How Secure Is a Smart Baby Monitor? Finding Out Is Far Too Difficult
Nat Meysenburg / Mar 4, 2021
Parents have placed baby monitors crib-side for decades, buying the tech-enabled peace of mind that comes with knowing, from a distance, if their baby is safe. Like many other products in the past decade, baby monitors have moved past their analog roots, connected to your wifi network, and joined the Internet of Things (IoT). Now, they’re part of a constellation of home surveillance devices gathering huge amounts of private information.
For those whose memory of a baby monitor resembles the ubiquitous walkie-talkie styled one-way radio that was a fixture of the 1980s nursery, the array of new features may be dizzying. Most new baby monitors are wifi-connected and controlled through smartphone apps. Many include options like movable cameras, infrared night vision, room humidity and temperature readings, and monitoring of the baby’s breath, movement, heart rate, temperature, and more. Some allow you to record video and save it to the cloud, and some will even analyze the footage for you.
There have long been complicated privacy questions around baby monitors. It is hard to imagine something more private than what happens in a small child's bedroom, and a baby monitor’s basic function is to broadcast these moments. Over time, these broadcasts expanded from audio to video, and from local live listening and viewing to internet storage of footage and health data. Where parents used to face only a small risk of nearby snoops, connected monitors expand their concerns to include tech companies, data brokers, and intrusions from anywhere on the internet.
The analog baby monitors of previous decades were notoriously susceptible to eavesdropping from nearby devices like cordless phones, walkie-talkies, and other baby monitors, all of which operated on the same radio frequencies. However, the ability to listen to neighbors’ devices was limited. These radio signals didn’t go very far, and were easily blocked by walls and trees. The privacy trade-off, then, was straightforward; there was a small risk your neighbors could listen in. For many, convenience and peace of mind were worth it.
Connected baby monitors change the equation dramatically. Baby monitors are technically similar to home surveillance products, and are often now made by home security companies. This move from a market focused on children’s products to one focused on connected surveillance products creates a real possibility that data from baby monitors could be fed as training data into algorithms for other surveillance devices. A notion of “save everything” common to the IoT has found its way into baby monitoring.
When it comes to privacy and security, the IoT is somewhere between a mess and a dumpster fire. One effort to raise the bar is the Digital Standard, an open-source framework for evaluating the privacy and security of connected consumer products. As part of a project to create a testing handbook for use with this standard, my organization, the Open Technology Institute, recently tested a connected baby monitor against the Digital Standard’s protocols.
"Not knowing if or why your baby monitor is regularly communicating with servers in China, or anywhere, is cause for concern."
Nat Meysenburg, technologist at New America's Open Technology Institute
What we found was troubling. The monitor regularly contacted a server in Beijing that did not belong to the manufacturer of the baby monitor itself. The amount of data being sent was small, and this communication could be nothing more than part of how the monitor and app find each other. But detailed examination of this communication did not reveal what the monitor is sending, and why. These kinds of relationships with third-party providers are common in IoT devices, but rarely disclosed or openly discussed. Even if there is nothing of value being sent, not knowing if or why your baby monitor is regularly communicating with servers in China, or anywhere, is cause for concern.
Outside of the FCC compliance stamp on the back of all electronic devices, IoT products are not required to undergo testing against common standards. Without a fair amount of expertise, a lot of time for digging, a tolerance for voiding warranties, and a willingness to break things, there is really no good way to know if a baby monitor contacts third-party servers or is vulnerable to security threats. This leaves the average parent with no meaningful way of knowing what bits of information are leaving the nursery, or how vulnerable the monitor is to attack. Such fears are not academic. News stories of hacked baby monitors, with attackers terrorizing families, are easy to find online.
Aside from wondering about unknown third-party companies and attackers having access to sensitive data, there are related questions about where data held by manufacturers goes. There is no clear legal limit on how long companies are allowed to keep data. We don’t yet know what could happen to this data in twenty or thirty years. However, given the frequency and severity of data breaches, there is a real risk that the companies holding a lot of this data will eventually lose control of it due to some combination of carelessness, ineptitude, technical failure, legal action, and hacking.
Unlike an adult who chooses to wear a FitBit, infants aren’t participating voluntarily. While that might be okay during infancy, monitored babies will grow up to live in the digital shadow that was created for them.
The unquestionable utility of baby monitors has made them commonplace in parenting. But many parents may not even be aware of the many internet-age risks to privacy that baby monitors and cloud data storage bring into their home. More information would help. Many new parents already spend a lot of time researching safe and effective baby products. More widely available information about privacy concerns and long-term risks could help parents make more informed choices.
To get there, we need widespread and rigorous testing against a common set of standards. Without that, parents who want the peace of mind of a connected baby monitor are left in the dark on the security and privacy of their child’s bedroom.
New America's Open Technology Institute is a tech policy research and advocacy organization that works at the intersection of technology and policy to ensure that every community has equitable access to digital technology and its benefits.