Hacker 'shouts abuse' via Foscam baby monitoring camera

Marc Gilbert heard expletives being directed at his two-year-old daughter Allyson

Related Stories

A hacker was able to shout abuse at a two-year-old child by exploiting a vulnerability in a camera advertised as an ideal "baby monitor".

ABC News revealed how a couple in Houston, Texas, heard a voice saying lewd comments coming from the camera, made by manufacturer Foscam.

Vulnerabilities in Foscam products were exposed in April, and the company issued an emergency fix.

Foscam said it was unable to provide a statement at this time.

However, a UK-based reseller told the BBC it would contact its entire customer database to remind them "the importance in setting a password to their cameras".

The spokesman added that it would be urging Foscam's head office - based in Shenzhen, China - to send out a memo to all its resellers suggesting they too contact their customers.

ABC reported that Marc Gilbert and wife Lauren were left shaken when they heard a "British or European accent" coming from the camera.

Mr Gilbert said the voice directed offensive, sexualised words at their daughter Allyson, who was asleep in bed.

The family believed the hacker was able to call the child by her name because it was spelt out on the bedroom's wall.

Analysis

Using monitoring equipment to ensure the safety of children can be very valuable.

However, if you do wish to use such devices you should exercise caution before using something that attaches to the internet as it increases the potential vulnerability.

There are forums and dedicated search engines that look for vulnerable devices on the web - so if yours is susceptible there is a good chance it will be found, and could be abused.

Regardless of the security you think you may have on your PC each device can be separately vulnerable.

If you do use a web-connected device then you must ensure software is always up-to-date.

This is not just the operating system on your PC but also applications you use and the built-in software - known as firmware - built into the devices.

Many attacks use security holes found in such firmware.

Most vendors send out updates monthly: the second Tuesday of each month having become known as Patch Tuesday when many release their software.

However, urgent updates may be distributed as soon as possible so vigilance is the key.

The two-year-old is deaf, something the couple described as "something of a blessing" in the circumstances.

It is not clear whether the family had updated the camera with the latest software.

'Kids room'

The BBC has found evidence of hackers sharing information on how to access insecure Foscam cameras via several widely-used forums.

Using specialist search engines, people can narrow their results by location.

On one forum, internet addresses for cameras - not all made by Foscam - were listed with descriptions such as "school/daycare?" and "kids room".

In April, security firm Qualys uncovered a weakness in Foscam's devices.

The company said that various attack techniques exposed the camera's remote monitoring access - the simplest of which was simply scraping Foscam's website for unique identifying codes for each customer.

Around two out of every 10 Foscam cameras monitored by the researchers were insecure, Qualys said - using just "admin" to log in, and requiring no password.

Foscam is not the only company to find itself the target of hackers. Last year, camera company Trendnet had to rush out an update to fix a security hole that left thousands of cameras exposed.

Fix issued

In June, Foscam issued a fix for some of the issues raised by Qualys. In a blog post, the company said it appreciated the "constructive criticisms and advice".

Visitors to the firm's homepage do not see any notice of the critical upgrade.

The company did however publish a blog post to publicise the patch, and users who had signed up to a firmware update newsletter should have been informed by email.

Foscam homepage There is no mention of the critical patch on the company's homepage

Discussion forums on the Foscam website show several other customers having security problems with their devices.

User pianomama00 wrote: "My husband heard something in babies room.

"He went in and a guy started talking to him and said he wasn't a neighbour and lived in a different state! Be careful everyone!"

Another user criticised the firm's customer service, saying: "I can't call, can't chat online and I've sent email with no response."

A technical support number listed on the UK website remained on hold for 30 minutes when contacted by the BBC. A separate sales number gave an estimate of a "47-minute" wait to speak to an advisor.

A link to find out more information about the company and its location led to a broken page.

Foscam products in the UK are also sold under the trading name of GadgetFreakz - as well as being sold through Amazon.

A spokesman for GadgetFreakz said the company was looking at ways to better inform customers of the importance of setting secure passwords, adding that it prided itself on good customer service.

Follow Dave Lee on Twitter @DaveLeeBBC

More on This Story

Related Stories

More Technology stories

RSS

Features

BBC © 2014 The BBC is not responsible for the content of external sites. Read more.

This page is best viewed in an up-to-date web browser with style sheets (CSS) enabled. While you will be able to view the content of this page in your current browser, you will not be able to get the full visual experience. Please consider upgrading your browser software or enabling style sheets (CSS) if you are able to do so.