Few scenarios conjure up digital nightmares darker than a hacked, Internet-connected camera pointing at a baby's crib. After a string of incidents in which hackers have watched or even verbally harassed children through baby monitors, the devices have come to represent everything that's wrong with the Internet of things. Now New York City's consumer watchdog agency wants answers from the companies that make those inadvertent spy cams.
On Wednesday the New York City Department of Consumer Affairs launched an investigation into the baby monitor industry's hackable vulnerabilities, sending subpoenas to four companies—which the agency has declined to name for now—demanding information about their security practices. The subpoenas, according to the agency, demand to see evidence to back up claims that the companies make about the security of their devices, complaints they've received about unauthorized access to the cameras, their use of encryption on the devices, and their history of handling vulnerabilities discovered in the devices, including alerting customers, releasing patches, and whether those patches were actually implemented by the devices' owners.
If the companies aren't living up to the promises of security they've made in their marketing to consumers, the agencies could be hit with civil fines for deceptive marketing practices, says Consumer Affairs Commissioner Julie Menin. "This is a situation where parents purchase a video monitor intending for it to give them peace of mind…and instead what we're seeing is some terrifying instances of people hacking into them," Menin told WIRED in a phone call. "When these manufacturers say they keep your babies safe, and yet they're not taking precautions they need to protect families' data, that's a real problem, and it's deceptive marketing."
Baby monitors, of course, are only one example of security disasters that have resulted from the push to connect more consumer products to the Internet, extending from cars to medical devices to Barbie dolls. But the New York consumer protection agency says it's focused first on baby monitors due to the string of real-world hacking incidents affecting the devices that have gone beyond mere research. In 2013, for instance, a hacker accessed a Houston family's baby monitor to shout at a 2-year-old, calling her a "slut." Last year, an Indiana family was horrified to find a hacker playing "Every Breath You Take" at their 2-year-old, followed by "sexual noises." "This isn't a theoretical list," says Menin. "This an actual list of reported complaints."
Menin says her agency has consulted with security researchers about the baby monitors' security flaws. The investigation was triggered in part by those white-hat hackers' findings, including a report by security firm Rapid7 last year that found nine different brands of baby monitor were vulnerable.
In addition to its investigation into the baby monitor vendors, the agency has also posted a list of tips for consumers to avoid their own baby monitor intrusion horror stories. They advise consumers to read about the security of a device before purchasing it, use a strong password, register the device, download software updates, and turn the monitors off when they're not in use.
That list of tips follows a similar post from the Federal Trade Commission just last week—a sign that the awareness of insecure baby monitors is hardly limited to the city government level. In fact, in 2013 the FTC settled a lawsuit against baby monitor vendor TRENDnet, who left hundreds of thousands of consumers' cameras publicly accessible online. But as the New York investigation shows, the problem of baby monitor insecurities is far from resolved, and a few more device sellers may be due for a slap.