Pierluigi Paganini June 24, 2018

Vulnerabilities in Fredi Wi-Fi baby monitor could be exploited by a remote unauthenticated attacker to control it and spy on the family.

Security researchers at SEC Consult reported discovered that vulnerabilities in Fredi Wi-Fi baby monitor could be exploited by a remote unauthenticated attacker to control it and spy on the family.

The investigation started when a mother from South Carolina USA, Jamie Summitt,  claimed someone had taken control over the baby monitor.

Many commercial surveillance products leverage a “P2P cloud” feature that is enabled by default. Every device connects to a cloud server infrastructure and keeps this connection up. Mobile devices and desktop applications can connect to the camera via the cloud.

This architecture makes it easier for users to interact with the camera, no firewall rules, port forwarding rules or DDNS setup are required on the router. But this approach has  many security drawbacks as highlighted by the researchers:

• The cloud server provider gets all the data (e.g. video streams that are viewed).
  • Open questions: Who runs these servers? Where are they located? Do they comply with local jurisdiction, e.g. also EU GDPR?
• If the data connection is not properly encrypted, anyone who can intercept the connection is able to monitor all data that is exchanged.
• The “P2P Cloud” feature bypasses firewalls and effectively allows remote connections into private networks. Now attackers can not only attack devices that have been intentionally/unintentionally exposed to the web (classic “Shodan hacking” or the Mirai approach) but a large number of devices that are exposed via the “P2P Cloud”.

The experts discovered that the P2P service connects directly to the cloud and can be accessed with no more than an 8-digit device number and a shared default password.

This means that everyone accessing to the online portal could enter random numbers with the default password to view camera feeds.

“Unfortunately the device ID does not look very secure,” reads the post published by the researchers.

“Plus the default password is neither randomly generated nor device-specific. Unless the user has changed the password to a secure one, anyone can log in and interact with the camera by ‘trying’ different cloud IDs.”

SEC Consult researchers added that insecure Fredi Wi-Fi baby monitors could also be used by hackers as an entry point in the home networks that host them.

“The ‘P2P Cloud’ feature bypasses firewalls and effectively allows remote connections into private networks. Now attackers can not only attack devices that have been intentionally/unintentionally exposed to the web (classic “Shodan hacking” or the Mirai approach) but a large number of devices that are exposed via the ‘P2P Cloud’.” continues the report.

Is the problem limited to the Fredi Wi-Fi baby monitor?

Unfortunately no, because the Chinese company that provided the firmware for the Fredi baby monitors develops generic camera control apps for many other devices.

“Obviously, the device and the cloud service is not GDPR compliant.” conclude the experts.

“It seems that consumer electronics with opaque supply chains, paired with insecure, built-in cloud features that are enabled by default will keep us busy in the future,” 

The experts also published IoCs to detect the presence of devices using the Gwelltimes “Cloud-Links” platform in infrastructure.

Pierluigi Paganini

(Security Affairs – Fredi Wi-Fi baby monitor, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]