Baby Monitor Exposures and Vulnerabilities

Several video baby monitors from a cross-section of manufacturers were subjected to in-depth security testing; all of the devices under test exhibited several common security issues. Rapid7 researchers focused on ten new vulnerabilities which were disclosed to the individual vendors, to CERT, and to the public, in accordance with Rapid7's Disclosure Policy. The vulnerabilities are broken down according to "reach" – that is, if the issues are exploitable only with physical access to the device, if they are exploitable via the local network, or if they are exploitable from the Internet.

The results of this research are particularly relevant in light of the growing risk that businesses face as employees accumulate more interconnected devices on their home networks. If key personnel are operating IoT devices on networks that are routinely exposed to business assets, a compromise on an otherwise relatively low-value target – like the video baby monitors covered in this research – can quickly provide a path to compromise of the larger, nominally external, organizational network.