How Secure Is a Smart Baby Monitor? Finding Out Is Far Too Difficult

Writing in Tech Policy Press, OTI's Nat Meysenburg argues consumers have far too little information to make informed decisions about their privacy when choosing to use Internet of Things devices. Smart baby monitors, for example, collect a great deal of sensitive information, yet little transparency from manufacturers means parents are mostly in the dark about the security of their children's data.

When it comes to privacy and security, the IoT is somewhere between a mess and a dumpster fire. One effort to raise the bar is the Digital Standard, an open-source framework for evaluating the privacy and security of connected consumer products. As part of a project to create a testing handbook for use with this standard, my organization, the Open Technology Institute, recently tested a connected baby monitor against the Digital Standard’s protocols.

What we found was troubling. The monitor regularly contacted a server in Beijing that did not belong to the manufacturer of the baby monitor itself. The amount of data being sent was small, and this communication could be nothing more than part of how the monitor and app find each other. But detailed examination of this communication did not reveal what the monitor is sending, and why. These kinds of relationships with third-party providers are common in IoT devices, but rarely disclosed or openly discussed. Even if there is nothing of value being sent, not knowing if or why your baby monitor is regularly communicating with servers in China, or anywhere, is cause for concern.

Outside of the FCC compliance stamp on the back of all electronic devices, IoT products are not required to undergo testing against common standards. Without a fair amount of expertise, a lot of time for digging, a tolerance for voiding warranties, and a willingness to break things, there is really no good way to know if a baby monitor contacts third-party servers or is vulnerable to security threats. This leaves the average parent with no meaningful way of knowing what bits of information are leaving the nursery, or how vulnerable the monitor is to attack.