Cybersecurity experts warn about a Chinese-made baby monitor sold on Amazon.
The infant monitoring device has multiple critical vulnerabilities, all found soon after a South Carolina mother reported that her baby monitor had been hacked to spy on her and her baby.
The FREDI-branded device, which looks like a puppy, is made by an OEM called Shenzhen Gwelltimes Technology Co., Ltd.
The cybersecurity flaws are in its P2P cloud feature, which lets supported devices and desktop apps connect to the monitor via the cloud so that users can interact with it without needing to be on the same network.
This P2P cloud feature has no cybersecurity measures implemented at all (no firewall rules, port forwarding rules or DDNS setup).
Companies and individuals must take precautions against this growing wave of cyber attacks: they should implement at least one cybersecurity solution, such as an antivirus, to protect their systems. The basics include regularly updating operating systems and using an antivirus for Windows or an antivirus for Mac, depending on which OS your device is using. Companies must also hire professional cybersecurity firms to check their internal network a couple of times per year. These checkups must always include a penetration test and various ethical hacking tests.
Unfortunately, the bad news doesn’t end here: on the back of the device there is an ID code and a password (ID: 11613262, password: 123) that are needed to link the device with the cloud viewing app.
The device ID is far from secure: it is just 8 random digits that an attacker can easily generate. If the user did not change the default password to a secure one, things become even simpler for hackers, and even for non-hackers, because anyone can log in to use the monitor functions and intercept its audio-video feed.
Keep in mind that researchers have already demonstrated how a P2P cloud system can be hijacked by scanning for valid device IDs, brute forcing passwords, and then exploiting missing firmware update checks to gain remote code execution and persistence on the device.
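A cloud operator can spot the ID scanning and password guessing described above in its own login records. The following is an added example, not code from the original article or the vendor; the log format, thresholds and sample values are constructed assumptions.

```python
import re
from collections import defaultdict

# Hypothetical log format for a P2P cloud login service (an assumption, not the vendor's).
LINE = re.compile(r"src=(?P<src>\S+) device_id=(?P<dev>\d{8}) result=(?P<res>OK|FAIL)")

def flag_sources(lines, max_ids=3, max_fails=5):
    """Return {source: sorted list of reasons} for sources that look abusive."""
    ids_failed = defaultdict(set)      # source -> distinct device IDs it failed against
    fails = defaultdict(int)           # (source, device ID) -> failed login count
    for line in lines:
        m = LINE.search(line)
        if not m or m["res"] != "FAIL":
            continue                   # skip malformed lines and successful logins
        ids_failed[m["src"]].add(m["dev"])
        fails[(m["src"], m["dev"])] += 1
    flagged = defaultdict(set)
    for src, ids in ids_failed.items():
        if len(ids) > max_ids:         # one client failing against many IDs: enumeration
            flagged[src].add("device-id-enumeration")
    for (src, _dev), n in fails.items():
        if n >= max_fails:             # repeated failures on one ID: password guessing
            flagged[src].add("password-guessing")
    return {src: sorted(reasons) for src, reasons in flagged.items()}

# Constructed sample log (documentation IP ranges, made-up device IDs).
SAMPLE = (
    [f"2018-06-01T12:00:0{i}Z src=203.0.113.7 device_id=1000000{i} result=FAIL" for i in range(5)]
    + [f"2018-06-01T12:01:0{i}Z src=198.51.100.9 device_id=20000001 result=FAIL" for i in range(6)]
    + ["2018-06-01T12:02:00Z src=192.0.2.4 device_id=30000001 result=FAIL",   # one typo, then success
       "2018-06-01T12:02:05Z src=192.0.2.4 device_id=30000001 result=OK",
       "garbage line without fields"]
)

if __name__ == "__main__":
    for src, reasons in flag_sources(SAMPLE).items():
        print(src, reasons)
```

A flagged source is a candidate for rate limiting or lockout; an owner who mistypes a password once and then logs in stays below both thresholds.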
If a device like this is compromised, hackers will not only use it to spy on you or other family members; they will also obtain unrestricted access to all of your private home network.
All these privacy-threatening flaws are the result of consumer electronics with opaque supply chains that use insecure, built-in cloud features which are enabled by default.
Keep in mind that all private data has significant value and must be protected by at least one cybersecurity solution, such as an antivirus. Depending on which OS your device is running, install an antivirus for Windows or an antivirus for Mac for total protection. Companies must take an extra step and hire a professional cybersecurity firm that will run various cybersecurity tests on the company’s network in order to implement only the best possible cybersecurity solution. Always opt for a package that includes at least a penetration test and an ethical hacking test. For companies that exist 100% online, we recommend using cyber-secured web hosting services.