In late February, PCMag and Bitdefender reported several significant security flaws in the popular iBaby Monitor M6S. A server-side configuration error meant that a network expert could use an iBaby monitor of their own to view and download videos and pictures uploaded by other legitimate users of the device. A different configuration problem made it possible for third parties to listen in on communications from every monitor. An attacker who caught the setup details of a new device while snooping could take full control of the baby monitor. Finally, by piggybacking on the first two security holes, an attacker could capture the owner’s personal information.
The discovery of these security flaws came as a direct result of a partnership between PCMag and Bitdefender’s Internet of Things security team. On an ongoing basis, we tell the Bitdefender team which devices are popular and well-regarded, and they put those devices through rigorous testing. If they discover security problems, they notify the device’s maker and give it time to come up with a fix, typically 90 days. When time’s up, they publish the results whether or not the holes got fixed, both in a blog post that’s understandable to most readers and in a whitepaper with full details for security experts.
Past reports stemming from this partnership have covered security problems in the Ring Video Doorbell and in Belkin’s Wemo Smart Plug. Ring and Belkin fixed the problems right away. In Ring’s case, the fix required pushing out a firmware update to secure all affected devices. Since all of the iBaby vulnerabilities were on the server side, a fix should have been easier still, with nothing to push to the devices themselves, yet almost nine months went by with no action. So, what happened?
When the Bitdefender team found security problems with the iBaby device, they attempted to report them to iBaby Labs. They tried various email addresses, asking to set up an encrypted email channel so they could pass along their findings securely. Unfortunately, they received no
PCMag’s hardware team, which reviews iBaby’s baby monitors, is necessarily in contact with iBaby Labs, and it supplied the Bitdefender group with contact information. Even so, Bitdefender couldn’t make a connection with the iBaby developers. Typically, researchers give device makers 90 days to deal with this kind of vulnerability before making it public. Bitdefender kept trying to contact iBaby for almost nine months, eventually revealing the details in a talk at the 2020 RSA Conference in San Francisco.
A Fast Fix
In conjunction with the big reveal at the RSA Conference, we released our reporting on the subject and Bitdefender’s team published their blog post and whitepaper. The next day, iBaby Labs contacted us with great consternation. The company representative stated they’d never heard about these problems. It’s clear, though, that thanks to the details in Bitdefender’s whitepaper, iBaby’s developers quickly understood the security flaws.
In just a few days, iBaby Labs announced a fix for all the reported problems. The company’s statement notes that while data could have been exfiltrated through the security holes, it found no evidence that this had happened.
As noted, the security flaws existed at the server level, which means that iBaby’s fixes took effect immediately for every device, with no firmware update required. Bitdefender’s IoT wizard Jay Balan confirmed the fix. “I can say that at this point the attack vectors we identified in our research don’t work anymore,” said Balan. “The speed with which they delivered the fix is to be appreciated. We’re only sorry it took this media outreach to get their attention, leaving their clients with a pretty big vulnerability window.”
In addition to the server-side fixes, the statement from iBaby promises a firmware update. It reads, “Soon we will also release a firmware update to be pushed out to your device. Once it’s available, you will receive a notification. This will further enhance data security.”
A Lesson to Learn
With every week that goes by, we learn about some new Internet of Things device, from diapers that text you when they need a change to a robot that folds your laundry. Almost all of these have one thing in common—they’re not designed with security in mind. And why should they be? Will somebody hack into your internet-aware toaster and burn the toast? The problem is that any unprotected IoT device on your network can serve an attacker as a foothold for compromising the rest of your network. In the case of a baby monitor or other camera-equipped device, attackers may literally spy on you.
I’m not suggesting that the burgeoning IoT industry slow its production of new devices by adding dedicated security teams. Doing so would give a competitive advantage to unsecured devices that could sell for less. And even with a security team on board, some bugs would slip through.
Rather, I’m strongly suggesting that every device maker publish a contact that researchers can use to report problems. It’s a simple enough solution. Had iBaby Labs provided such a contact, this could have been a very different story.
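There is a standard, machine-readable way to publish exactly that contact: a security.txt file as defined in RFC 9116, served over HTTPS at the fixed path /.well-known/security.txt, where researchers and automated tooling look first. The file below is an added illustration for this article, not a file from iBaby Labs or from Bitdefender’s report; the domain, addresses, key URL and dates are placeholders. The Encryption line is the piece that would have answered Bitdefender’s request for an encrypted reporting channel.

```text
# Placeholder file for illustration; example-devicemaker.com is not a real vendor.
# Serve this at: https://www.example-devicemaker.com/.well-known/security.txt

# Where to send reports. At least one Contact line is required; list several.
Contact: mailto:security@example-devicemaker.com
Contact: https://www.example-devicemaker.com/security/report

# Public key so reports can be encrypted, which is what researchers ask for first.
Encryption: https://www.example-devicemaker.com/security/pgp-key.txt

# Required. Set less than a year out and refresh it, or tools treat the file as stale.
Expires: 2026-12-31T23:59:59.000Z

# Optional but useful: disclosure terms, languages, and the file's canonical location.
Policy: https://www.example-devicemaker.com/security/disclosure-policy
Preferred-Languages: en
Canonical: https://www.example-devicemaker.com/.well-known/security.txt
```

The two details that matter in practice are the fixed path, so a researcher does not have to guess email addresses as Bitdefender did for nine months, and a monitored mailbox behind the Contact line; a published contact that nobody reads is no better than none.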