Hackers breaking into baby cams are actually trying to help

Earlier this month, in the middle of the night, a pair of Minnesota parents heard strange music coming from their baby’s room. When they investigated, they were horrified to find that the sound was coming from their Foscam baby camera. The camera had been hacked, and its live-feed of their baby’s crib had been posted to a site with the URL “Spycam.cdn7.com.” The site’s title was “Big Brother Is Watching You.”

The world of connected baby cams is no stranger to hackers, and Foscam, in particular, has been criticized for years for its lax security settings. Security researchers discovered in 2013 that the China-made camera was designed with a vulnerability that would let anyone on the Internet access it and take control of the stream. The company released an update that would fix the problem, but did not force an update out into the wild, meaning that thousands of the cameras are still vulnerable to hackers until their owners change their passwords and download a security update.

The fact that digital security was not an inherent product feature obviously comes as a surprise to the new parents and other customers who bought the cameras.

“It’s not just nurseries,” the alarmed, unnamed Minnesota mother told the local TV station KTTC. “It’s people’s bedrooms, their living rooms, their kitchens. Every place that people think is sacred and private in their home is being accessed.”

Well-meaning hackers have been trying to alert parents to Foscam’s security vulnerability for years. Sometimes, their efforts aren’t subtle. (One hacker took control of a Foscam and screamed “wake up, you little slut” to a toddler in Texas in 2013; another shouted “wake up, baby” to a youngster in Ohio in 2014.) But as malicious as their methods can sound, these hackers are actually trying to do these customers a service: waking them up to the fact that the product they’re putting into “sacred” places in the home is hackable by anyone with minimal tech expertise.

The method hackers used to alert the Minnesota family—putting their baby cam’s stream online in a publicly accessible way—was gentler than screaming at toddlers. But clearly, it was still enough to freak out the family.

When I interviewed the chief operating officer for Foscam’s U.S. distribution arm, Chase Rhymes, about the problem last year, he told me the company had made the cameras this way “to give our customers the freedom to keep it easy and not have to make their own password.” He said with new products, Foscam does force customers to put a customized password on the devices, but he said there was no way for the company to communicate to some of the people who had bought the security-defective cameras the company had made in the past. “If customers bought from a third party [like Amazon or Best Buy] they’re on an island and we can’t necessarily reach them,” said Rhymes.

The “Big Brother” camera site claimed to access over 1,000 cameras and had them categorized by the room they snooped on: “nursery,” “bedroom,” “living room,” etc. The person behind the site, a programmer who corresponded with Fusion via an anonymous email account, says that he created it six months ago. He took it down after the news report in Minnesota, because his hosting provider received an “abuse complaint.” When asked why he created it, he pointed Fusion to the disclaimer that was on the site when it was live:

This site doesn’t own any of presented ip cameras. All captures are automatically deleted after 72 hours. Our goal is to give awareness of technical security problems around private life. All presented ip cams use default password or no password at all. Everyone on the internet can access such cameras using Google or other specialized search engines. It’s a serious problem that can result in bigger security consequences. If you want your camera to be removed – simply change your password.

He said his main goal was to alert people they were exposed, but he couldn’t do it one by one. “That’s technically difficult. The only thing you know is the IP address, so you have to contact an ISP to pass the info to their client. That’s a huge work,” he wrote (in shaky English) by email. “Generally people don’t see the potential problem until they are touched with it. The level of IT education is rising but not as fast as the electronics is coming in our life.”

However alarming their tactics, this white-hat hacker effort clearly worked with at least one family. According to KTTC, the Minnesota family “removed all the cameras, choosing to monitor their child the old-fashioned way.”