08.15.13 7:11 PM ET
How to Protect Yourself From the World’s Perviest Hackers
What happened to Marc and Lauren Gilbert and their gurgling little bundle of joy in Houston last week is pretty horrifying, and it will hopefully never happen again.
It’s horrifying because some creepsauce found a way to hack into the couple’s video baby monitor and yell obscenities at their 2-year-old daughter as she lay sleeping peacefully in her crib. The child is deaf, so she was never awakened during the rant that included phrases like, “wake up you little slut.” Marc Gilbert heard the commotion from a different room in his house, burst in to find out who was yelling at his child, and is now convinced that what once seemed a foolproof method of keeping tabs on his child was not even remotely worth the consequences.
But it will hopefully never happen again because this informative article you are reading right now will trend worldwide and every parent across the globe will soon understand how to keep the creepers from peeping on your baby. We talked to several very smart people (including Marc Gilbert) and this is what we learned:
The most important thing to understand about video baby monitors is that they aren’t all made the same, explains Andrew Wright, product manager for Levana, one of the many companies that makes baby monitors. There are three completely different kinds of the monitors, operating on three different kinds of technology platforms, and vulnerable in three different ways. These technology platforms all describe how the monitor communicates with whatever you’re using to watch it.
The first is analog, broadcasting a publicly available signal between the camera and a monitor, the same way cordless phones in the early 1990s did, the same way a radio or television station sends out stuff across the airwaves. Then come digital broadcasts, which send an encrypted signal between the camera and the monitor, communicating only with that device to which it has been paired. Lastly, there’s the kind deployed in the Gilbert household: Internet Protocol cameras, which transmit video feeds across your home Internet network.
In general, Wright says, both the IP and analog cameras are the most prone to hacking, but in different ways. To break into an analog signal, all someone needs to do is drive around with a special kind of video receiver and wait to pass a house broadcasting an analog feed. No hacking required. Just proximity. But what’s dangerous about IP cameras is that anyone in the world can target your network, break in and watch your feed. Some IP cameras automatically turn themselves into wireless access points, the same way your wireless router does, which means it’s visible to anyone nosing around that particular IP address. Others have unencrypted passwords, passwords with only letters available as options or, worse, a “master password” that if a hacker were to acquire would allow him to bypass even the cleverest of user-generated codes.
You want IP cameras so that you can check on the baby from your iPhone, or at work on the computer. But to minimize the associated risks, the most important thing to do is change whatever default password is on the device. But it’s also best to find a camera with a 256-bit encryption, the same used in online banking, Wright says. Also — and bear with this jargon for a moment here — it should communicate only with a “tier 1” server or a cloud hosting company, rather than strictly peer-to-peer. That increases the steps creeps have to take to find you.
“Almost none of these devices are going to be secure out of the box,” Larry Seltzer, contributing editor at Zdnet.com, told The Daily Beast. “The consumer really has to take a little bit of time.”
The thing that frustrates Gilbert is, he did take the time. In the wake of widespread publication of his family’s saga, he’s been called both “lazy” and “stupid” by Internet trolls who don’t know all the research he did to make sure the camera he installed was safe. Gilbert chose the Foscam F1891W after trying three other ones, because even though it is the IP (networked) style of camera, it comes with WPA2 Encryption. He also hard-wired the camera to his network, via an ethernet cable and not just a WiFi connection, which he thought would make the system more secure.
The problem, though, is any home network can be hacked, as long as it’s connected to the outside world.
“It’s not the camera you should worry about with your security; it’s your home networking,” said Brad Pittmon, director of product marketing for VTech, another baby monitor maker. “Once a person accesses your camera, they can also access your PC, and get all kinds of personal information. The way to protect yourself is to ensure your wireless network at home is very secure.”
Foscam company officials declined to comment for this story, directing questions to a step-by-step guide for customers about how to secure their cameras.
The monitors Pittmon sells all use a “frequency-hopping spread spectrum” that make it “impossible,” he said, for hackers to connect to the channel you’re transmitting.
“It hops every millisecond to another channel,” he said. “It’s mathematically impossible to link to that signal.”
Gilbert knows that he could have chosen a more secure option like digital, that communicates only with the receiver and broadcasts no signal to the outside world. At this point, he and his wife are both “done” with baby monitors. They’re still completely unnerved about not having the answer to three critical questions: who hacked them, how, and why?
Local police have forwarded the case to their “cyber crime” division, Gilbert said, and the FBI may get involved. After doing some research, Gilbert has learned that there’s a way to break into the software of his particular camera model unless the latest firmware is installed. He thinks it’s highly unlikely that someone broke into his wireless network, as it’s well encrypted. More probable, he said, is someone got in through the network itself, over the ethernet.
As to why his family, Gilbert is stumped — and spooked.
“I really don’t know,” he said. “I think it’s probably someone in another country. It seems like a random thing. I hope it’s random. The guy seemed like a pedophile, a predator. I hate thinking about it.”