It’s like something out of Paranormal Activity: A young couple settled in for the night, only to be startled awake by a disembodied voice screaming at their 10-month-old baby in her bedroom.
This scene isn’t from a scary movie, but the real-life drama that unfolded last week in Hebron, Kentucky, was no less horrifying. Sometime around midnight, parents Heather and Adam Schreck said a hacker accessed the Foscam Internet camera the couple was using as a baby monitor, and yelled out, “Wake up baby! Wake up baby!”
Heather Schreck checked the camera through her smartphone and saw it panning around. When Adam bolted into the baby’s room, it pivoted to face him and then started hurling a stream of epithets.
It’s hard to say what’s more unsettling—that a hacker could target a small child asleep in her bed, or that it might become a trend. The same thing happened to another Foscam customer in Texas last year.
Connecting The Threads On Connected Threats
Last August, a hacker infiltrated a wireless camera owned by the Gilbert family, living in Houston, Texas. The stranger took control of the unit and used it to scream obscenities at a two-year-old toddler. Fortunately, the hearing-impaired child didn’t have her cochlear implant turned on at the time, otherwise she would have heard the stranger yelling, “Wake up Allyson, you little slut!”
Such attacks are particularly vile, certainly because they involve children, but also because they mar technologies intended to increase security. These devices are supposed to make us safer, but as it is right now, they wind up being our points of vulnerability.
It’s tempting to blame Foscam for the security failings—after all, both the Schreck and Gilbert families used its cameras—or wonder if hackers were intentionally zeroing in on this company. But it’s more likely that Foscam winds up being targeted simply because it’s a popular brand: According to the company, it sells about 50,000 to 60,000 cameras each month worldwide and services millions of users.
With so many customers, even small technical issues can have major ramifications. Case in point: the failure of Foscam’s software to remind users to change their default login. That’s the likely reason the Schrecks’ camera got hacked; the couple was still using the default login.
“[The software] didn’t prompt us to change our password,” Heather Schreck told me over the phone. “We didn’t realize that we should do that. We have our router secured, so we thought it was safe. Foscam really needs to work on that to make it more recognizable and known that people need to change their passwords.”
I contacted Foscam, which said it did update the firmware to include the prompt, along with other important security bug fixes. In fact, the company claims its software and hardware are routinely tested by security researchers, and maintains that it regularly publishes security updates.
See also: Heartbleed Defense: The 3-Step Password Strategy Everyone Should Use
The Schrecks, however, didn’t get the new software. The reason for that is buried in the details.
Although some reports state that the Schrecks’ unit was “the latest IP camera manufactured by Foscam,” it actually wasn’t. Heather informed me that it was actually model #FI8910W, a version that launched three years ago, and the Schrecks had been using it since little Emma was born.
“There were no hardware issues with this camera,” said Foscam COO Chase Rhymes. However, he explained, that particular product debuted before the relevant security bugs were patched. Newer versions of the camera have the latest firmware pre-loaded, but owners of older cameras—say, older than six months—need to manually update their software for the latest updates.
Either way, users would still have to change their usernames and passwords.
The Bug In This Rug
At the very least, whether prompted or not, the key takeaway for owners of Foscam devices or any other gadgets that touch the Internet is simply this: Never stick with the default username and password.
“The problem is, [default passwords are] easy for people to come up with … you know ‘admin’ or ‘1234.’ Whatever a company’s default password is,” Rhymes said. “They just try one until it works.” In this way, your device remains wide open to hacking for anyone that comes across it. That could be a lot of potential assailants.
Many Internet gadgets are easily discoverable via the Shodansearch tool. Think of it like Google search for connected devices that hackers could use to identify potential targets. If your device shows up there—and plenty do—the last thing you want is to rely on a flimsy login like “admin/admin.” You might as well as post a sign on your house that says, “Front door is unlocked. C’mon in.”
For current customers, Foscam posted a list of tips for securing their wireless cameras, including changing logins and setting port forwarding on Internet routers, to make it tougher for hackers to discover your unit. The first item on the list is to update your software to get the latest security patches, especially if the cameras are more than six months old. Foscam also maintains an email list that customers can register for on the website, which reminds people to continuously update their software for the latest fixes and features.
Of course, no amount of patching can ever make connected devices 100% hackproof. That’s true for Internet cameras, smartTVs, Web-enabled HVAC appliances or anything else in a connected home. If nothing else, Heartbleed—the major security bug that caught the tech world with its pants down—taught everyone that.
Just to be clear, this Foscam camera exploit has nothing to do with Heartbleed. But they both point to an inevitable truth: Any device that connects to the Internet, by its very nature, cannot be a “set it and forget it” gadget. It requires a certain amount of upkeep to ensure its integrity—even if it’s just a baby monitor.
As a culture of consumers and convenience-minded end users, we may not be accustomed to this amount of maintenance. We want innovations that make our lives easier. Still, when safety matters and when those features really count, we have to be prepared to tend to our technologies, if we want them to take care of us.
Images taken from video, courtesy of Cincinnati News, FOX19-WXIX TV