Hacking smart baby monitors to blackmail the parents

New reports of Internet of Things (IoT) devices with poor cybersecurity measures have emerged. This time, experts revealed that iBaby's M6S smart monitors have multiple security issues that could allow threat actors to extract stored images or videos and even steal users' personal information. These vulnerabilities were found thanks to a prior investigation into the security measures of Ring smart doorbells.

Just like many other tech companies, iBaby uses Amazon Web Services for cloud storage. When the device sends its admin an alert because of the baby’s movements or cries, a video is uploaded to the cloud platform; these video alerts are protected with a secret key and an access ID.

Even though this is a pretty secure method, it is poorly implemented: those security keys don't restrict users to their own profiles. Instead, the keys let you access everyone else's cloud data. It is worth noting that this process is not as simple as it sounds; however, these are severe misconfigurations in iBaby's cloud access controls.

To exploit these flaws, a threat actor could buy a vulnerable iBaby monitor model and use it to access the files stored in any other user's cloud storage. The specialists responsible for the finding are not allowed to disclose the method used during testing, but users should consider this a completely feasible attack.
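The article does not publish iBaby's actual cloud configuration. As an added example (not from the researchers or the vendor), the following check shows how a reviewer could tell an S3 policy that lets one device credential reach every user's objects from one confined to the caller's own prefix. The bucket name, both policies and the assumption that each device has its own AWS identity are constructed for illustration.

```python
import json
from fnmatch import fnmatchcase

# Constructed policies; the bucket name and key layout are placeholders.
BUCKET = "arn:aws:s3:::example-alert-videos"
SHARED_KEY_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
    "Resource": [BUCKET, BUCKET + "/*"]}]}
PER_DEVICE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": BUCKET + "/${aws:userid}/*"},
    {"Effect": "Allow",
     "Action": "s3:ListBucket",
     "Resource": BUCKET,
     "Condition": {"StringLike": {"s3:prefix": "${aws:userid}/*"}}}]}

OBJECT_OPS = ("s3:getobject", "s3:putobject", "s3:deleteobject")

def _list(value):
    return value if isinstance(value, list) else [value]

def _grants(stmt, op):
    # IAM action names are case-insensitive and may contain wildcards.
    return any(fnmatchcase(op, a.lower()) for a in _list(stmt["Action"]))

def cross_tenant_findings(policy):
    """Heuristic: list (action, resource) grants not confined to the caller's own prefix."""
    findings = []
    for stmt in _list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        cond = json.dumps(stmt.get("Condition", {}))
        list_scoped = "s3:prefix" in cond and "${" in cond
        for res in _list(stmt["Resource"]):
            _, slash, key = res.partition("/")
            # Object ARN whose key part has no per-principal policy variable.
            if res == "*" or (slash and "${" not in key):
                findings += [(op, res) for op in OBJECT_OPS if _grants(stmt, op)]
            # Bucket-level listing with no per-principal prefix condition.
            if (res == "*" or not slash) and not list_scoped and _grants(stmt, "s3:listbucket"):
                findings.append(("s3:listbucket", res))
    return findings

if __name__ == "__main__":
    for name, pol in (("shared key", SHARED_KEY_POLICY), ("per device", PER_DEVICE_POLICY)):
        print(name, cross_tenant_findings(pol))
```

The check is a static heuristic over policy text; it does not replace evaluating effective permissions with the cloud provider's own policy analysis tooling.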

Besides, there are other security flaws of lower severity. One of them is an Insecure Direct Object Reference (IDOR), which could be used by a hacker to extract personal details about the monitor's administrators. Potentially exposed information includes names, email addresses, location data and even profile pictures.

The security flaws were reported to iBaby in May 2019, although the company still has not responded. Thus, those behind the discovery decided to publicly disclose these severe flaws, which could affect thousands of families with little babies. There's still time for iBaby developers to implement better security measures for its clients and their babies.