Law in the Internet Society
DRAFT 2 CAN BE FOUND HERE

Baby Monitors: Sacrificing Security for "Safety"

-- By AyeletBentley - 08 Oct 2019

Even before I walk into the apartment where I am babysitting the family is watching me. They’re not home but they see me on the “Ring” and text, “I see the nanny let you in.” Suddenly they appear on their video Alexa without warning and without me answering to explain the bedtime procedures for their 3-year-old. At bedtime she wants to listen to “Uncle Moishe.” Almost immediately her parents have turned it on from their phones. While sitting at a concert 60 blocks south they ignore Billy Joel, instead watching and listening to their daughter and me.

Constant parent surveillance started in my generation. Friends got busted for lying about their whereabouts when their parents tracked their phones. Sneak in after curfew? Good luck. Your phone, the “Ring,” the cameras inside are the nosiest neighbors. For concerned parents the gadgets of the internet age allow for a type of helicoptering like never before.

What if we told these concerned parents that with a few lines of python anyone can watch? Or that there are websites listing webcams that are set to the default passwords (or without passwords) that anyone on the internet can access?

Hacking is Easy

Accessing someone’s unsecured webcam isn’t difficult and sites like Shodan and Insecam make this easier. Bots randomly scan for unsecured devices, something that can be done across the entire internet in a matter of hours. If one runs a quick search on Shodan she can find a slew of web servers that use the username and password admin/admin or that can be accessed through a password found by googling “manufacturer default credentials.” These default credentials are conveniently assembled on ispyconnect.com’s “user guide.” Still other cameras can be accessed through known vulnerabilities such as Boa webcams. Boa has a vulnerability that allows you to reset the admin password. In 2015, security firm Rapid tested nine popular baby monitors for security. Eight of the nine got an F, the ninth a D minus. Despite the reporting on this in 2015, nothing has changed.

There have been accounts of mothers catching hackers hijacking the cameras. One mother noticed her baby monitor moving without anyone controlling it. She realized it was scanning the room and landing on her bed. Everyone who was supposed to have control was in the same room not moving the device. Others reported their baby monitors talking. One particularly disturbing case involves a hacker yelling at babies on baby cams.

If peeping Toms on the internet are watching through baby monitors, what comes next? Surely those who lived in Stalin’s Soviet Union would find bringing a device into your home that anyone can access foolish. Even if you aren’t worried about your own government, there is nothing stopping other countries from peeping too. This can allow for more targeted advertising, election campaigning, perfect price discrimination. Even if governments or companies aren’t themselves watching, the dangers of commodification of personal information are real.

The dangers of these insecure devices goes beyond concerns of creeps or the hypothetical 1984 sounding concerns of the government or companies watching, they can bring down the internet. In 2016 DNS provider Dyn was attacked by Mirai botnets which took down sites including Netflix, Twitter, and Spotify largely using IoT? devices (such as baby monitors) infected with malware. Hackers took complete control of the monitor. Further, baby monitors can grant a hacker access to the home network to get information from computers.

The Law

As is common with the law and the internet, the law hasn’t caught up with the baby monitors. Some have noted the right to privacy should apply here. What is more of a violation of privacy than someone watching you in your bedroom? Seeming natural applications of existing laws don’t go far enough to solve the problem. While applying peeping Tom laws to those watching over baby monitors could prosecute some people and give some justice to victims, avoiding prosecution wouldn’t be hard and it wouldn’t solve the problem. Security experts have proposed other solutions including regulation of baby monitors, allowing victims to sue the baby monitor companies, and hacking back.

Security experts have called on the government to get involved by regulating IoT? devices. Mikko Hypponen, chief research officer for F-Secure, for example, compared leaking WiFi? passwords to devices catching on fire: it shouldn’t happen and the government should make sure it doesn’t. Experts have proposed civil and criminal penalties for creating unsecure devices and laws requiring buyers to change the default password before the device can be used. Others, however, believe regulation would be useless because U.S. regulations won’t affect other countries.

Some have proposed allowing victims of baby monitor hacks to sue manufacturers or sellers of the monitors. The Mirai attack shows the widespread hacking of these devices and suggests the possibility of a class action suit. If companies are hit with hefty fines they would be incentivized to send shoddy security for IoT? devices the way of lead paint.

Still others have proposed a more radical solution: hacking back. Rob Graham, security researcher and hacker, suggested the NSA launch a proactive strike to knock compromised IoT? devices offline. Graham sees this as a solution to U.S. legislation being useless overseas. While that may be true, there are likely other Constitutional concerns with the NSA hacking into people’s devices to knock them offline.

Conclusion

This paper discussed the security concerns of hackers accessing baby monitors and what this could mean for commodification of personal data and access by companies and governments as well as widespread attacks. Other concerns with baby monitors go beyond the scope of this paper: children growing up constantly surveilled and the ethics of spying on your babysitter, to name a couple. Parents have begun to worry about sharing about their children on Instagram. A class action suit is currently going against Disney for scraping data from children’s video games. It is time parents become concerned about the safety devices they bring into their homes.

I think this draft is uncertain of its subject: is it baby monitors or the security of the Internet of Things, known among security professionals as the Internet of Shit? Most of your paragraphs are about the social context of child surveillance technology, but in the final paragraphs you say that only security (or rather, the insecurity of product design deliberately intended to compromise security for ease-of-setup in order to save manufacturers the cost of real after-sale support) is your subject. As to that, baby monitors are not much different from all the other IoS? gear; a discussion of the political economy of insecurity would better address the problem than a focus on a particular product category. The technology of child- and home-surveillance, on the other hand, raises questions about the intra- and interpersonal-psychology, sociology, economics etc. of family life in the "developed" world that far exceed issues of device and network security in their breadth and potential importance. The next draft should choose. I can see good reasons to pursue either path, and good results that can follow from it; my own bias in favor of the latter topic should not be relevant to your choice.

If you are, in the end, writing about the issue of Io[ST] security, you should read Bruce Schnier's Click Here to Kill Everybody (2018), the essential study, which Columbia University appears not to possess in its decaying libraries.


You are entitled to restrict access to your paper if you want to. But we all derive immense benefit from reading one another's work, and I hope you won't feel the need unless the subject matter is personal and its disclosure would be harmful or undesirable. To restrict access to your paper simply delete the "#" character on the next two lines:

Note: TWiki has strict formatting rules for preference declarations. Make sure you preserve the three spaces, asterisk, and extra space at the beginning of these lines. If you wish to give access to any other users simply add them to the comma separated ALLOWTOPICVIEW list.

Navigation

Webs Webs

r3 - 19 Nov 2019 - 16:40:20 - AyeletBentley
This site is powered by the TWiki collaboration platform.
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.
Syndicate this site RSSATOM