As any new parent will tell you, baby monitors are important. They let you keep a close eye on your most precious cargo as it rolls around in the crib and they even let you talk to the little tyke. But you might not be your baby’s only audience.
Some smart baby monitors have crucial security flaws that allow hackers to take over, sometimes watching and even interacting with your child. The popular iBaby family of internet-connected cameras recently joined this club when a cybersecurity company found vulnerabilities in its M6S model. Almost a year after being contacted about the bug and three days after this article was originally published, iBaby Labs fixed the issue.
This might make you wonder: Is the sense of security these monitors provide parents worth dealing with the actual security vulnerabilities many of them have? There are also questions about AI-outfitted baby monitors designed to offer “life-saving” features that might actually create more anxiety for parents than they relieve. Maybe, in the face of all this new tech, it’s time to cut the 21st-century umbilical cord.
iBaby apparently doesn’t care about security warnings
Bitdefender, the aforementioned security company, just released the results of its research on the iBaby device as part of its partnership with PCMag. The report details several ways potential hackers can remotely access iBaby’s monitors. They include giving hackers the ability to download recordings, to find the camera’s device ID, to pull users’ personal information using that ID, and even to control the camera.
Alex Jay Balan, chief security researcher for Bitdefender, told Recode that iBaby “should have a relatively easy time fixing these” problems. However, when Bitdefender notified iBaby that its M6S smart baby monitor contained potential vulnerabilities that give hackers access to baby videos, its response was initially a whole lot of nothing. It was only after Bitdefender, PCMag, and others made the issues public that iBaby fixed the vulnerabilities.
Starting in May 2019, Bitdefender made multiple attempts to contact iBaby and inform the company of the vulnerabilities so the company could fix them before they became public. Bitdefender told Recode that it was never able to get in touch with iBaby, and so those issues remained unsolved when the company published its report. Recode had similar difficulty reaching iBaby; its press email bounced back and a call to the support line went to voicemail that, more than 24 hours later, still was not returned.
iBaby did reply to an email sent to its support email address, but the response appeared to be a form letter with assurances that the safety and comfort of “your family and precious baby” was iBaby Labs’ No. 1 priority. It then linked to a statement from September 2015 that, in addition to a promise of encryption, reads, “Our monitors are hosted by Amazon Servers, therefore, the security is very high equivalent to military security.” The letter was signed by Elnaz Sarraf, who is identified as iBaby’s co-founder and president. She left the company in 2017.
The initial lack of response is especially surprising considering iBaby’s prominent place in the baby monitor market. The iBaby Monitor M6S camera, the model with the reported vulnerabilities, was once a top Wirecutter recommendation, and CNN recently proclaimed its M7 model to be the best wifi baby monitor. It’s also currently marked as “Amazon’s Choice.”
“Companies with high accountability (most recently Ring/Amazon) reply instantly, and they’re very cooperative,” Balan said. “Most others, however, don’t have a security contact.”
Three days after the report on its M6S monitor was released, iBaby told Recode that it had “taken a few measures” to fix the vulnerabilities and found that there were no data breaches. Bitdefender confirmed the fixes to PCMag. iBaby also said a firmware update will be released to improve its security “soon” and that it would notify customers when it came out.
Smart baby monitors are increasingly popular targets for hackers
Like Ring cameras, baby monitor hacks tend to expose some of our most sensitive information. The cameras are often internet-connected, and they’re in our homes, recording our daily activities, giving voyeurs the chance to watch and even communicate with our children. This potential for abuse is perhaps what makes smart baby monitors such attractive targets to bad actors, and it’s also why repeated instances of lax security features on baby monitors are so unsettling.
In recent years, smart baby monitor vulnerabilities and the hacks they make possible have made quite a few headlines. A Seattle couple reported last November that their Fredi brand baby monitor got hacked, causing the camera to scan their home. An unidentified voice even said “I love you” to their 3-year-old child. In December 2018, a Nest camera shouted sexual expletives and threatened to kidnap the baby. And a Minnesota couple was horrified to find photos of their baby from their hacked monitor on another website in 2015.
“It’s not easy to say why some of the cameras don’t do a better job of protecting user’s data,” David Choffnes, an associate professor in computer science at Northeastern University who has studied smart camera security, told Recode. “Often it manifests from a gap between knowing what are best practices and correctly implementing them on devices.”
As is often the case with technology, you get what you pay for. “In the end, many consumers purchase devices based on price, not security,” Choffnes added. “Until that changes, the incentives are not in place to have more security by default.”
That said, the vast majority of smart baby monitors don’t get hacked at all, so the odds are pretty good that your baby will make it through toddlerhood without being spied on by someone other than you. As with any internet-connected device, the chances of a hack are never nil. There are non-connected baby monitor alternatives, however, that mitigate that risk. More on that in a second.
Do AI-equipped baby monitors and “smart socks” save lives or make them worse?
While it seems reassuring not only to hear your slumbering baby but also to watch them breathe, there’s evidence that some of the newest and highest-tech devices may create more anxiety than they alleviate — and that monitor manufacturers are using that anxiety to cash in.
Take, for example, the new AI-enabled surveillance software that monitors your baby’s face for signs of distress, then alerts parents if it detects any trouble. Or take the AI baby monitor called Cubi. This gadget claims to be “the world’s smartest baby monitor” and will send you push notifications with updates when your child cries or rolls over onto their face. Cubi aggressively markets its device as a system that “saves babies’ lives.”
Then there’s the Nanit Sleep System, which claims not only to monitor your sleeping baby but also to detect the quality and time of their sleep. A company called Owlet makes something called a “smart sock” that wraps around your baby’s foot and supposedly measures your baby’s heart rate, oxygen levels, and sleep. There’s also the Sproutling smart anklet, which offers all of those measurements as well as baby temperature, ambient noise level, and data on your baby’s movements.
While this data can be an attractive selling point for new parents, some experts doubt that super-smart baby devices are necessary, and there’s not currently any scientific evidence that suggests otherwise.
“We have the technology to do this kind of constant surveillance and hyper-monitoring, and maybe some of these technologies will help or save one kid,” Kim Brooks, the author of Small Animals: Parenthood in the Age of Fear, recently told the Washington Post. “But what we don’t talk about is the cost. It’s driving parents insane.”
So, what’s best for you and your baby?
Look, we’ve all got different priorities and concerns. If your primary issue is protecting your baby monitor from hacks, the solution is easy: Go analog.
In the days of old, parents used radio-powered walkie-talkies to monitor their children from afar, which provided audio cues of potential trouble. These gadgets were not connected to the internet, and they didn’t have video. Before that, parents just used their own ears and hoped for the best. Were these better methods? That depends on what makes you more nervous: not being able to see your baby at all times or owning an internet-connected video camera that could malfunction or, in rare instances, give a random hacker access to your home.
As with buying anything, finding the right device with the right amount of features — including connectivity and AI — involves careful research. Wirecutter offers in-depth reviews, though we should also remind you that the once hackable iBaby M6S made its list. Wired has picks for several types of baby monitors, including audio-only and internet-free devices. Meanwhile, Lifehacker recommends staying away from wifi models entirely.
But if after all of this, your heart is still set on a smart baby monitor or sock, try to find a device that lets you set your own password and offers two-factor authentication. Also, be sure to keep current with security updates, since they may include vulnerability patches.
Choffnes, the security camera expert, doesn’t use an internet-connected baby monitor for his toddler.
“Given the potential risks of devices being hacked — and the numerous news stories about it happening — and the lack of any benefits I perceive from having an internet connection, I can’t justify purchasing such devices,” Choffnes said. “Except for testing in my lab.”
Update, March 4, 2020, 12:45 pm ET: This piece as been updated to include iBaby’s response and clarified that the security issues have been resolved.
Open Sourced is made possible by Omidyar Network. All Open Sourced content is editorially independent and produced by our journalists.