On January 19, the Federal Trade Commission posted the results of a small study of baby monitor security, finding that four out of five devices tested did not have basic security procedures in place. The FTC warned that such weak security could allow a stranger to hack the video feed and see inside the home. The baby monitor study is the FTC’s latest foray into the Internet of Things (“IoT”) under the Office of Technology, Research and Investigation, which was launched in 2015.
The FTC notes that of the five monitors studied, only one required a complex password. Three of the five did not lock down the device after repeated incorrect password attempts. Two of the five did not encrypt the data flowing between the monitor and the router and one did not encrypt the data flowing between the router and the internet.
These vulnerabilities could allow a stranger to intercept video and audio signals to peer inside the homes of unsuspecting parents. Indeed, there have been several incidents in the past few years in which attackers used internet-enabled baby monitors to scream obscenities at toddlers or parents (reported here and here, for example). It is quite possible that many more incidents of baby monitors used silently as cameras have gone unnoticed.
The FTC post gives consumers tips on how to choose a baby monitor with adequate security, but did not identify the brands that were tested. There is no indication that the FTC is considering enforcement against any baby monitor manufacturers, but the Commission’s continued focus on the IoT is notable. The post follows closely on the heels of the FTC’s first PrivacyCon event in Washington, DC, during which Chairwoman Edith Ramirez’s opening remarks focused on “[t]he new generation of products we see in the marketplace—from smart appliances to connected medical devices to semi-autonomous cars….” Companies that manufacture internet-connected devices should continue to monitor FTC activity in this area while ensuring that their own products utilize appropriate security procedures.
Reporter, Tom Randall, Washington, DC, +1 212 556 2195, trandall@kslaw.com.