
I have a problem with those two "vulnerabilities" listed:

- Available Serial Interface (referring to easy-to-solder console port pads on the PCB, accessible once you tear the device apart);

- Weak Default Credentials (referring to weak root password that is only ever accepted via serial console).

The life-span of a baby monitor is a couple of years, by definition. After that, this hardware could either become a cool easy-to-tinker Linux device, or e-waste.

Researchers at sec-consult seem to think the e-waste option is better, or at least it's a necessary evil to deter those pesky hackers who sneak near your child's crib, armed to the teeth with soldering irons and screwdrivers.




> The life-span of a baby monitor is a couple of years, by definition.

Unless you have more than one baby. Or friends/family with babies. My nephews are using products that weren't even new when I played with them, decades ago.


I have a four-year-old monitor that's on baby #1 in my household. It's a dead simple device and just works. I overwhelmingly care about its reliability to work, or to tell me when it's not working, and I'll easily sacrifice any hackability to achieve that.

Ever have an infant crying for 45 mins because the monitor failed and you thought he was still sleeping? Really really upsetting.


Run-of-the-mill alarm-based (SIDS-reducing) baby monitor owner here. Originally bought in 2012, going strong on baby #3.

Honestly, the static reassures me it's still listening to my child.

Probably similar reasons why the light switches in my home will remain analog. I need it to work 100% of the time. I can't trust a computer for that.


This is typical infosec handwaving nonsense.

People who have covert spy teams entering their home hacking serial interfaces on baby monitors probably shouldn't be buying this thing. The vendor in this case seems to have built a pretty decent solution considering the price point and purpose.

The only vulnerability here is the consumer vulnerability of buying something as trivial as a baby monitor that is dependent on some random consumer company's cloud service for a core function. It would be better to have a fallback to a multicast DNS service so it could function on the local network.



