Hacked baby monitor? Welcome to the security implications of the internet of things

The internet of things promises great things with its profusion of connected devices, but it also brings with it significant risks. My colleague Derrick Harris recently described many of those risks, several of which involve networked security cameras and smart TV webcams, but here’s a very real-world example of what can go wrong – and why the internet of things could be a security nightmare.
This week ABC News reported an incident that struck a Houston, Texas, couple and their infant girl. A European-accented hacker took control of the Foscam baby monitor that was keeping an eye on the girl and started cursing at her (as it happens, she’s deaf) and her parents. The hacker was also moving the camera around, so he could likely see through it too.
Unsurprisingly, that baby monitor is now disconnected and the parents say they’re unlikely to hook it up again. But the incident highlights a deeper problem that is a hot topic in the nascent internet of things industry, and it’s sure to be a subject for discussion at our “Do you really want all your things on the internet?” panel at Structure:Europe in London on 18-19 September, where experts such as Alicia Asin (Libelium CEO), Michael Simon (LogMeIn CEO), and Alexandra Deschamps-Sonsino (Good Night Lamp founder) should have a lot to say.

Many hackable things

According to the BBC, hackers have known for a while how to tap into these devices (and not just Foscam’s products, either). Security researchers told Foscam back in April that there were vulnerabilities in its baby monitor software — a big one was the fact that the device’s default admin username was “admin” and there was no password requirement. Attackers could also apparently scrape Foscam’s website for individual device codes, which they could then target.
Foscam issued a firmware update in June, boosting the device’s security to a certain extent. It’s not clear whether the Gilbert family, featured in that ABC report, installed the update — apparently they would have only known to do so if they had signed up to a firmware update newsletter.
Is that good enough? Probably not — a baby monitor will by definition be used in a sensitive situation where security is paramount. Updates should either happen automatically or all owners should be notified when such a critical patch is issued. And passwords should be strong.

Increased complexity

That said, when you consider how many connected devices will be in our homes in the coming years — from door locks to thermostats — it becomes clear that homeowners will need to take a lot of security management into account in their daily lives.
Today, we’re used to updating the firmware on our phones and maybe our TVs. Tomorrow, things could be a lot more complicated. And, as always, the balance between security and convenience will be key to making sure the internet of things doesn’t turn scary.