How WiFi Baby Monitors Contribute to Home Hacks
Don’t Panic! Risks from IoT monitors like Nest and Owlet are avoidable (I’ll tell you what to do)
I’m not in the business of scaring people. However, there are risks that come along with any internet-connected device, and WiFi baby monitors pose a unique, avoidable risk that you need to know about if you’re going to buy one.
A WiFi baby monitor is any video and/or audio monitor used in a baby or toddler’s room that uses a WiFi connection to send that sound and video to a parent video unit or, typically, your smartphone. Some popular brands include Nest, Owlet, Nanit, Miku, and Cubo AI. They belong to a category of technology products called the Internet of Things (IoT): items in our homes that now have an internet connection.
WiFi baby monitors work by connecting to your WiFi router, same as any phone or other smart device. As a result, they should be treated with the same security precautions as a laptop, but they’re most often seen as a toaster or a blender: set it and forget it. That’s where the trouble starts.
It’s the sort of horror story you might see on the nightly news: A baby screams from their room and you go to check on them, only for a stranger’s voice to blare out of the baby monitor. Some news reports have said hackers and “pranksters” have scared kids and parents by threatening to kidnap their kids, telling the children to be their friend because they’re Santa Claus, or calling the children racial slurs.
(Again, skin-crawling stuff. But I need to take a beat and just say again these events of strangers speaking to kids through video monitors are exceptionally rare. Botnet attacks caused by IoT devices, which I’ll address in a future post, are not rare but also are not so viscerally scary. Your kids are going to be OK, but this is the uncommon sort of thing that’s easy to guard against and I don’t want you to be unprepared.)
For example, one family’s story made the rounds on national TV news in 2019 when their Nest camera was hacked and a stranger shouted racial slurs at their 7-month-old and turned their thermostat up to 90 degrees. Google has since increased their security for the home monitoring camera. I’ve put a how-to guide below about how to set up a password for Nest.
Any device with a WiFi connection should be secured with a unique password and other safety precautions just like a laptop or a smartphone. I’m talking about internet-connected smart assistants (Alexa, Google Home, etc.), smart lightbulbs, smart plugs, WiFi-connected vacuum cleaners, and internet range boosters. Goodness, I even have a WiFi-connected litter pan for my cats! Yes, someone could hack the poop box.
If it’s connected to the internet, you can use the strategy I lay out below to protect yourself from the same vulnerabilities that come from WiFi baby monitors. It’s less about the baby monitors themselves and more about any device’s ability to connect to your internet router that makes them a security concern. First, let’s talk about how these devices are vulnerable to attacks.
Risk of a Hack in Your Home
Typically, a risk starts with a few entry points:
1. Devices’ passwords aren’t changed from the factory default when you start using them.
2. The software inside them goes to a third party to provide certain features but the third party’s security isn’t robust.
3. The internet networks between digital accessories aren’t secure.
It’s unlikely to happen, but if someone were to be able to sign into your WiFi baby monitor without your permission, they could watch your child and family at all hours of the day. If your camera has a “talk-back” function that you use to soothe your child in the middle of the night, someone who signs in without your permission could speak through their phone or laptop to your child.
This could happen because someone is targeting you, or because someone who is looking to cause trouble finds your unsecured device in a database. But whether by someone targeting you or by a random act of chaos, this isn’t something you want to leave open.
Software can even be written to prod at these devices and test long lists of companies’ default passwords, so if a device is set up at home without changing the password, it can be accessed through the flaws in this third-party software by a virus alone. The way to fix this is to always set up a unique password on WiFi devices. I’ll go through an example of how to set up a Nest password below.
How to prevent a hack:
1. Always set up a unique password for any WiFi device, including baby cameras. The best password is one that uses four or more words, plus numbers and symbols. Even if the product begins working without a password, go into your settings and make sure a password and username are set up before you start using that product.
Here’s some guidance from my favorite math-y web comic, XKCD, on the subject that I use as an unconscious habit in my daily life when choosing passwords:
Another easy way to make your passwords more secure is to use a password manager. My husband and I use Bitwarden, and my mom uses LastPass. Here’s a list from CNET that ranks password managers.
A password manager can create secure passwords for you and can store all of your passwords so you don’t have to memorize any passwords (except for the password to your password manager… You’ll still need to remember that one).
2. Choose a device with end-to-end encryption.
3. Look for a product that gets regular software updates and always update that software as soon as it’s available (if updates aren’t automatic).
4. Always make sure your internet router itself has a unique password. Here’s how to check and change your password.
5. With baby monitors, you can buy a radio or Bluetooth baby monitor that doesn’t connect to the internet. It’s less convenient because you can’t use it with your phone and can’t check the cameras when you’re away from home, but it’s much less likely to be vulnerable to hacks or virus attacks. Full disclosure, my husband and I chose a video baby monitor that uses radio waves instead of WiFi due to concerns about viruses and botnet attacks (which I’ll discuss in a future post), but the quality on the camera we got isn’t good enough to monitor the entire room, so I’m considering getting a Nest and just taking the steps to keep us safe from cyberattacks.
Here are a few very popular non-WiFi brands of baby video monitors from Infant Optics, Infant Optics, and LBtech.
6. Research products for data breaches before you buy.
7. Keep an eye on your own data exposure. Check Have I Been Pwned regularly for updates on whether your information has been hacked, and then change passwords associated with those accounts.
8. Some security experts recommend avoiding products that advertise P2P capabilities.
9. If you want to dive into something a bit more technical, you can set up a separate network within your router’s settings for all of your IoT devices. Then your WiFi devices can connect to that network and your computers and phones can connect to your regular network. (Comment below if a how-to on this would be something you’d like to see!)
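To make the password advice in step 1 concrete, here is an added example (not part of the original post) that builds a password from four or more randomly chosen words plus a number and a symbol, and estimates how hard it is to guess. The word list, symbol set, and function names are assumptions made for illustration; a password manager does the same job with a much larger list.

```python
import math
import secrets

# Constructed sample list for illustration only. A real generator should draw
# from a large published list, such as the 7,776-word EFF diceware list.
SAMPLE_WORDS = [
    "harbor", "velvet", "pickle", "lantern", "meadow", "cactus", "tunnel", "biscuit",
    "orbit", "walnut", "ripple", "canyon", "mitten", "garlic", "ferret", "puzzle",
    "anchor", "breeze", "copper", "dragon", "ember", "fossil", "guitar", "hammer",
    "island", "jigsaw", "kettle", "lemon", "magnet", "noodle", "oyster", "pepper",
]
SYMBOLS = "!@#$%&*?"  # assumed symbol set


def entropy_bits(wordlist_size, n_words):
    """Guessing difficulty in bits when every part is picked uniformly at random.

    Each word adds log2(wordlist_size) bits; the single digit and the single
    symbol add log2(10) and log2(len(SYMBOLS)) bits.
    """
    return (n_words * math.log2(wordlist_size)
            + math.log2(10) + math.log2(len(SYMBOLS)))


def make_passphrase(words=SAMPLE_WORDS, n_words=4):
    """Return e.g. 'walnut-ember-tunnel-kettle7#' using the OS random source."""
    if n_words < 4:
        raise ValueError("use four or more words")
    if len(set(words)) != len(words):
        raise ValueError("word list contains duplicates")
    # secrets (not random) is the right module for anything security-related.
    picked = [secrets.choice(words) for _ in range(n_words)]
    return "-".join(picked) + secrets.choice("0123456789") + secrets.choice(SYMBOLS)


if __name__ == "__main__":
    print(make_passphrase())
    # The 32-word sample list is far too small for real use.
    print(f"sample list, 4 words: {entropy_bits(len(SAMPLE_WORDS), 4):.1f} bits")
    print(f"7,776-word list, 4 words: {entropy_bits(7776, 4):.1f} bits")
```

The strength comes from the words being picked at random from a long list, which is why the same recipe is weak with the 32-word sample list and much stronger with a 7,776-word one.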
How to set up a password with Nest:
The simplest and most important step you can take is to set up a unique password on your new device. Let’s walk through how to do that with a Nest because it’s a popular baby camera.
1. Use a unique password (different from anything else you use). If you already have a Google account and you haven’t changed your password in more than six months, go ahead and change it now.
2. Download the Google Home app.
3. Does your phone have Face ID or fingerprint verification turned on? If that isn’t available, make sure you have a six-digit password on your phone. This will keep anyone from getting into your Nest if your phone is borrowed or stolen.
4. Add your Nest camera to the Google Home app.
5. Scan the QR code on the front of your Nest camera when prompted in the app. Remove the QR code sticker and place it in your user manual so no one can scan the code and install it on their phone.
6. Plug in the power cord.
7. Follow the steps in the app to set up the camera to the WiFi network.
8. Set up two-factor authentication:
   A. Go to your Google Account
   B. Click “Security” on the left hand side menu
   C. Click “Two-Step Verification” in the center menu
   D. Sign in
   E. Click “Turn On” and follow prompts
This will make it so you get a code sent to your phone when you (or someone else) try to access your Google account from an unrecognized browser. It’s been simple enough for me to manage for the years I’ve had this on my account and it makes it very difficult for a hacker to access your account.
What did you think of this analysis of this topic and this how-to guide? Which parts of this topic would you like to see more of in future posts? Let me know below or email me!
This post contains Amazon affiliate links. This post is NOT sponsored by any brand, product, or company. I link to as many products as possible for easy access for busy parents and I won’t hesitate to share the pros and cons of all products I discuss.
Sources:
I’ve decided to start sharing all the sources I use to write this post. If you’re interested in diving into this issue yourself, here’s where to start.
Articles:
https://www.iotforall.com/5-worst-iot-hacking-vulnerabilities
https://www.theregister.com/2016/10/13/possibly_worst_iot_security_failure_yet/?mt=1476453928163
https://hacked.camera/
https://krebsonsecurity.com/2019/04/p2p-weakness-exposes-millions-of-iot-devices/
https://techcrunch.com/2020/06/01/google-nest-advanced-protection/