The frightening experience of a Texas couple who discovered their toddler's baby monitor had been hacked by an apparently demented man showcases the serious security lapses in consumer electronics, experts say.
Researchers have repeatedly documented the security flaws in Internet-connected video cameras. But for Marc and Lauren Gilbert of Houston, academic findings became reality when they heard the creepy voice of a vulgar man calling their sleeping 2-year-old daughter Allyson an "effing moron" and telling her to "wake up you little slut," ABC News reported.
The intruder, who apparently had taken control of the Foscam-manufactured camera in the child's room, turned his attention to the Gilberts when they entered after hearing strange noises from the kitchen. The man shouted expletives and called Gilbert a stupid moron and his wife a b----, ABC said.
How the man broke into the device through the Internet is not known, but vulnerabilities in wireless IP cameras manufactured under the Foscam brand are well known.
Two researchers from security vendor Qualys reported in April that they could easily find the Internet-connected cameras on the Web using the Shodan search engine. They then discovered that breaking in through the devices' Web interfaces was not difficult.
Among the serious security lapses they found was allowing users to login with the default "admin" user name and no password, PCWorld reported. (This flaw was found in roughly 20 percent of the cameras studied.)
Foscam did not return a call or email requesting comment.
Artem Harutyunyan, a researcher in the Qualys study, said Wednesday the manufacturer was quick in releasing patches for vulnerabilities as they were discovered by Harutyunyan and his partner, Sergey Shekyan.
"They were pretty quick in rolling out updates and patching the vulnerabilities as they came in," Harutyunyan told CSOonline.
What the manufacturer lacked was an effective way to get the patches and updates out to customers.
"There are no automatic updating or alerting mechanisms in the camera," Harutyunyan said.
Foscam did not place an urgent notice that critical patches were available on its homepage, the BBC reported. However, the company did publicize the fixes in a blog post and in an email sent to people who signed up for the company's firmware update newsletter.
One logical place where an alert could have been placed is in the web interface customers use to watch and listen to their children, Harutyunyan said. That was not done.
"It shouldn't be very hard to introduce a change in their code, so whenever there is a new version (of software or firmware), you get an alert on the camera's Web page," he said.
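The two gaps the article describes, a factory "admin" account with no password and no update alert in the camera's own web page, could both be surfaced by a self-check the device runs at boot and renders on its status page. The following Python is an added illustration, not Foscam's or Qualys's code; the DeviceState fields, the dotted version format and the update manifest are assumptions made for the example.

```python
"""Firmware-staleness and default-credential self-check for an IP camera's
web interface.  Illustrative code; the data structures, field names and
version strings below are constructed for the example."""
from dataclasses import dataclass

DEFAULT_USER = "admin"             # factory account named in the article
DEFAULT_PASSWORDS = {"", "admin"}  # blank password is the reported flaw;
                                   # "admin" is an assumed common default

@dataclass
class DeviceState:
    """Constructed snapshot of what the camera knows about itself."""
    model: str
    firmware: str          # e.g. "1.4.2"; dotted-integer format is assumed
    admin_password: str    # stored admin credential (hypothetical field)

def parse_version(text: str) -> tuple:
    """Turn '1.4.10' into (1, 4, 10) so comparison is numeric, not lexical.
    Plain string comparison would wrongly rank '1.4.9' above '1.4.10'."""
    return tuple(int(part) for part in text.strip().split("."))

def firmware_is_stale(running: str, latest: str) -> bool:
    return parse_version(running) < parse_version(latest)

def uses_default_credentials(state: DeviceState) -> bool:
    return state.admin_password in DEFAULT_PASSWORDS

def startup_alerts(state: DeviceState, manifest: dict) -> list:
    """Return the alert strings the camera's own web page should display.
    `manifest` maps model -> latest firmware version (constructed here; a
    real device would fetch it from a vendor-authenticated update feed)."""
    alerts = []
    latest = manifest.get(state.model)
    if latest is None:
        alerts.append(f"No update information available for model {state.model}")
    elif firmware_is_stale(state.firmware, latest):
        alerts.append(f"Firmware {state.firmware} is outdated; {latest} is available")
    if uses_default_credentials(state):
        alerts.append(f"Account '{DEFAULT_USER}' still uses a factory-default password")
    return alerts

if __name__ == "__main__":
    # Constructed example: outdated firmware and a blank admin password.
    cam = DeviceState(model="CAM-100", firmware="1.4.9", admin_password="")
    for line in startup_alerts(cam, {"CAM-100": "1.4.10"}):
        print("ALERT:", line)
```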
Dropping the ball in getting software patches and firmware updates to customers is not unique to Foscam, which also sells its cameras to companies that resell the products under their own brands. Consumer electronic companies in general do a poor job at protecting users from security lapses.