Questions about the software security of the increasingly diverse array of connected home devices were raised yet again in a recent attack targeting a Houston, Texas, couple and their two-year-old daughter. A hacker manipulated the baby monitor the couple used to keep an eye on their child, moving the camera around and cursing at both the parents and baby, ABC News reported.
The couple first noticed the attack when they heard noises coming from their daughter’s room, according to the news agency. They walked in to find their daughter – who is deaf and therefore remained asleep – being berated with abusive language by an attacker with what sounded like a European accent. The attacker then turned his attention to the parents, cursing them out.
“At that point I ran over and disconnected it and tried to figure out what happened,” the father, Marc Gilbert, told ABC News, which reported on the incident with alarm. “[I] Couldn’t see the guy. All you could do was hear his voice and [that] he was controlling the camera.”
Protecting household systems
The attack may have taken advantage of a security flaw, first reported in April, in many cameras, including those made by Foscam, the brand used by the Gilberts, according to GigaOM. While Foscam released a firmware update in June, it was unclear whether the Gilberts had installed it. GigaOM’s David Meyer suggested that the update was poorly publicized, particularly given the sensitive nature of usage scenarios for baby monitors.
While automatic or well-publicized software updates are important for ensuring successful patch rollouts, the underlying problem with incidents such as this baby monitor attack is that consumer devices are becoming increasingly exposed to outside parties, Meyer noted. As more smart devices come online, attackers are finding more forms of disruption, whether by taking control of security cameras, televisions or smart toilets.
“Today, we’re used to updating the firmware on our phones and maybe our TVs,” Meyer wrote. “Tomorrow, things could be a lot more complicated. And, as always, the balance between security and convenience will be key to making sure the internet of things doesn’t turn scary.”
For device manufacturers, this warning means taking greater care to secure electronics and avoid creating risks in the first place. By implementing a secure development lifecycle that includes tools such as static analysis software and checks such as peer code review, companies can catch errors that might leave their devices vulnerable to hackers before those flaws are released into the wild and cause panic.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.