iBaby Monitor Can Be Hacked to Spy on Children, Leak Video Recordings

An internet-connected baby monitor intended to make parenting "easier and hassle-free" has been found to contain vulnerabilities that could let hackers spy on children.

Bugs in the iBaby Monitor M6S, which now retails for about $100, can be exploited to leak personal data of users and lead to "remote access of the camera" and some related functions, according to research released this week by security firm Bitdefender, in collaboration with PC Mag.

Security experts said iBabyLabs has essentially ignored the issues. An email request for comment sent by Newsweek today returned a bounce-back message.

According to the researchers, attempts were first made to report the flaws to the vendor in May last year and are now being responsibly disclosed to protect iBaby users.

There are two big M6S issues in play: the first vulnerability is in a communication protocol known as MQTT (MQ Telemetry Transport) that leaks information about the camera, and the second is a flaw that can let an attacker obtain some personal information about the device owner.

The team warned that the connection to the cloud storage used by the company is not properly set up and can be exploited to obtain access IDs that are hardwired into the WiFi monitor.

"What's troubling the most about the first vulnerability is that the camera uses a secret key and an access key ID to upload an alert to the cloud. These keys can be used for directory listing and downloading of any alert (video or picture) uploaded by any camera with alerts enabled (motion and/or sound)," Bitdefender explained in its advisory about the problems with the M6S.

Because the set-up process of the baby camera is linked to a misconfigured cloud server, critical login information can be exposed when it is being configured by the customer. "The server leaks camera IDs, user IDs and the status of the camera," according to the Bitdefender team.

"If an attacker monitors the MQTT [MQ Telemetry Transport] server when a user configures a camera, critical information will be leaked to the attacker. They could then stream video, take screenshots, record video, or play music using the obtained credentials," it added.
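To illustrate the MQTT exposure described above, here is an added example (not code from Bitdefender's advisory or from iBaby) that audits broker read rules and shows how per-client topic scoping stops one client from receiving another camera's setup messages. The topic layout, client IDs and rule format, with `%c` standing for the authenticated client ID, are assumptions; the article does not describe them.

```python
# Added example: audit MQTT read rules for cross-device exposure.
# Topic names, client IDs and the rule format are constructed for illustration.

def filter_matches(topic_filter: str, topic: str) -> bool:
    """MQTT topic-filter matching: '+' matches one level, '#' the remainder."""
    f, t = topic_filter.split("/"), topic.split("/")
    # Topics beginning with '$' are not matched by a leading wildcard.
    if topic.startswith("$") and f[0] in ("+", "#"):
        return False
    for i, part in enumerate(f):
        if part == "#":
            return i == len(f) - 1      # '#' is only valid as the last level
        if i >= len(t):
            return False
        if part != "+" and part != t[i]:
            return False
    return len(f) == len(t)

WEAK_ACL = ["#"]                 # any authenticated client may read every topic
SCOPED_ACL = ["cameras/%c/#"]    # each client may read only its own subtree

# Constructed sample traffic: cameras/<camera id>/<message kind>
PUBLISHED = [
    "cameras/cam-A/setup",
    "cameras/cam-A/status",
    "cameras/cam-B/status",
]

def can_read(acl, client_id, topic):
    """True if any rule, after substituting the client ID, covers the topic."""
    return any(filter_matches(rule.replace("%c", client_id), topic) for rule in acl)

def delivered(acl, client_id, subscription, published=PUBLISHED):
    """Topics the broker would forward to this client for its subscription."""
    return [t for t in published
            if filter_matches(subscription, t) and can_read(acl, client_id, t)]

def cross_device_reads(acl, client_ids, published=PUBLISHED):
    """Audit: (client, topic) pairs where a client can read another camera's topic."""
    return [(c, t) for c in client_ids for t in published
            if t.split("/")[1] != c and can_read(acl, c, t)]

if __name__ == "__main__":
    for name, acl in (("weak", WEAK_ACL), ("scoped", SCOPED_ACL)):
        print(name, "cam-B receives:", delivered(acl, "cam-B", "#"))
        print(name, "cross-device reads:", cross_device_reads(acl, ["cam-A", "cam-B"]))
```

An empty result from `cross_device_reads` is the property to enforce on the broker: no client identity can read a topic that belongs to a different device.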

According to PC Mag, which first reported the hacking disclosure, the M6S baby monitor has the option of sending these video or sound alerts to the cloud, for example if the baby starts to move or cry, and the private ID keys are supposed to protect those files from unwanted snooping.

The second security issue isn't as scary as a full takeover, but could be used to obtain a user's email address, name, location, profile picture and timestamps of their last login.

It's unclear if the attack has been experienced by any iBaby customers. Unlike the recent Ring camera hacks, no videos have surfaced of toddlers being tormented in their own homes.

The IoT company was contacted for comment by Newsweek using a broad support email address after the press relations contact details failed. Recode reported the firm sent it a statement dated to 2015, signed by a co-founder who has not been employed there since 2017.

"HTTPS is enabled for the communication between apps and Amazon Web Services," that notice read, referencing its supposed security measures. "The alert file paths are encrypted and random, hackers will not be able to just change a serial number to get others' files. Also our monitors are hosted by Amazon servers, therefore, the security is very high, equivalent to military security."

Amazon has been contacted for comment. The M6S, released back in 2016, is described under the label "Amazon's Choice" on the shopping website. The newest camera model is the iBaby M7.

Update - iBaby released the following statement: "It has come to our attention that certain online articles regarding the vulnerabilities of our iBaby M6S have caused concerns.

"We want to reassure you that the security of our customers' database is and has always been our utmost #1 priority. We follow strict government privacy guidelines and use the industry's highest standards to guard the safety of our customers' data.

"However, we are quickly researching these reports and verifying the validity of the claims. Right now we have not received any data compromising reports. We are also working with members of the media to research and investigate their reports. We appreciate your patience while we search these issues and bring you new updates as soon as they're available."

This article has been updated with a comment from iBaby Labs.
