A Blog about the Internet of Things | Softeq

Security by Design: How to Create Hack-proof Baby Tech Solutions

Written by Vera Solovyova | Jul 28, 2020 2:18:56 PM

Although the Internet of Things opens the door to a new lifestyle and propels all industries forward, it comes with a considerable cybersecurity risk that cannot be taken lightly. According to the 2020 Unit 42 IoT Threat Report , 98% of all IoT device traffic is unencrypted, which means all the data users send over the Internet can be intercepted by cybercriminals.

57% of IoT devices are vulnerable to medium or high-severity attacks, including remote code execution, DDoS, phishing, and attacks stemming from default device passwords and credential reuse. All of this makes IoT low-hanging fruit for would-be criminals. The graph below gives a breakdown of the top IoT security threats:

Security cameras are the most vulnerable IoT gadgets, constituting nearly half of all cyberattacks. Smart hubs and network-attached storage devices come in second with 15% and 12%, respectively. Other types of devices that often fall victim to cybercriminals include printers, smart TVs, and IP Phones. 

What about baby care devices—baby monitoring cameras, smart cribs, wearable devices, and smart toys? One might think they never register on cybercriminals' radar. However, that’s not exactly true.

Security Flaws in Connected Baby Care Solutions

Digital-first parents have the assumption that smart baby gadgets are hack-proof, thinking they should be secure by default. The thing is, smart Baby Tech solutions are hardly different from your average IoT device. The consequences of cyberattacks targeting connected cribs, smart socks, and baby monitors can range from mild, such as the loss of confidential data, to catastrophic—i.e., strangers spying on innocent families around the clock and broadcasting creepy messages to their children.

In 2018, a family in Houston started receiving threats via a wireless camera that was primarily used to monitor a baby. Once the family realized they had been hacked, they turned their cameras and Wi-Fi off. 

One Lowcountry family was spied on by strangers the same year. Their baby monitor was compromised, and the small device run by an app was watching the family 24/7. The police said it’s a common issue with baby monitors that use Wi-Fi. 

A similar case happened one year later in Seattle. A stranger hacked a baby monitor and used it to peer around a home remotely and tell a 3-year-old child "I love you." 

A well-known kid’s tablet LeapFrog was also a target for malicious activities. The tablet allowed hackers to send messages to children and launch man-in-the-middle attacks. 

To avoid such problems, experts recommend that users change passwords regularly and install firmware updates issued by device manufactures. 

Why Baby Tech is Vulnerable, and How to Keep Connected Devices and Family Data Secure 

A compromised Baby Tech solution gives cybercriminals full access to—and full control over—connected devices that monitor a child's health and well-being. Wide-open code, weak default passwords, and unsecured Wi-Fi are the major Baby Tech soft spots exploited by attackers.

Both end users and companies eyeing the burgeoning Baby Tech market should consider the security of connected baby gadgets as their top priority.

When building a connected baby device, it is essential to:

  • Release updates of embedded and mobile software, as well as cloud infrastructure regularly and create security patches     
  • Prohibit users from creating short hackable passwords and keep passwords encrypted     
  • Deploy end-to-end data encryption 
  • Equip Baby Tech solutions with biometric authentication or set up a two-factor authentication
  • Implement intrusion detection and prevention (IDS/IPS) systems
  • Validate and encode all input data 
  • Configure a firewall and install security plugins 
  • Make sure the solution is compliant with cybersecurity standards and requirements, such as HIPAA, HL7, FDA, PCI DSS, GDPR, and FedRAMP

How to Incorporate Security into Baby Tech Solution Design

To identify security threats and inspect them, engineers should model attack trees and conduct a fault tree analysis. 

Attack trees are diagrams used to describe threats posed to IT systems. They are built to see all possible ways in which a system can be attacked, mitigate ROI and profit for potential cybercriminals, make hacking more complicated, and design countermeasures to thwart attacks.

 

Security engineers should be aware of common cyberattacks targeting Baby Tech. This will help to better protect a connected baby gadget by choosing appropriate countersteps.

The most widespread attacks are:

  • Mirai IoT botnets
  • DDoS attacks
  • Security failures that range from a lack of data encryption to missing encryption certificate validations
  • Attacks targeting baby cameras and baby monitors that use peer-to-peer (P2P) communication technology
  • Man-in-the-middle attacks
  • Attacks on weak or hardcoded passwords
  • Authentication issues: protocols that do not require authentication between a parent’s device and a child’s device
  • Issues with HTTP protocols: outgoing traffic from the device is not encrypted using HTTPS but instead the clear-text and less secure HTTP protocol is used

GATED CONTENT

  • Mirai IoT botnets
  • DDoS attacks
  • Security failures that range from a lack of data encryption to missing encryption certificate validations
  • Attacks targeting baby cameras and baby monitors that use peer-to-peer (P2P) communication technology 
  • Man-in-the-middle attacks
  • Attacks on weak or hardcoded passwords
  • Wi-Fi issues: Ad-Hoc connections that broadcast to other compatible devices nearby using a simple SSID
  • Authentication issues: protocols that do not require authentication between a parent’s device and a child’s device
  • Issues with HTTP protocols: outgoing traffic from the device is not encrypted using HTTPS but instead the clear-text and less secure HTTP protocol is used
 

Developers should conduct a fault tree analysis to determine different combinations of hardware, software, and human errors that could cause system failure. Competing companies may turn to the fault tree analysis to eliminate rivals in unfair market competition: hackers analyze how a system can fail and identify optimum ways to attack their rival’s product. 

Cybersecurity risks must also be mitigated at every stage of the development process. Starting in the design phase, the solution requirements should be documented with security in mind. Developers specializing in cybersecurity should be responsible for the security functions, while non-security functionality should be delegated to the rest of the team. 

During the development phase, engineers implement the security features and follow security rules defined in the solution requirements document. Since IoT solutions incorporate firmware/hardware, connectivity technologies, and user-facing apps, each of these components should be crafted with cybersecurity on the priorities list. 

Firmware/Hardware

When developing firmware, rely on the security frameworks investigated and improved by security experts, and make sure your firmware is up to date. Use a digital signature as a reliable verification tool. This should be incorporated into the firmware at its origin and read by the receivers using a private key. On the hardware level, install custom hardware security modules (HSMs) and tokens, and provide hardware authentication features, as well as features supporting secure boot. 

Connectivity

To rest assured a baby gadget is free of vulnerabilities, use secure connectivity protocols, ensure safe connection to the device at each entry point, and support secure data exchange via multi-factor authentication, bonding, data encryption, and device management.

Mobile Apps

Mobile apps enable on-the-go access to data generated by a gadget and act as remote control tools. To avoid data breaches, turn to high-level data encryption, use authorized APIs, and biometric authentication.

Take-home Message

Modern parents are positively geeking out over baby technology, so the demand for smart baby gear is increasing. But as the connected device market grows, so too does security vulnerability and the risk of hacking. Vendors should not neglect security principles and put a particular focus on protecting kids from hackers to avoid devastating consequences.