Update: iBaby says it has taken steps to address the issues and will be rolling out an additional update to "further enhance data security." The company says there was no breach of data.
"We have immediately deactivated the potentially compromised AWS authentication information," the company officially stated. "In addition, we've taken a few measures to tighten the security such as limited the cloud storage access and enhanced the MQTT server configuration to strictly limit the topics to which each device can subscribe to. We are continuing to enhance all our safety efforts."
Bitdefender researchers recently discovered multiple security vulnerabilities in a widely used baby monitor, the iBaby Monitor M6S. The analysts, who partnered with PCMag, said that all it would take to exploit these cameras is someone with access to one of the devices and some rudimentary networking skills. It's a piece of cake after that.
It was a troublesome scenario with far-reaching consequences for parents and just about anyone who cares about tech's impact on everyday privacy. And it came just weeks after disturbing reports of hackers taking control of home surveillance devices like Ring and Nest cameras.
Easy breezy access to cloud storage — Bitdefender researchers discovered that iBaby Monitor M6S cameras had weak security infrastructure that would let hackers easily access recorded videos, photos, live feeds, and personal information in cloud storage run by Amazon Web Services. The analysts said that iBaby's secret key and access key ID open the doors to just about any home.
Stunningly weak server configuration — iBaby monitors relied on a protocol called MQ Telemetry Transport (MQTT) to communicate. The problem was that iBaby's MQTT server was configured so loosely that anyone holding the credentials for one monitor could easily access other iBaby cameras, and could run those cameras, take photos through the monitor, activate music, and record clips of unsuspecting homes.
Initial silence — For the parents who rely on iBaby cams to keep an eye on their little ones, these vulnerabilities were undoubtedly nightmarish. PCMag initially reported that the company did not respond to Bitdefender's report right away. However, in an emailed statement to Input, iBaby Labs claimed that it was not aware of the attempts Bitdefender made to contact the firm.
It looks like iBaby Labs has attempted to address these security flaws. For the future, we advise all device manufacturers to prominently display their contact details so that researchers can truly put their innovation to the test.
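The MQTT fix iBaby describes in its statement, limiting the topics each device can subscribe to, comes down to a broker-side authorization check on every subscription request. The sketch below is an added example, not iBaby's or Bitdefender's code; the `cameras/<client_id>/...` topic layout, the client IDs and the function names are assumptions made for illustration.

```python
# Added illustration; topic layout and client IDs are constructed, not iBaby's.
import re

OPEN_ACL = ["#"]                            # weak: any client may subscribe to any topic
PER_DEVICE_ACL = ["cameras/{client_id}/#"]  # each device confined to its own subtree

def valid_filter(f):
    """MQTT rule: '+' and '#' must fill a whole level, '#' only the last one."""
    levels = f.split("/")
    whole = all(l in ("+", "#") or not re.search(r"[+#]", l) for l in levels)
    return bool(f) and whole and "#" not in levels[:-1]

def covers(allowed, requested):
    """True if every topic matched by `requested` is also matched by `allowed`."""
    a, r = allowed.split("/"), requested.split("/")
    for i, level in enumerate(a):
        if level == "#":
            return True       # allowed filter takes this level and all below it
        if i >= len(r) or r[i] == "#":
            return False      # request is shorter, or broader from here down
        if level == "+":
            continue          # any single level (literal or '+') is acceptable
        if level != r[i]:
            return False      # different literal, or request uses '+' here
    return len(r) == len(a)

def authorize_subscribe(client_id, requested, acl):
    # A client ID containing '+', '#' or '/' would widen the expanded pattern,
    # so only a conservative character set is accepted.
    if not re.fullmatch(r"[A-Za-z0-9_-]+", client_id) or not valid_filter(requested):
        return False
    return any(covers(p.replace("{client_id}", client_id), requested) for p in acl)

# Constructed subscription requests, all sent by the client "cam-001".
REQUESTS = [
    "cameras/cam-001/status",
    "cameras/cam-001/#",
    "cameras/cam-002/status",   # another household's device
    "cameras/+/status",         # every device at once
    "#",                        # everything on the broker
]

def granted(client_id, acl):
    return [r for r in REQUESTS if authorize_subscribe(client_id, r, acl)]

if __name__ == "__main__":
    print("open ACL:      ", granted("cam-001", OPEN_ACL))
    print("per-device ACL:", granted("cam-001", PER_DEVICE_ACL))
```

The check compares subscription filters rather than individual topics, which is why a wildcard request such as `cameras/+/status` is refused even though it also covers the device's own topic.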