Wi-Fi baby heart monitor may have the worst IoT security of 2016

Not long ago, top computer security researcher Jonathan Zdziarski was blessed with a new baby and did what a lot of parents do – spent money on gizmos to keep an eye on it. One of the devices was an Owlet – a sensor that babies wear in a sock that monitors their heartbeat and relays that data wirelessly to a nearby hub. This …

  1. Anonymous Coward
    Anonymous Coward

    Prize winning security

    Surely the time is ripe for someone to start something along the lines of the Ignobel prize but for IoT security? Certainly plenty of contenders. Right up your street ElReg?

    1. Allan George Dyer Silver badge
      Trollface

      Re: Prize winning security

      It would have to be a weekly daily award...

      1. Anonymous Blowhard

        Re: Prize winning security

        "It would have to be a weekly daily award"

        I don't think there are enough hours in a day...

    2. Immenseness
      Thumb Up

      Re: Prize winning security

      The polished turd award?

    3. Anonymous Coward
      Thumb Up

      Re: Prize winning security

      Great idea (but why post anon?).

      El Reg make it so please!

      1. druck Silver badge
        Happy

        Re: Prize winning security

        Maybe AC works for an IOT company.

  2. DNTP

    To be fair to Owlet, they are not selling (and it would be either very expensive, or very stupid) their baby monitor as a medical device.

    Also to be fair to them, this is horribly bad security that arguably "compromises the average use case and expectation for a device of this type" regardless of any large-type disclaimer of responsibility.

    1. Anonymous Coward
      Facepalm

      To be fair to Owlet, they probably spent far more time and money on an adorable name, a cute website and lots of fab marketing than they spent on writing the actual baby monitoring software. So they can't be blamed for every tiny little fault with the product, can they?

      I'm sure their (offshore) Data Team are providing best practices on twitter even as I write this.

      1. 's water music

        To be fair to Owlet...

        the industry that bilks new parents for useless shit that they don't need, and which often doesn't even solve the non-problem it claims to, has been around for years.

        After market cycling accessories are quite similar.

        But lots of people have buying stuff as their hobby, which gets expressed through a series of obsessions, ostensibly with some or other activity but actually with buying accessories.

        New parenthood is similar but a lot more participants are emotionally vulnerable so the take-up rate (and presumably turnover/profit) is better.

        1. druck Silver badge
          Unhappy

          Re: To be fair to Owlet...

          I suspect there are not many actual parents contributing to this topic, who don't appreciate the worry that new parents feel every time they put their babies down to sleep.

          Cot death is a very small risk for most families, certainly not enough to hook your child up to a medical grade ECG machine every time it's put in a cot. But so as you don't feel guilty for not checking them every 10 minutes during their sleep for the first year of their life, particularly when you are out and leaving the duty to a baby sitter, some sort of unobtrusive and reliable monitor would be good, and that's why there is a market for these sorts of things.

          We don't expect these things to have FIPS 140-2 security certifications, but not being wide open to anyone in WiFi range would be a good start.

          1. Anonymous Coward
            Anonymous Coward

            Won't someone think of the children!

            This.

          2. Anonymous Coward
            Anonymous Coward

            Re: To be fair to Owlet...

            As a new parent who's survived the first 10 months so far without incident, I was considering buying one of these devices (not Owlet mind you, as they're overpriced). SIDS is always lingering in the back of your mind. There's a "back to sleep" program that teaches new parents to ensure their baby is sleeping on their back while still in swaddling age that has reduced SIDS significantly. A baby O2 and heart/breathing monitor and alert system was alluring for sure. We settled on a (wired) 1080p security camera on the ceiling of the baby's room for visual monitoring and a traditional audio baby monitor that we leave always on (which obviously isn't secure). Is an open wifi device like Owlet less secure though? Yes, definitely.

    2. SImon Hobson Silver badge

      To be fair to Owlet, they are not selling ... their baby monitor as a medical device.

      No, but (I assume) they are selling it on its features, which effectively means they ARE selling it to parents who expect a certain level of functionality. Ah, checks website, they most certainly are - with statements like "Designed to alert you if your baby stops breathing", "Proactively Monitors your baby’s heart rate and oxygen levels so you can have peace of mind", and "83% of parents who report better sleep while using the Owlet Baby Monitor". No doubt there that the expectation intended to be set is that you can fit this device and you can relax a bit "safe" in the knowledge that it'll alert you to problems.

      Put another way, if you aren't going to rely on any of its monitoring functions, then "why" buy it? So if you assume that the device can't reliably alert you if the baby stops breathing, then your option is to check regularly - clearly if 83% of parents say they sleep better, a heck of a lot of parents are using the device to reduce the frequency they need to check.

      OK, so you could argue that it may provide an alert in between your regular checks. Well, unless there is some certainty (which it appears there isn't), then you can equally say that "the baby may die without any alert", which I assume won't be appearing on their website as a testimonial!

      As to the disclaimer in the agreement - we all know how many people read those. So maybe the sort of person to be found in ElReg's forums will understand the limitations - the "average" person will believe this device is something they can "rely" on.

    3. Alan Brown Silver badge

      "regardless of any large-type disclaimer of responsibility."

      Such disclaimers tend to fall foul of the unfair contracts laws that exist in the EU - something else that Teresa's acolytes want to remove.

  3. Alan W. Rateliff, II
    FAIL

    First security problem is using wireless for critical application

    How easy is it to send de-auth packets? A flood of them? You want to trust your baby's life to that?

    Owlet has a disclaimer and indemnity clause in the EULA, which indicates to me the device should NOT be used as some parents are likely to use it and (I would hope and assume) Owlet likely does not encourage such use.

    The reality, however, is that wireless and cloud are becoming so ubiquitous in our society as to be almost inescapable, and thus implicitly trusted, even with all of their faults. Who should carry the burden of culpability for this: the vendors who push and push, the users who push and push onto others, or the poor suckers who just think things should work like magic?

    1. Brian Miller

      Re: First security problem is using wireless for critical application

      No, the first problem is using a gadget instead of an actual medical device. The Independent ran an article a couple of years ago that these monitors were mostly useless.

      Honestly, the old nursery rhyme has it right: put your child in a rickety basket in the top of a tree during a wind storm, and if the kid survives that fall, you'll have no worries. If you want a gadget, add a Raspberry Pi to monitor wind speed, cradle movement, and precipitation.

      1. Darren B 1

        Re: First security problem is using wireless for critical application

        >>If you want a gadget, add a Raspberry Pi to monitor wind speed, cradle movement, and precipitation.

        Smart nappies, now you are on a winner.

        1. allthecoolshortnamesweretaken

          Re: smart nappies

          Self-changing nappies.

      2. Alan W. Rateliff, II
        Meh

        Re: First security problem is using wireless for critical application

        "No, the first problem is using a gadget instead of an actual medical device. The Independent ran an article a couple of years ago that these monitors were mostly useless."

        I said security problem, not usage problem of the device in question. Our points are complementary.

  4. Herby

    It IS bad, but..

    At least they (Owlet) aren't sticking their head in the sand as others have want to do.

    Yes, security, we've heard of it, do we care? (crickets heard).

    1. CraPo

      Re: It IS bad, but..

      wont

    2. Gene Cash Silver badge

      Re: It IS bad, but..

      Really? Did you not read their clueless reply to his tweet?

  5. AustinTX

    How adorably 1990's

    "our data team"? You sure you don't want to capitalize those words to make them sound a tad more confident? You don't need a "Data Team", you need software developers, testers and at least a security consultant. I bet someone's flipping through their Rolodex for the number to that Chinese company who made the software for them...

    1. Terry Cloth
      FAIL

      "Data Team" competence

      [O]ur data team is working closely with this individual to better understand his concerns[.]

      That says it all. Are there any of El Reg's readers who didn't understand the problem instantly it was described?

      1. Phil O'Sophical Silver badge

        Re: "Data Team" competence

        The internet of stable doors, swinging in the breeze...

    2. LDS Silver badge

      Re: How adorably 1990's

      No, no, what they want is exactly a *data* team, a *your data we gathered* team. Who cares about development?? The whole IoT stuff is about making people install data gathering devices through offering some side features. Data they resell and make them earn more money than selling devices.

      1. Kane Silver badge
        Childcatcher

        Re: How adorably 1990's

        "The whole IoT stuff is about making people install data gathering devices through offering some side features. Data they resell and make them earn more money than selling devices."

        Exactly this, which is reflected in this statement:

        "The Owlet base station encrypts data sent to and received from the manufacturer's servers..."

        So the data they are gathering is encrypted, because it has more value to them than the actual data that is generated between the device and the base station.

  6. This post has been deleted by a moderator

    1. Richard Jones 1
      WTF?

      Re: I will have to buy a car one day

      My wife has a modern car; it is like being in a fairground ride, with sensors pinging and complaining, distracting the driver from what matters.

      So it is with the 'let's sell more junk squad'. If there is a medical problem use medical grade hardware and check the stuff to the nth degree, plus do it in a suitable location. If there is no medical issue, then remember, children have survived since before the cave people era without crap electronics. Safety proofing homes is another issue.

      Note, medical places are very noisy, the wired sensors* are always falling off, they stick on but must be able to be removed without attached skin. The first few times you are there your insides want to join the outside world when the buzzers go off and the red lights burn. (You know some will die, but which ones and when?)

      *Take care with the trailing wires, attendant tripping, infant strangulation and choking hazard for growing babies during unskilled user deployment.

    2. Anonymous South African Coward Silver badge

      Re: I will have to buy a car one day

      Hopefully somebody will have a HOWTO up to help you disable that pesky open bluetooth and wifi AP built into your car, so as to prevent rogue haxx0ring of your preciouses car...

      I would do that, just have a toggle switch to enable bluetooth/wifi before it goes in for a service (as the workshop may need access to that in order to run diagnostics etc) then disable it as soon as I get the car back. Should said workshop not need access to bluetooth or wifi, then it stays off forever.

      Or even a piece of tinfoil strategically placed...

      Will have to wait and see... I'm not looking forward to having a vulnerable car.

      1. Old Handle

        Re: I will have to buy a car one day

        My family got our first bluetooth enabled car recently. It does have a fairly easy to find option for turning it off. Though it's through a settings menu, not a hardware switch, so I guess there's still room for paranoia.

  7. Anonymous Coward
    Anonymous Coward

    I'm not sure why they created another "Solution" without a problem, but realistically for about 30 pounds you can get a sound and heart monitor that works with a board underneath the baby, no internet, it just works and it works well. An alarm sounds should it stop detecting a heart beat, and you can hear if baby starts crying.

    This has next to no security and you are reliant on someone else's servers to be up and running along with the internet. It's about time someone informs the public of the dangers of these devices and passes laws requiring mandatory security and service level agreements. Maybe when a botnet of these things takes down a bank or a government website they might take notice.

    1. stu 4

      stuff and nonsense

      Typical software 'engineer' over complicating things...

      breeder baby monitor:

      get one party horn.

      glue into baby's mouth.

      place peg over baby's nose.

      when noise stops - you have a problem.

      job done.

  8. My-Handle Silver badge

    "Utmost importance"

    <Rant>

    "The safety, security and privacy of our customers are of the utmost importance to us"

    Am I the only one getting sick to the back teeth of this phrase, or an extremely similar one, being trotted out by every bloody company that gets caught cutting corners, when the evidence points to the exact opposite? It's so blatantly disingenuous, it's almost an insult that they expect people to swallow it. There's no genuine apology, no intent to find the cause of the fault and no intent to improve on the quality of the product and the company. They might as well say "We got caught, get the lawsuits over with and bugger off. We've got another crap product we need to start not designing".

    </Rant>

    1. Commswonk Silver badge

      Re: "Utmost importance"

      "The safety, security and privacy of our customers are of the utmost importance to us"

      Am I the only one getting sick to the back teeth of this phrase, or an extremely similar one, being trotted out by every bloody company that gets caught cutting corners, when the evidence points to the exact opposite?

      No; you aren't. Not by a very long shot, I suspect. You almost apologised for "ranting", but in reality the point you make is entirely valid, and you must avoid giving the users of the boilerplate statement any possible excuse to ignore you by suggesting that your point is a rant.

      1. PNGuinn
        Mushroom

        Re: "Utmost importance"

        "The safety, security and privacy of our customers are of the utmost importance to us"

        If I so much as hear that B***S**T once more from some lousy marketing skunk who should rightfully be strung up by the b******s and t**g*r across the nearest high voltage line (maybe lv would be better - he'd last a bit longer) .....

        Y'know, it makes the honesty of Linus's rants positively endearing.

        Eat this - scumbags of the net >>

        ps

        Sorry - it's Friday - I'm in a good mood.

    2. toughluck

      Re: "Utmost importance"

      I wonder when companies will start getting sued for statements like these, which are blatant lies.

      I would really like to see a judge hand a verdict saying that while their security is terrible, there's no law against it. Nevertheless, the company will be fined $millions due to the outright lie that safety, security and privacy were in any way important when evidence clearly proves otherwise.

      At least maybe then we would get true statements such as:

      We are deeply sorry that we got caught releasing a product which was clearly unfit for purpose. We don't give a rat's ass about our customers' safety, security or privacy. In fact, we will make damn sure to sell them whenever we have a chance to make a quick buck and we will cut corners to reduce our costs, suckers.

      1. Wiltshire

        Re: "Utmost importance"

        "Your call is important to us, please hold".

        Did someone mention TalkTalk?

  9. Dr Patrick J R Harkin

    It could be worse.

    At least the sock doesn't use a Samsung battery...

  10. Anonymous Coward
    Anonymous Coward

    The monitoring sock? Seriously?

  11. Stevie Silver badge

    Bah!

    All your babylove are belong to lightbulb.

  12. Anonymous Coward
    Anonymous Coward

    Our data, our rights cannot be signed away in a user agreement

    The data that we create, data that is us, is ours and should be ours alone. While we can allow others to use it, we shouldn't be able to sign away all our data rights any more than we can agree to be murdered. Yet agreeing to be murdered appears to be the present situation with IoT, and will remain so until the laws and enforcement systems change to put the onus on the perpetrators rather than the victims.

  13. zb

    So the solution is to monitor your baby with a webcam, they have good security ... err ... I'll get my coat.

  14. Alistair
    Unhappy

    *sigh* I can't ... really

    SWMBO works in a store that sells babystuff, loves the job.

    Personally, I'm stunned that parents buy *any* of this stuff. However it is modern days.

    "our customer's contribution to our financial bottom line is incredibly important to our stockholders....."

    Is the *ONLY* statement that any corporation should be making along those lines.

    All that said, considering the nature of IT of late days, and the mandates I've seen from management types (based on the bottom line, always), should we as customers expect *anything* else from the large corporates in the market these days?

    Almost makes me wonder if putting my heart into it is worth doing anymore.

  15. JJKing

    When I was a baby, parents used to tear themselves away from a device known as the wireless and check their baby was ok. Now I suppose it is such an inconvenience to have to put down your tablet, tear yourself away from the latest restaurant food shot your friend has posted on InYourFaceBork to physically check your new real life device.

    Oh the inhumanity of it all.
