As a new parent, you want only the best for your bundle of joy. If your baby wakes up in the night and cries for a feeding, you probably don’t worry about your state of dress (or undress) when you respond. Just be aware that if you’re using an iBaby Monitor M6S to keep tabs on the little one, you may be putting on a free show for total strangers. Researchers at Bitdefender discovered multiple security problems with this device that would allow hackers to grab any saved pics or videos, view live video, and even capture your personal information. Most shocking of all, anybody who has one of these devices and the necessary network skills can access cloud-stored videos and pictures uploaded by every other baby monitor of the same type.

This discovery is the result of an ongoing partnership between PCMag and the Internet of Things security team at Bitdefender. We give the Bitdefender team information about which devices are popular and are therefore important to test. They put the devices through grueling hands-on analysis, looking for vulnerabilities that hackers could exploit. Before they (and we) reveal the results of this testing, they give the device’s maker 90 days to come up with a remedy.

When we reported a security hole that Bitdefender discovered in the popular Ring Video Doorbell, Ring came up with a fix and pushed it out to protect affected devices. Likewise, Belkin fixed the vulnerability that the Bitdefender team found in its Wemo Smart Plug. That’s exactly what we hoped for with this partnership—not public shaming of the device makers, but enhanced safety for our readers who use IoT devices.

Alas, the situation with iBaby doesn’t have the same happy ending. Bitdefender reported the problems to iBaby’s developers in May of 2019, but they never got any response. They gave the developers way more than the standard 90 days to come up with a fix, but eventually informed them that the research would be presented during the RSA Conference in San Francisco. With no response from iBaby, the research is now public, and the problem remains.

For a more detailed run-down of the problem, you can go to Bitdefender's blog post. And if you want to experiment with the vulnerability yourself (staying within the law, of course), Bitdefender's whitepaper offers the full details, the same details they supplied to iBaby's developers roughly nine months ago.

All Your Baby Videos Are Belong to Us

Like a vast number of other companies, iBaby relies on Amazon Web Servicesfor cloud storage. When the iBaby device sends an alert because your baby moves around or starts crying, it uploads a video clip to the cloud. Alerts are protected with a secret key and an access ID key. Sounds safe, right?

The problem is that the two keys don't just give the monitor access to your own cloud data; they let you see everyone's data. Bitdefender’s IoT wizard Alex “Jay” Balan explained it with a simple analogy. Say you have personal data stored on a website at www.example.com/pathto/myfiles. You shouldn’t be able to visit www.example.com/pathto and get a list of everyone else’s files. And you most definitely shouldn’t be able to craft a URL like www.example.com/pathto/otherfiles and get into some other person’s files. But that’s just the kind of access iBaby’s misconfigured cloud storage permits (though the process isn't as simple as just changing a URL.)

That means any ne’er-do-well can purchase an iBaby monitor and use it to access files from every iBaby monitor. Unbelievable? Believe it. For legal reasons, the Bitdefender researchers did not access data belonging to other real-world users. Instead, they set up a second test device and verified access.

This is shocking enough that I have to say it again. Any network whiz with access to one of these baby monitors can use it to gain access to all cloud-stored videos and pictures from every other baby monitor of the same type. Bitdefender warned the maker and gave them several times the usual 90-day period before disclosure, but as of this writing, there has been no response.

Tell Me Everything

The iBaby monitor uses a protocol called MQTT (MQ Telemetry Transport) for communications with, for example, its smartphone app. It sends information to the MQTT server, and other devices subscribe to specific topics to receive that information. Configured correctly, the server would only send necessary data to each device or process. However, as with the cloud storage system, iBaby’s server configuration is too loose.

Bitdefender’s experts found that with credentials from one iBaby monitor, they could subscribe to every topic from everyiBaby monitor. Each snippet of information comes with the camera’s ID, which can be abused. A snoop could pick up the camera ID, user ID, on/off status, and more. But the consequences of this server’s blabbing don’t end there.

Configuration Penetration

For many devices, configuration goes something like this. You activate the configuration mode by pressing a special button on the device. It temporarily becomes an unsecured Wi-Fi hotspot. You log into the hotspot with your mobile phone and then give it the credentials for your home network. At that moment, an attacker monitoring your network could capture your Wi-Fi password and thus get access to your network. Ring fixed the problem by simply making the temporary Wi-Fi hotspot an encrypted connection.

The iBaby device works a bit differently. You plug it in to your smartphone using a USB cable and use the associated app to initiate Wi-Fi sharing. However, the configuration process relies on the MQTT server which, as we’ve seen, isn’t properly secured. If a hacker who’s monitoring that server captures a configuration event, it’s a disaster. According to Bitdefender’s whitepaper, “If an attacker monitors the MQTT server when a user configures a camera, critical information will be leaked to the attacker." They could then stream or record video from the device, take screenshots, or even play music on the device. Hey, little one, ready for some Death Metal?

The simple solution? Just fix the security on the servers involved. We’re not talking about developing a firmware patch and pushing it out to all devices, the way Ring had to do. It’s hard to conceive why iBaby hasn't yet fixed both this issue and the configuration problems with their cloud data.

Additional Problems

Another security problem found by Bitdefender’s researchers isn’t quite as dire. Using what’s called an Indirect Object Reference (IDOR), an attacker can extract some personal details about the parent who installed it. These include the email address, name, location, and even profile picture. This same technique can retrieve timestamps for every time the parent accessed the camera remotely.

This attack requires that you know the ID of the camera you want to raid for data. However, the Bitdefender team points out that an attacker who’s gained remote control of the device can easily get the ID. In addition, the cloud-stored data includes camera ID information.

This Baby Monitor Needs a Change

The iBaby Monitor M6S does a great job helping parents keep tabs on their darling tykes. It looks slick, captures 1080p video, allows two-way communication, and supports panning and tilting. Based on those excellent features we deemed it an excellent product, worthy of being named Editors’ Choice.

In the light of its security failings, though, we are reevaluating our rating and recommendation.

Further Reading

Home Security Camera Reviews