A new report from Safety Detectives emphasises that cheap baby monitors and security cameras have inbuilt flaws that the vendors will never fix. The flaw allows anyone to remotely view unencrypted video streams.
Yes, we have reported recently on the billions of cheap generic video doorbells and security cameras – it is scary, especially if you have one. This new report exposes that hundreds of millions of cheap baby monitors and security cameras have an intentional ‘convenience’ feature that is a huge security flaw.
The feature is password-less monitoring, saving you from entering a log-in and password in the middle of the night to access the cheap baby monitors and security cameras. It is widely used by baby monitor cameras, pet monitors and kindergarten remote viewing cameras.
The faulty tech behind the cheap baby monitors and security cameras flaw
Any camera that uses RTSP (Real-Time Streaming Protocol) with weak or password-less access is remotely accessible. All it takes is a simple scan of the Wi-Fi network to obtain the device’s external IP address. Think of RTSP just like HTTP. It is used the same way to access a URL (in this case an IP address) in a browser, with a plain-text request such as DESCRIBE rtsp://<ip>:<port>/ RTSP/1.0\r\nCSeq: 2\r\n
It then acts like a TV remote control (play, record and pause) to access streams from a cloud server or live camera. So, when you see all those CIA, FBI and hacker TV shows accessing public, ATM and building cameras, know that the RTSP flaw is real and perhaps even a mandated backdoor.
Hacking is all automatic
Automated bots roam the Internet running Cameradar – affectionately known as a ‘grinder’. It uses a variation of the request above to:
Detect open RTSP cameras
Get its public info (hostname, port, camera model, etc.)
Launch automated attacks to get its stream route (for example /live.sdp)
Launch automated attacks to get the camera username and password
Generate thumbnails to check if the streams are valid and to preview the stream quickly
Insert a substitute video loop, e.g., showing a baby sleeping when it has been kidnapped
Print a summary of all the information Cameradar could get, for further, more intensive use
If the camera is secure, the response is ‘401 Unauthorised’ and the bot moves to the next IP address and grinds on.
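To see what that ‘401 Unauthorised’ check looks like in practice, here is a small script you can run against a camera on your own network. It is an added example written for this article, not code from the Safety Detectives report or from Cameradar, and the camera address 192.168.1.50 is an assumed placeholder for your own device.

```python
import socket
import sys

def build_describe_request(host: str, port: int = 554, path: str = "/", cseq: int = 2) -> bytes:
    """RTSP DESCRIBE request: the same HTTP-like text shown in the article."""
    url = f"rtsp://{host}:{port}{path}"
    return (
        f"DESCRIBE {url} RTSP/1.0\r\n"
        f"CSeq: {cseq}\r\n"
        "Accept: application/sdp\r\n"
        "\r\n"
    ).encode()

def classify_rtsp_response(raw: bytes) -> str:
    """Turn the camera's status line into what it means for the owner."""
    status_line = raw.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("RTSP/"):
        return "unknown"          # not an RTSP reply at all
    code = parts[1]
    if code == "401":
        return "auth-required"    # the secure case: camera demands a password
    if code == "200":
        return "open"             # stream description handed out with no credentials
    if code == "404":
        return "no-such-path"     # RTSP is answering, but this route does not exist
    return f"other-{code}"

def check_camera(host: str, port: int = 554, path: str = "/", timeout: float = 3.0) -> str:
    """Send one DESCRIBE to a camera you own and classify the reply."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_describe_request(host, port, path))
            reply = sock.recv(4096)
    except OSError:
        return "unreachable"      # closed port, firewall, or RTSP switched off
    return classify_rtsp_response(reply)

if __name__ == "__main__":
    # Assumed LAN address of your own camera; pass a different one on the command line.
    camera = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.50"
    print(camera, check_camera(camera))
```

A result of ‘open’ means the camera described its stream without asking for a password, which is exactly the flaw the report describes; ‘auth-required’ is what you want to see.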
In 2019 a scan revealed 4.6 million accessible cameras in a specified US IP range.
One of the major free Linux-based operating systems used by most IoT devices, cheap baby monitors and security cameras since the late 80s is VxWorks RTOS (real-time operating system). Until recently (Version 6.5 or later) there was no patch for the TCP stack vulnerability that lets hackers get past the router firewall – hundreds of millions of pre-2019 IoT devices use it.
Safety Detectives say Australia is high up the attack list because Australians buy lots of cheap baby monitors and security cameras. The average user cannot easily test for the vulnerabilities, but the following flow-chart gives some assistance.
It says the only way to secure these devices is to set up a unique password on each (change the admin log-in), not just the log-in and password for any overall control app. That means accessing the camera by IP address – beyond most users’ expertise. You should also turn off RTSP in your router (it may be in advanced settings). That should not stop you from accessing the camera over mobile data if you have a secure camera.
What are secure brands?
They certainly are not the generic, white-label, Chinese-made baby monitors and security cameras that use a common cloud like CloudEdge and are then flogged by AliExpress, eBay, Amazon, Kogan, Dick Smith and other merchant sites. It is cheaper to do it that way. Suspect brands include EUFY, EZviz (Hikvision), Merkury, Geeni, Orion, Youpin, Qihoo, Accfly, Banggood, Chuango, Kogan, Dick Smith, Imou, 360, Vivitar, Eken, Lyeef and hundreds of Ring knockoffs. Just look at AliExpress here – there are 14,863 results!
For that reason, we support Arlo’s privacy pledge, which so far no other security camera maker has been able to match. But D-Link, Uniden, Nest and Swann are also a pretty safe bet.