In late February, Daxdi and Bitdefender reported several significant security flaws in the popular iBaby Monitor M6S.
A server-side configuration error meant that a network expert could use an iBaby monitor of their own to view and download videos and pictures uploaded by other legitimate users of the device.
A different configuration problem made it possible for third parties to listen in on communications from every monitor.
An attacker who caught setup details of a new device while snooping could take full control of the baby monitor.
Finally, by piggybacking on the first two security holes, an attacker could capture the owner’s personal information.
The discovery of these security flaws came as a direct result of a partnership between Daxdi and Bitdefender’s Internet of Things security team.
On an ongoing basis, we inform the Bitdefender team about which devices are popular and well-regarded, and they put those devices through rigorous testing.
If they discover security problems, they warn the device’s designers and give them time to come up with a fix, typically 90 days.
But when time’s up, they publish the results whether or not the holes got fixed, both in a blog post that’s understandable to most, and in a whitepaper with full details for the edification of security experts.
Past reports stemming from this partnership have covered security problems in the Ring Video Doorbell and in Belkin’s Wemo Smart Plug.
Ring and Belkin fixed the problems right away.
In Ring’s case, the fix required pushing out a firmware update to secure all affected devices.
Since all of the iBaby vulnerabilities were on the server side, a fix should have been easy, but almost nine months went by with no action.
So, what happened?
Communications Breakdown
When the Bitdefender team found security problems with the iBaby device, they attempted to report them to iBaby Labs.
They tried various email addresses, asking to set up an encrypted email communications channel so they could pass along their findings securely.
Unfortunately, they received no useful response.
Daxdi’s hardware team necessarily communicates with iBaby Labs when reviewing their baby monitoring devices. This team supplied the Bitdefender group with contact information.
Even so, Bitdefender couldn’t make a connection with the iBaby developers.
Typically, researchers give device makers 90 days to deal with this kind of vulnerability before making it public.
Bitdefender kept trying to contact iBaby for almost nine months, eventually revealing the details in a talk at the 2020 RSA Conference in San Francisco.
A Fast Fix
In conjunction with the big reveal at the RSA Conference, we released our reporting on the subject and Bitdefender’s team published their blog post and whitepaper.
The next day, iBaby Labs contacted us with great consternation.
The company representative stated they’d never heard about these problems.
It’s clear, though, that thanks to the details in Bitdefender’s whitepaper, iBaby’s developers quickly understood the security flaws.
In just a few days, iBaby Labs announced a fix for all the reported problems.
The report notes that while data could have been exfiltrated through the security holes, they found no evidence this had happened.
As noted, the security flaws existed at the server level, which means that iBaby’s fixes took place immediately.
Bitdefender’s IoT wizard Jay Balan confirmed the fix.
“I can say that at this point the attack vectors we identified in our research don’t work anymore,” said Balan.
“The speed with which they delivered the fix is to be appreciated.
We’re only sorry it took this media outreach to get their attention, leaving their clients with a pretty big vulnerability window.”
In addition to the server-side fixes, the report from iBaby promises a firmware update.
The report states, “Soon we will also release a firmware update to be pushed out to your device.
Once it’s available, you will receive a notification.
This will further enhance data security.”
Recommended by Our Editors
A Lesson to Learn
With every week that goes by, we learn about some new Internet of Things device, from diapers that text you when they need a change to a robot that folds your laundry.
Almost all of these have one thing in common—they’re not designed with security in mind.
And why should they be? Will somebody hack into your internet-aware toaster and burn the toast? The problem is, any unprotected IoT device on your network can be suborned by malefactors to compromise your whole network’s security.
In the case of a baby monitor or other camera-equipped device, hackers may literally spy on you.
I’m not suggesting that the burgeoning IoT industry slows its production of new devices by adding dedicated security teams.
Doing so would give a competitive advantage to unsecured devices that could sell for less.
And even with a security team on board, some bugs could slip through.
Rather, I’m strongly suggesting that every device maker publish a contact that researchers can use to report problems.
It’s a simple enough solution.
Had iBaby Labs provided such a contact, this could have been a very different story.