Abusing the Internet of Things

like these, monitoring devices can be abused by malicious entities to surreptitiously monitor conversations between adults remotely, leading to a loss of privacy.

In the case of the WeMo devices, it is clear that design principles led to a situation in which the privacy of a given monitoring device is at risk from anyone who might have one-time access to the local network. And as we saw with the Foscam devices, it is easy for anyone to find hundreds of thousands of exploitable IoT monitoring devices using a service like Shodan.

We've learned the importance of security the hard way when it comes to software, and we are at risk of committing the same mistakes in IoT devices. We've learned not to trust other devices on the local network. We've learned to build secure processes into the development lifecycle, so that code bugs that offer simple ways to bypass authentication don't occur. Companies building devices such as baby monitors must make it a habit to build security in from the get-go, from designing secure use cases and architectures to making sure the source code is checked for vulnerabilities.

Monitoring devices, especially ones like those discussed in this chapter, must allow security patches to be applied seamlessly. Otherwise, we will only continue adding devices in their millions onto the Internet that will remain unpatched and exploitable. In the case of the Foscam devices, the process to apply a critical security patch was so cumbersome that few parents actually made the effort to do so. Consumers of such devices should demand a smoother process by supporting manufacturers that implement software updates seamlessly.


CHAPTER 3: ASSAULTING THE RADIO NURSE—BREACHING BABY MONITORS AND ONE OTHER THING
