Cheap baby monitors and security cameras – widespread flaw allows remote viewing

baby camera
100% human

A new report from Safety Detectives emphasises that cheap baby monitors and security cameras have inbuilt flaws that the vendors will never fix. The flaw allows anyone to remotely view unencrypted video streams.

Yes, we have reported recently on the billions of cheap generic video doorbells and security cameras – it is scary, especially if you have one. This new report exposes that hundreds of millions of cheap baby monitors and security cameras have an intentional ‘convenience’ feature that is a huge security flaw.

The features is password-less monitoring, saving you from entering a log-in and password in the middle of the night to access the cheap baby monitors and security cameras. And it is widely used by baby monitor cameras, pet monitors and kindergarten remote viewing cameras.

Cheap baby monitors
Remote access by a hacker – they could easily insert a video loop to cover a kidnapping

The faulty tech behind the cheap baby monitors and security cameras flaw

Any camera that uses RTSP (Real-Time Streaming Protocol) and weak or password-less access is remotely accessible. All it takes is a simple scan of the Wi-Fi network to obtain the devices external IP address. Think of RTSP just like HTTP. It is used the same way to access a URL (in this case as IP address) in a browser e.g., rtsp://<ip>:<port> RTSP/1.0\r\nCSeq: 2\r\n

It then acts like a TV remote controller (play, record and pause) to access streams from a cloud server or live camera. So, when you see all those TV CIA, FBI, Hacker shows accessing public, ATM and building cameras know that the RTSP flaw is real and perhaps even a mandated backdoor.

Hacking is all automatic

Automated bots roam the Internet and use Cameradar – affectionally known as a ‘grinder’. It uses a variation of the above script.

  • Detect open RTSP cameras
  • Get its public info (hostname, port, camera model, etc.)
  • Launch automated attacks to get its stream route (for example /live.sdp)
  • Launch automated attacks to get the camera username and password
  • Generate thumbnails to check if the streams are valid and to preview the stream quickly
  • Insert a substitute video loop, e.g., showing a baby sleeping when it has been kidnapped
  • Print a summary of all the information Cameradar could get with further intensive use

If the camera is secure, the response is ‘401 Unauthorised’ and the bot moves to the next IP address and grinds on.

How widespread?

In 2019 a scan revealed 4.6 million accessible cameras in a specified US IP range.

One of the major free Linux-based operating systems used by most IoT, cheap baby monitors and security cameras since the late 80s is VxWorks RTOS  (real-time operating system). Until recently (Version 6.5 or later) there was no patch for the TCP stack vulnerability that allows hackers to get past the router firewall – hundreds of millions of pre-2019 IoT devices use it.

Fredi pan and tilt was judged the Worst secured baby camera and came in hundreds of white-label variations.

Safety Detectives say Australia is high up the attack list because they buy lots of cheap baby monitors and security cameras. The average user cannot easily test for the vulnerabilities, but the following flow-chart gives some assistance.

It says the only way to secure these devices is to set up a unique password on each (change the admin log-in), not just the log-in and password for any overall control app. That means accessing the camera by IP address – beyond most users’ expertise. You should also turn off RTSP in your router (it may be in advanced settings). That should not stop you from accessing the camera over mobile data if you have a secure camera.

Cheap baby monitors
Basically you need to disable router port 554 but that may stop remote access

What are secure brands?

They certainly are not generic, white-label, Chinese-made baby monitors and security cameras that use a common cloud like CloudEdge. Then AliExpress, eBay, Amazon, Kogan, Dick Smith or other merchant sites flog them. It is cheaper to do it that way. Suspect brands include EUFY, EZviz (Hikvision), Merkury, Geeni, Orion, Youpin, Qihoo, Accfly, Banggood, Chuango, Kogan, Dick Smith, Imou, 360, Vivitar, Eken, Lyeef and hundreds of Ring knockoffs. Just look at AliExpress here – there are 14,863 results!

For that reason, we support Arlo’s privacy as a pledge. So far, no other security camera maker has been able to match. But buying D-Link, Uniden, Nest and Swann are a pretty safe bet.

Arlo Baby Cams link to an Arlo Smart Hub that protects them from hackers
Arlo privacy logo