Wi-Fi baby heart monitor may have the worst IoT security of 2016

Not long ago, top computer security researcher Jonathan Zdziarski was blessed with a new baby and did what a lot of parents do – spent money on gizmos to keep an eye on it.

One of the devices was an Owlet – a sensor that babies wear in a sock that monitors their heartbeat and relays that data wirelessly to a nearby hub. This internet-connected home unit can then ping out an alert to the parent's smartphones if anything is amiss.

Zdziarski told The Reg that his suspicions about the device were first raised when he looked at the end-user license agreement, which has a big section indemnifying the company from litigation if the device malfunctions and the wearer dies. But he found even more worrying details when he started examining the device's code.

The Owlet base station encrypts data sent to and received from the manufacturer's servers, which contact parents' phones if needed. But the ad-hoc Wi-Fi network linking the base station to the sensor device is completely unencrypted and doesn't require any authentication to access.

If you're within range, you can snoop on the base station's wireless network, and meddle with it. That's right, the base station creates its own unlocked Wi-Fi network that the sensor (and anyone else) can join.

A single unauthenticated command over HTTP can make the Owlet base station leave your home Wi-Fi network and join one of your choosing; you can also take control of the system and monitor a stranger's baby and prevent alerts from being sent out.

It's just another drop in an ocean of insecure gadgets and gizmos we're all drowning in. It's further evidence we're in an epidemic of slap-dash security in embedded engineering.

Getting your neighbor’s @owletbabycare baby vital signs monitor to quit their network and join yours in one easy command, with no password… pic.twitter.com/MV1DEzX0b6

— Jonathan Zdziarski (@JZdziarski) October 12, 2016

"This would be simple to do by someone scanning port 80 [on the Wi-Fi network], which the base station is locked into using," he said. "The whole interface is non-authenticated, so if you go into the IP address for the base station you can delete specific Wi-Fi networks, disconnect the Wi-Fi altogether, and ultimately break the alerts."

He also found some serious design flaws. If the monitoring sock falls off the baby's foot an alert goes off that something is wrong. After the worried parent rushes in and just puts the sock back on, the device doesn't reset itself. It remains dormant unless the parent reenables it, he said.

Zdziarski also said that, based on a quick examination of the code, there didn't appear to be a software update mechanism in place to fix these issues. Owlet has since told The Reg that there is an update mechanism that the company uses regularly.

"The safety, security and privacy of our customers are of the utmost importance to us. We are aware of the report on Twitter, and our data team is working closely with this individual to better understand his concerns and ensure we continue to provide value to parents," an Owlet spokeswoman told us.

"At this time, what we can share is that we are connecting our data team with Mr Zdziarski so they can work closely with him to understand his concerns and what he's identified." ®