A Houston couple's nightmare with a hacked baby monitor that let an intruder not only see into their sleeping 2-year-old daughter's room, but curse at her, is not the first such incident involving wireless baby monitors. It may, however, be among the most disturbing.
"I'm afraid the truth of the matter is some baby monitoring devices have not been built with security in mind, and instead have focused on convenience for the parents," Graham Cluley, a security consultant, told NBC News Wednesday.
"For that reason, some devices do not require a password for remote access — something that hackers can exploit — or have security vulnerabilities that can be taken advantage of by mischievous hackers."
It's not clear whether the intruder who found Marc and Lauren Gilbert's baby monitor was being mischievous or malicious, but it was clearly unnerving.
Marc Gilbert told ABC station KTRK that last Saturday the couple was at home, where they have the monitor installed in daughter Allyson's room. The camera is trained on Allyson's bed, and over her bed, on the wall, her name is spelled out. The couple heard a voice coming through the monitor, exhorting the child, by name, to wake up and was using foul language.
"He said, 'Wake up, Allyson, you little (expletive),'" Marc Gilbert told the station. The voice over the monitor also called Gilbert a "stupid moron" and his wife, "a b****," reported the station.
Because Allyson was born deaf, she has cochlear implants, which were turned off at the time. So she did not hear the wireless intruder.
"It felt like somebody broke into our house," he told the station. (NBC News has tried contacting the Gilberts and will update this story if we reach them.)
Lisa Vaas, of Sophos Security, points out on that company's blog, "Video baby monitors can broadcast to TVs, handheld receivers or even over Wi-Fi to PCs or smartphones. That means you can keep an eye on your children from almost anywhere. Unfortunately, it also means that others can, and do."
She says, for starters, parents should be sure to change a wireless monitor's default password, and if they don't know how to do that, they "should ask for help from somebody with security expertise — somebody they trust with the safety of extremely precious things."
The vulnerabilities of baby monitors with Internet-based video cameras are well known, despite a range of security features that various brands of monitors might have. It's usually up to parents to enable those security features. In 2009, one Illinois man sued the manufacturer of a baby monitoring system after learning a neighbor, using the same system, could see into the baby's room, including his wife breastfeeding.
Foscam, the maker of the baby monitor used by the Gilberts, released updated firmware — software for a device — on Monday. The update, the company says, includes strengthened security, including options for longer passwords, and a prompt for the user to change the default, blank login password.
"The makers of this particular baby monitor have released security patches in the past — but, of course, it's perfectly possible that sleep-starved parents haven't got around to applying them to their devices," said Cluley via email. "Maybe stories like this will wake parents up about the importance of making sure their baby monitor is properly secured, or risk (even more) sleepless nights."