The software is secure against known bugs and types of attacks.
The baby monitor handset connects directly to a media stream provided by the camera itself. To establish a connection to the stream it needs only a Wi-Fi network, not a successful connection to third-party servers or the broader internet. In our analysis of traffic going to and from the handset, we found no indication of any web browser activity.
The baby monitor handset does not use a browser.
NA
― Apps ―
The software is secure against known bugs and types of attacks.
Testing found that the baby monitor Android app, handset, and camera use a third-party service, in a manner undisclosed to the user, which brokers a direct video connection between the camera and the app. This service is used to find where both the paired camera and the app are located on the internet and to traverse firewall restrictions, so that a video feed can be sent directly from the camera to the app over the open internet. While such a function is plausibly necessary for the intended functionality of the monitor, other researchers have previously observed and documented the use of the same third-party service on many similar devices. They noted this behavior as a possible vulnerability for all devices reliant on this particular vendor. Similar devices, in this case, include home security cameras and doorbells, as well as a variety of other connected devices that allow direct connections between a mobile app and a sensor on different networks. Of primary concern is that the device regularly transmits data across regional/jurisdictional boundaries, despite many other parts of the service using regionally specific servers.
❌
― Connected Devices ―
The software is secure against known bugs and types of attacks.
Testing found that both the baby monitor camera and handset use a third-party service to broker connections between the Android app, camera, and handset. This service is used to traverse firewall restrictions and send a video feed directly from the camera to the app over the open internet. While such a function is plausibly necessary for the intended functionality of the monitor, other researchers have previously observed and documented the use of the same third-party service on many similar devices. They noted this behavior as a possible vulnerability. Similar devices, in this case, include home security cameras and doorbells, as well as a variety of other connected devices that allow direct connections between an app and a sensor on different networks. Of primary concern is that the device regularly transmits data across regional/jurisdictional boundaries, despite many other parts of the service using regionally specific servers.