Last week, I promised an analysis of the baby monitor system that was hacked, to the detriment of a family in Texas. This analysis is based on the little information I have about the system and follows several standards for information security analysis.
The analysis occurs in three basic domains: Confidentiality, Integrity and Availability. Each of these three is then seen in three aspects: Storage, Transit and Processing. Each of these nine domain aspects poses risks. Each risk has a degree of probability and consequence.
Confidentiality
Storage: From the promotional video at Foscam, storage is on the device itself. Hence storage is as safe as the location itself. From this, one can assume that a potential intruder will take the camera and therefore render it useless as an instrument of surveillance.
Transit: I do not have information on whether transit is encrypted or not. However, in order to access the camera from the Internet, you go to Foscam's web site in order to access an outgoing tunnel from the camera. Security from that point on is based on username/password, which we know is subject to social engineering.
Processing: Access to the camera means access to anything you might be doing to the camera. So not only is your surveillance accessible, but your use of it is also available, and settings you make might be altered, say, by turning off alarms.
Integrity
Storage: Assuming the system has been breached, all integrity of camera storage is also compromised. The major issue is mode of access.
Transit: Centralized access means easy man-in-the-middle attack. This would also reveal username/password.
Processing: Man-in-the-middle attack could potentially give you recorded images.
Availability
Storage: Loss of Internet connectivity will not affect storage. Au contraire, my friend. :)
Transit: Loss of Internet connection reduces global availability. Can the camera be accessed directly from your LAN, or do you have to go via the web site?
Processing: Loss of Internet connection reduces global availability. A breach allows a hacker to change the password and lock you out of your own camera.
Main risks
The main risk of the device is the camera's availability through the Internet. Even secure connections are subject to man-in-the-middle attacks, and hacking the company's server will also allow a hacker full access to all cameras.
A firmware update for the camera has arrived to force users to change the default admin password because, as we know, this is where the first fail occurs. It is now also possible to change the admin user name. This will certainly eliminate the easiest brute force attack (select camera, enter default admin password and you're set), but it is still only a delay.
It would be more secure if the camera only accepted access by devices with a specific encryption certificate, installable on the accessing device only when connected to your LAN. Though this approach heightens the threshold to use its Internet connection, that might be a threshold parents should be required to step up to, so that they truly understand the risks they are about to subject their children to. But it won't stop access from the NSA.
However, it is typical for these cameras to also be available directly on your LAN without going through the Internet. And using it as a baby monitor, that is all you really should need. So block the camera's Internet connection, and it's safe to use. If you need surveillance when you're not at home, you'd want a device that stores your recordings somewhere else.
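One way to check that the block on the camera's Internet connection actually holds is to audit the router's flow log for any accepted traffic between the camera and a host outside the LAN. This is an added example, not part of the original analysis; the LAN range, the camera address and the log format are assumptions, and the log lines are constructed.

```python
import ipaddress

# Assumed values for illustration; substitute your own network details.
LAN = ipaddress.ip_network("192.168.1.0/24")
CAMERA = ipaddress.ip_address("192.168.1.50")

# Constructed sample in a hypothetical "time src dst dport action" format.
SAMPLE_LOG = """\
2013-08-28T20:01:02 192.168.1.20 192.168.1.50 80 ACCEPT
2013-08-28T20:01:09 192.168.1.50 203.0.113.10 443 ACCEPT
2013-08-28T20:02:30 192.168.1.50 203.0.113.10 443 DROP
2013-08-28T20:03:11 198.51.100.7 192.168.1.50 80 ACCEPT
2013-08-28T20:04:00 192.168.1.20 192.0.2.8 443 ACCEPT
garbage line
"""

def camera_leaks(log_text, camera=CAMERA, lan=LAN):
    """Return accepted flows where the camera talks to a host outside the LAN."""
    leaks = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines
        when, src, dst, dport, action = fields
        try:
            src_ip = ipaddress.ip_address(src)
            dst_ip = ipaddress.ip_address(dst)
            port = int(dport)
        except ValueError:
            continue  # skip lines with unparsable addresses or ports
        # Only accepted flows that involve the camera matter here.
        if action != "ACCEPT" or camera not in (src_ip, dst_ip):
            continue
        peer = dst_ip if src_ip == camera else src_ip
        if peer not in lan:
            direction = "outbound" if src_ip == camera else "inbound"
            leaks.append((when, direction, str(peer), port))
    return leaks

if __name__ == "__main__":
    for leak in camera_leaks(SAMPLE_LOG):
        print("camera reachable beyond LAN:", leak)
```

An empty result over a representative log period is what a correctly isolated camera looks like; dropped attempts are ignored because they show the block working.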
2013-08-28
2013-08-21
Baby monitor hacked: Personal information security
A video baby monitor in Texas was hacked via the Internet and abused by a very bad man:
If I connected security cameras at work to the Internet, authorities would come at me with full force. Surveillance is sensitive information and must be treated as such. One of the problems, then, is that most people are not trained to think of information security in their daily lives.
As a trained professional, I would look at the package saying "over the Internet", shake my head in disgust and put it back on the shelf - unless I was looking for a public web camera for Runde. Blinded by the convenience, however, a lot of people will cheer with joy for this invention, not realizing that they are leaving themselves wide open to a malicious hacker ready to subvert their children.
The formula is fairly simple: Identify what is sensitive information (or sensitive access to your loud speaker as well, as in this case), identify who needs the information and the shortest route there, make sure you do everything you can to protect that channel in all nine aspects: Confidentiality, Integrity and Availability of Storage, Transit and Processing.
I will leave it for the reader as an exercise, before I reveal my own analysis of this system.