Parents say creep hacked their baby monitor to tell toddler they ‘love’ her – Naked Security

Another mouthbreather with nothing better to do than hack a baby monitor and broadcast their “love” for a 3-year-old has apparently struck again.

This time, it happened to a family in Seattle.

According to local broadcaster King 5, a couple who asked to be identified only as Jo and John said that their daughter, Jaden, was spied on by a stranger who spoke to the tot via a babycam last week. The King 5 segment is also available on Insider.

What Jaden’s mom, Jo, told King 5:

We were both downstairs working in our office here, and our daughter called out. She’s saying, ‘Mommy, mommy.’ She said, ‘The voice is talking to me.’

After Jo went upstairs to check, here’s what she heard:

I said, ‘What’s going on?’ And she said the man said, ‘Jaden, I love you.’ And I said, ‘What!’

Neither parent heard the voice of the hacker first-hand. At first, they thought nothing of it. But then, the couple said, John’s mother heard a stranger’s voice coming from upstairs last week. Meanwhile, Jaden’s story has stayed consistent: yes, the voice comes from the camera, no, not from a nearby stuffed animal.

Jo and John also noticed that the camera had been mysteriously resetting itself, moving its focus from its typical angle of looking down into Jaden’s crib, to instead peer up, into the room, without their input.

The spycam in question

The couple say that the baby monitor is a Taococo FREDI model that they got as a baby shower gift for their youngest child about six months ago. Going for around $50 on Amazon, it’s a Wi-Fi-enabled webcam that lets people keep an eye on their babies, their elders, their pets, or, surreptitiously, their nannies, beaming out a live stream to phones “any time, no matter where you are.”

As SEC-Consult has previously reported, it’s a little tough to figure out exactly who manufactures these webcams. A quick search on returns several suppliers for this type of camera, most of which offer “OEM/ODM” services, including custom branding, for wholesale customers.

One of the OEMs, Shenzhen Gwelltimes Technology Co., Ltd., develops the camera firmware, designs the hardware and operates the “P2P Cloud” service that’s enabled by default and which is typical of consumer-grade surveillance products. The cloud service makes it easy for users to access video data no matter where they are, from their phones or desktops.

However, the fact that there’s an internet connection involved raises all sorts of security questions, such as whether the stream is encrypted or whether that connection can be intercepted by hackers. Another question: who’s monitoring the servers? A country that’s governed by data privacy laws such as the General Data Protection Regulation (GDPR)? Or a country that isn’t, such as China?

As it is, the “P2P Cloud” service was successfully attacked in 2017 by Berlin-based Security Research Labs. The researchers started by scanning for valid device IDs, brute-forcing passwords, and then exploiting missing firmware update integrity/authenticity checks to gain remote code execution (RCE) and persistence on the device.

To somebody who just wants to make sure their baby’s OK – that’s a lot of “yikes!”.