Technology

Hacker 'shouts abuse' via Foscam baby monitoring camera

A hacker was able to shout abuse at a two-year-old child by exploiting a vulnerability in a camera advertised as an ideal "baby monitor".

ABC News revealed how a couple in Houston, Texas, heard a voice saying lewd comments coming from the camera, made by manufacturer Foscam.

Vulnerabilities in Foscam products were exposed in April, and the company issued an emergency fix.

Foscam said it was unable to provide a statement at this time.

However, a UK-based reseller told the BBC it would contact its entire customer database to remind them "the importance in setting a password to their cameras".

The spokesman added that it would be urging Foscam's head office - based in Shenzhen, China - to send out a memo to all its resellers suggesting they too contact their customers.

ABC reported that Marc Gilbert and wife Lauren were left shaken when they heard a "British or European accent" coming from the camera.

Mr Gilbert said the voice directed offensive, sexualised words at their daughter Allyson, who was asleep in bed.

The family believed the hacker was able to call the child by her name because it was spelt out on the bedroom's wall.

The two-year-old is deaf, something the couple described as "something of a blessing" in the circumstances.

It is not clear whether the family had updated the camera with the latest software.

'Kids room'

The BBC has found evidence of hackers sharing information on how to access insecure Foscam cameras via several widely-used forums.

Using specialist search engines, people can narrow their results by location.

On one forum, internet addresses for cameras - not all made by Foscam - were listed with descriptions such as "school/daycare?" and "kids room".

In April, security firm Qualys uncovered a weakness in Foscam's devices.

The company said that various attack techniques exposed the camera's remote monitoring access - the simplest of which was simply scraping Foscam's website for unique identifying codes for each customer.

Around two out of every 10 Foscam cameras monitored by the researchers were insecure, Qualys said - using just "admin" to log in, and requiring no password.

Foscam is not the only company to find itself the target of hackers. Last year, camera company Trendnet had to rush out an update to fix a security hole that left thousands of cameras exposed.

Fix issued

In June, Foscam issued a fix for some of the issues raised by Qualys. In a blog post, the company said it appreciated the "constructive criticisms and advice".

Visitors to the firm's homepage do not see any notice of the critical upgrade.

The company did however publish a blog post to publicise the patch, and users who had signed up to a firmware update newsletter should have been informed by email.

Foscam homepage
There is no mention of the critical patch on the company's homepage

Discussion forums on the Foscam website show several other customers having security problems with their devices.

User pianomama00 wrote: "My husband heard something in babies room.

"He went in and a guy started talking to him and said he wasn't a neighbour and lived in a different state! Be careful everyone!"

Another user criticised the firm's customer service, saying: "I can't call, can't chat online and I've sent email with no response."

A technical support number listed on the UK website remained on hold for 30 minutes when contacted by the BBC. A separate sales number gave an estimate of a "47-minute" wait to speak to an advisor.

A link to find out more information about the company and its location led to a broken page.

Foscam products in the UK are also sold under the trading name of GadgetFreakz - as well as being sold through Amazon.

A spokesman for GadgetFreakz said the company was looking at ways to better inform customers of the importance of setting secure passwords, adding that it prided itself on good customer service.

Follow Dave Lee on Twitter @DaveLeeBBC

More on this story