(CNN) — An unknown hacker apparently gained access to a 2-year-old girl’s baby monitor, calling her by name and harassing her, and her parents, with insults and profanity.
A couple in suburban Houston, Texas, told CNN affiliate KTRK that, over the weekend, they heard a strange voice in the bedroom shared by their two toddlers. When they got there, Marc Gilbert said they realized the voice was coming from the Web camera they use to keep tabs on the children.
What they heard next was ugly.
“He said, ‘Wake up Allyson, you little slut,’ ” Gilbert said. He said the hacker, who had a British or European accent, may have read her name on a wall in the bedroom.
When he and his wife Lauren arrived, Gilbert said, the camera swiveled to face them. The hacker proceeded to call him a “stupid moron” and his wife a bitch, Gilbert said, before he unplugged the camera.
The only positive about the situation, he said, is that Allyson never woke up. She was born deaf and has cochlear implants to help her hear, which she was not wearing while sleeping.
“I felt like somebody broke into your house,” Gilbert said. “As a father, I’m supposed to protect her against people like this. So it’s a little embarrassing to say the least, but it’s not going to happen again.”
Baby monitors, particularly those with video capabilities, have been shown in the past to be vulnerable. Video monitors can broadcast to TVs and hand-held receivers, or over Wi-Fi to computers, smartphones and tablets.
In 2009, an Illinois family sued the manufacturer of its monitor after they discovered that they and their neighbors could monitor each other’s feeds.
Some newer models have technology that jumps from frequency to frequency, making them more secure, while older monitors do not.
Security experts warn parents to make sure to enable passwords for baby monitors and Web cameras. Most new models are equipped with that ability, they say.
Experts like Lisa Vaas of the Sophos Security blog also say to make sure home Wi-Fi and routers are password-protected.
“Those who can’t figure this out should ask for help from somebody with security expertise — somebody they trust with the safety of extremely precious things,” Vaas said.
In comments on the KTRK article about the hack, Marc Gilbert said he did take basic security precautions: “The router was password protected and the firewall was enabled. The IP camera was also password protected,” he said.
“Of course, devices may well be protected by passwords, but default passwords that haven’t been changed are like having no password at all, as other commenters pointed out,” wrote Vaas on the Sophos Security blog.
Multiple security experts have identified the camera model shown in the Houston news report as a Foscam FI9821P. A FAQ page on the manufacturer’s site lists the default user name and password — both “admin” — for the camera, as well as the default port used to connect it to the Web.
Altering those default settings “with a non-trivial password would make the device far more difficult to access, and probably too much trouble to bother with,” wrote technology and security analyst Larry Seltzer for tech blog ZDNet. “If you want to go even further and make it really hard for attackers, you can change the default port.”
Seltzer said that anyone on the Internet could build a scanner that would find cameras still hooked up to their default port. They could then check those cameras to see if they still open using the default password.
“This is almost certainly what happened,” he wrote.
Earlier this year, researchers at security firm Qualys used the Foscam in a demonstration of how Web-enabled cameras can be exploited.
Foscam did not immediately respond Wednesday to a message seeking comment for this story.