Dear Target: Please help make baby monitors safer

Stories of cybercriminals talking to children or watching in on a nursery are enough to turn our stomachs. Yet despite five years of headlines and warnings from experts, manufacturers have done little to make baby monitors more secure (1). The rise of connected and so-called ‘smart’ baby monitors is exacerbating the problem.

Manufacturers depend on retailers to sell their products, so if a company like Target makes it clear that security is a priority, manufacturers are much more likely to pay attention. We know that retailers are more sensitive to what customers think. We know that Target has already stopped selling the Cayla doll that was banned in Germany because of security concerns. Will you call on Target to put our security first?

We’re asking Target to commit to asking if a device a) uses encryption (industry standard to safeguard communications), b) has strong passwords and c) is updatable, so if a security weakness is found it can be fixed. These requirements won’t guarantee that baby monitors are completely secure, but they will help make egregious security practices much less likely.

(1) 2013: "Tex. Couple Nervous After Baby Monitor Hacking," Good Morning America; 2015: "Several baby monitors vulnerable to hacking, cybersecurity firm warns," CBS News; 2017: "Growing concerns over security of baby monitors as more families report 'hacking'," Seven News.

Want to dig into more details? Read the full petition text here:

Dear Target,

We’re asking you to take a leadership role when it comes to safeguarding the security of consumers. Families rely on baby monitors for peace of mind and the devices are often marketed to parents as safety devices. Many of these devices are ‘connected’ or supposedly ‘smart.’

Sadly, these products have been plagued with security failings that can lead to hackings that leave families feeling violated. What’s worse is that this isn’t new. Security failings in these devices have been noted by experts and splashed across headlines for years.

Will you show that you stand with new families by pledging to ask manufacturers three simple security questions before agreeing to stock their products on your shelves? The questions are:

1) Is it encrypted?

The product should encrypt local communication, so that someone sitting outside a customer’s house cannot snoop on it. If the product can connect to the Internet, those connections should also be encrypted, so that no one can snoop on consumers’ internet connections.

2) Does it take authenticated updates?

If the software cannot take updates, then security vulnerabilities might be found but could not be fixed, leaving the device vulnerable. Experts recommend these updates be authenticated (so the device cannot be updated maliciously) and automatic (since users won’t likely remember to update IoT devices manually).

3) Does it use default passwords? (It shouldn’t)

Devices that require an account but ship with insecure default credentials (for example, a default user name of Username and a default password of Password) can be left vulnerable because users will often not change the default. (Derived from BITAG.)

Your leadership here would send a signal across the industry and ensure that manufacturers begin fixing some of these underlying security flaws instead of repeating the same mistakes over and over again.

Thank you, the undersigned:
