Several video baby monitors from a cross-section of manufacturers were subjected to in-depth security testing; all of the devices under test exhibited several common security issues. Rapid7 researchers focused on ten new vulnerabilities, which were disclosed to the individual vendors, to CERT, and to the public, in accordance with Rapid7's Disclosure Policy. The vulnerabilities are broken down according to "reach" – that is, whether the issues are exploitable only with physical access to the device, via the local network, or from the Internet.
The results of this research are particularly relevant in light of the growing risk that businesses face as employees accumulate more interconnected devices on their home networks. If key personnel are operating IoT devices on networks that are routinely exposed to business assets, a compromise on an otherwise relatively low-value target – like the video baby monitors covered in this research – can quickly provide a path to compromise of the larger, nominally external, organizational network.
IoT Baby Monitor Research and IoT Security Explained
HACKING IoT: A Case Study on Baby Monitor Exposures and Vulnerabilities
Written by Mark Stanislav and Tod Beardsley
Good Morning America: Warning Over Internet-Based Baby Monitors
Frequently Asked Questions: Internet-Connected Baby Monitor Security Research
What do I need to know? How serious is this? Who does this affect?
#IoTsec Disclosure: 10 New Vulnerabilities for Several Video Baby Monitors
Community.Rapid7.com blog post