Law in the Internet Society
Even before I walk into the apartment where I am babysitting the family is watching me. They’re not home but they see me on the “Ring” and text, “I see the nanny let you in.” Suddenly they appear on their video Alexa without warning and without me answering to explain the bedtime procedures for their 3-year-old. At bedtime she wants to listen to music. Almost immediately her parents have turned it on from their phones. While sitting at a concert 60 blocks south they ignore Billy Joel, instead watching and listening to their daughter and me.

Constant parent surveillance started in my generation. Friends got busted for lying about their whereabouts when their parents tracked their phones. Sneak in after curfew? Good luck. Your phone, the “Ring,” the cameras inside are the nosiest neighbors. For concerned parents the gadgets of the internet age allow for a type of helicoptering like never before.

What if we told these concerned parents that with a few lines of python anyone can watch? Or that there are websites listing webcams that are set to the default passwords (or without passwords) that anyone on the internet can access?

Hacking is Easy

Accessing someone’s unsecured webcam isn’t difficult and sites like Shodan and Insecam make this easier. Bots randomly scan for unsecured devices, something that can be done across the entire internet in a matter of hours. If one runs a quick search on Shodan she can find a slew of web servers that use the username and password admin/admin or that can be accessed through a password found by googling “manufacturer default credentials.” These default credentials are conveniently assembled on ispyconnect.com’s “user guide.” Still other cameras can be accessed through known vulnerabilities such as Boa webcams. Boa has a vulnerability that allows you to reset the admin password. In 2015, security firm Rapid tested nine popular baby monitors for security. Eight of the nine got an F, the ninth a D minus. Despite the reporting on this in 2015, nothing has changed.

There have been accounts of mothers catching hackers hijacking the cameras. One mother noticed her baby monitor moving without anyone controlling it. She realized it was scanning the room and landing on her bed. Everyone who was supposed to have control was in the same room not moving the device. Others reported their baby monitors talking. One particularly disturbing case involves a hacker yelling at babies on baby cams.

If peeping Toms on the internet are watching through baby monitors, what comes next? Surely those who lived in Stalin’s Soviet Union would find bringing a device into your home that anyone can access foolish. Even if you aren’t worried about your own government, there is nothing stopping other countries from peeping too. This can allow for more targeted advertising, election campaigning, perfect price discrimination. Even if governments or companies aren’t themselves watching, the dangers of commodification of personal information are real.

The dangers of these insecure devices goes beyond concerns of creeps or the hypothetical 1984 sounding concerns of the government or companies watching, they can bring down the internet. In 2016 DNS provider Dyn was attacked by Mirai botnets which took down sites including Netflix, Twitter, and Spotify largely using IoT? devices (such as baby monitors) infected with malware. Hackers took complete control of the monitor. Further, baby monitors can grant a hacker access to the home network to get information from computers.

The Law

As is common with the law and the internet, the law hasn’t caught up with the baby monitors. Some have noted the right to privacy should apply here. What is more of a violation of privacy than someone watching you in your bedroom? Seeming natural applications of existing laws don’t go far enough to solve the problem. While applying peeping Tom laws to those watching over baby monitors could prosecute some people and give some justice to victims, avoiding prosecution wouldn’t be hard and it wouldn’t solve the problem. Security experts have proposed other solutions including regulation of baby monitors, allowing victims to sue the baby monitor companies, and hacking back.

Security experts have called on the government to get involved by regulating IoT? devices. Mikko Hypponen, chief research officer for F-Secure, for example, compared leaking WiFi? passwords to devices catching on fire: it shouldn’t happen and the government should make sure it doesn’t. Experts have proposed civil and criminal penalties for creating unsecure devices and laws requiring buyers to change the default password before the device can be used. Others, however, believe regulation would be useless because U.S. regulations won’t affect other countries.

Some have proposed allowing victims of baby monitor hacks to sue manufacturers or sellers of the monitors. The Mirai attack shows the widespread hacking of these devices and suggests the possibility of a class action suit. If companies are hit with hefty fines they would be incentivized to send shoddy security for IoT? devices the way of lead paint.

Still others have proposed a more radical solution: hacking back. Rob Graham, security researcher and hacker, suggested the NSA launch a proactive strike to knock compromised IoT? devices offline. Graham sees this as a solution to U.S. legislation being useless overseas. While that may be true, there are likely other Constitutional concerns with the NSA hacking into people’s devices to knock them offline.

Conclusion

This paper discussed the security concerns of hackers accessing baby monitors and what this could mean for commodification of personal data and access by companies and governments as well as widespread attacks. Other concerns with baby monitors go beyond the scope of this paper: children growing up constantly surveilled and the ethics of spying on your babysitter, to name a couple. Parents have begun to worry about sharing about their children on Instagram. A class action suit is currently going against Disney for scraping data from children’s video games. It is time parents become concerned about the safety devices they bring into their homes.

Navigation

Webs Webs

r12 - 08 Oct 2019 - 12:52:49 - AyeletBentley
This site is powered by the TWiki collaboration platform.
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.
Syndicate this site RSSATOM