14th August 2013
A wireless video camera described by its manufacturer as being an ideal baby monitor has been hacked into, and abuse was shouted at the infant it was monitoring.
The incident took place in a home in Texas, but the camera is also on sale in the United Kingdom.
According to ABC News, the parents of the two-year-old girl were shaken when they heard a voice shouting lewd comments in a "British or European accent" coming out of the camera, which is made by Foscam. Marc Gilbert claims that the voice directed offensive, sexualised words at his daughter, who remained asleep in bed during the incident. The hacker was able to call the child by name because it was spelled out on her bedroom wall, in view of the camera. What the offender did not know is that the girl is deaf.
Foscam, which is based in Shanghai, said it was unable to provide a statement.
In April, an internet security firm uncovered a weakness in the cameras and found that it was relatively simple for a hacker to exploit. Qualys said that two in every ten Foscam cameras monitored were insecure, requiring only a simple 'admin' to log in, with no password needed.
Foscam issued a fix some two months later for some of the issues raised, saying that it appreciated the "constructive criticisms and advice". However, there was no hint of the critical upgrade on the company's homepage, only a blog post. Users who had signed up to a firmware update newsletter were allegedly also emailed.
A number of posts in discussion forums on the company's website indicate that other customers have suffered similar breaches … allegedly with poor response from the supplier. The cameras are also sold in the UK under the trading name of 'GadgetFreakz' and through the Amazon website.
The BBC claims to have uncovered disturbing evidence that hackers share information on how to access insecure Foscam cameras via a number of online forums. They can narrow their results by location using specialist search engines, even saying what the camera is being used for.
Professor Alan Woodward from the University of Surrey's Department of Computing said to the BBC earlier today: "Using monitoring equipment to ensure the safety of children can be very valuable. However, if you do wish to use such devices you should exercise caution before using something that attaches to the internet as it increases the potential vulnerability. There are forums and dedicated search engines that look for vulnerable devices on the web – so if yours is susceptible there is a good chance it will be found, and could be abused."
Prof Woodward added: "Regardless of the security you think you may have on your PC each device can be separately vulnerable. If you do use a web-connected device then you must ensure software is always up-to-date. This is not just the operating system on your PC but also applications you use and the built-in software – known as firmware – built into the devices."
He went on to explain: "Many attacks use security holes found in such firmware. Most vendors send out updates monthly: the second Tuesday of each month having become known as Patch Tuesday when many release their software. However, urgent updates may be distributed as soon as possible so vigilance is the key."