Ars Technica has posted a list of nine tested baby monitors whose makers didn’t bother to include any useful form of security before shipping them. In other words, if you own one of the ones listed (nothing I’ve ever recommended), chances are someone could spy on you.
The issues range from unencrypted internet traffic, to URLs that simply use a serial number which is easily guessable if you have seen one camera, all the way to the ability to add an administrator account to a camera without needing a password. These are utterly idiotic programming failures that put you and your loved ones at risk of being spied on.
Worse yet, a hacked camera can do things other than just spy on you. Keep in mind these cameras are all little computers. You could find out that your camera’s firmware has been reflashed and that it is being used to relay internet traffic and mask illegal activities.
If you’re going to let a piece of internet-connected equipment into your house, and that means anything from an internet-connected thermostat to a baby cam, you need to make sure you can lock your network down so that only you can use it.
Every product out there is going to try to sell you on its security, but there are no independent audits that these places use. The software is often designed by people who aren’t security-minded programmers, and often these software packages are just modified by the end parties selling the product.
An example would be a generic webcam built in China, with generic control software and a web back end. A company such as Company X purchases these cameras and software, slaps its stickers and an instruction manual in a box, makes a few changes to the code so that its servers and its logo are there, and that’s it. The company you purchased the product from didn’t really write any code and is trusting another company that supplies the same buggy code to a dozen resellers.
That said, don’t go throwing out your webcams just yet. Everything has a fix.