BolehVPN

What is a Dash Masternode and how do I set up one?

February 7th, 2016

Dash

BolehVPN is a proud supporter of Dash and grants a 10% discount to users who pay for our services using Dash.

What is a Dash Masternode?

As you know, we are big fans of Dash, a privacy-centric, anonymous and innovative digital currency that seeks to solve the drawbacks of Bitcoin. These improvements are achieved primarily through a layer of users hosting servers, called masternodes, that provide services on top of Dash.

Masternodes enable the following services:

  • InstantX (instant transactions). In contrast, Bitcoin takes about 10 minutes to confirm a payment.
  • PrivacyProtect (anonymous transactions). In contrast, Bitcoin transactions are totally public and traceable. Only the identity of the addresses is anonymous.
  • Dash Evolution (a decentralized payment processor; think of a decentralized Paypal).

Masternode users also have to put down a stake of their Dash (1000 Dash, which at the time of writing is worth about USD4240.00) and temporarily lock it up to host a masternode. This prevents people from easily creating masternodes in order to game the security of the system.

Masternode users also are given voting rights on proposals. Each masternode has 1 vote and this vote can be used on budget proposals or important decisions that affect Dash.

How much can you earn from hosting a Masternode?

Masternodes cost money and effort to host, so they are paid a share of the block reward to incentivize them. With current masternode numbers and rewards, masternodes earn approximately a 14% return on 1000 Dash (which means 140 Dash or USD593.60 at current prices) for the year of 2016. These rewards fall off in subsequent years, but as the value of Dash is rising and the supply of Dash goes down, masternodes should still be sufficiently incentivized. This projection also doesn’t count the fees that masternodes earn whenever someone uses their services (InstantX and PrivacyProtect).

MN Chart

Masternode Returns

What do I need to host a Masternode?

  • 1000 Dash: Arguably the hardest part. Dash can be obtained from exchanges such as Poloniex, Bittrex and LiveCoin. Shapeshift‘s service is also an excellent way. You can also use
  • A server or a VPS installed with Linux: For the purposes of this guide we will be using Ubuntu 14.04 LTS. We recommend cheap VPSes such as those from Vultr and DigitalOcean, though any decent provider will do. Generally a low-specced one will do. I use the 5 USD ones from Vultr and they work fine.
  • A dedicated IP address: These usually come with the VPS/server.
  • A little time <3 When I first got into masternodes, there were only a few guides around and they did not cover all the scenarios. It took days for me to figure out the best ways to do everything. However, the process now takes a few minutes. I hope this guide will make the process a lot easier.

If you can’t be bothered with setting up and maintaining your own and don’t mind paying a little extra, you can go with paid masternode hosters which will greatly simplify the process. A few good ones are:

  • Node40 You can tell Perry that BolehVPN sent you! (perry [a] node40 dot com)
  • Splawik Supershare Hosting Service Tell Splawik (splawik21 [a] dash dot org) that BolehVPN sent you! He also does share services, so if you don’t have 1000 Dash you can share with other people too! Splawik is an official member of the Dash team.
  • Masternodehosting by Holger (flare). Holger is an official member of the Dash team.
  • Moocowmoo Masternode.Me Moocowmoo is an official member of the Dash team.

BolehVPN is not affiliated to any of these providers though we have been in contact with most of them. A full list can be found here.

Step By Step Guide in Hosting a Masternode

This post assumes you are familiar with setting up a Ubuntu 14.04 VPS and already have a Dash wallet installed on your local computer.

If you do not have your Dash wallet yet, you can download the client from here. You can also read full documentation on the Dash wallet here.

If you need step by step instructions on setting up a VPS, you can use Tao’s Masternode setup guide for dummies which has a section on setting up one in Vultr.

Step 1 Secure your wallet

First of all make sure you have encrypted your wallet. This makes sure your Dash is kept safely even if your computer or wallet falls in the wrong hands.

Click on Settings > Encrypt Wallet and choose a suitably long passphrase.

Step 2 Generate a masternode private key and a deposit address.

Your masternode private key identifies you as the owner of the masternode. It also allows you to vote on budget proposals.

Although it isn’t a good idea to leak out your masternode private key, even if this information is out, your 1000 Dash is safe. If a third party gets hold of this masternode private key, all they can do is use your vote on proposals so it isn’t the end of the world.

Your deposit address is where you will be depositing your 1000 Dash.

Click on Tools > Debug Console and enter in the following commands as in the picture below.

genkey

Copy the two results and save them in a text file for later use. The first result is the masternode private key and the second result is the masternode deposit address. We will use them very shortly!

Step 3 Deposit your 1000 Dash

Make sure DarkSend (or Privacy Protect) and InstantX are left UNCHECKED. Send EXACTLY 1000 Dash into the masternode deposit address that you just created in one single transaction. That means, don’t send 500 and then another 500! It has to be in one single transaction! When sending it directly from an exchange, make sure you have accounted for the transfer fees or else you might end up with less than 1000 Dash!

You now have to wait for 15 confirmations which should take approximately 40 minutes. We can move on to the other steps first while waiting for this!

Step 4 Install Dashman

Dashman is an amazing script by Moocowmoo (one of Dash’s devs) that automates a lot of the tedious parts of maintaining a masternode.

SSH into your Linux server.

Type the following in a terminal.

sudo apt-get install git
git clone https://github.com/moocowmoo/dashman.git
cd dashman
./dashman install

This will create a new hidden folder called .dash in your user directory with all the relevant Dash files. You now need to edit the Dash configuration file.

nano ~/.dash/dash.conf

This will bring up a file like this:


#----
rpcuser=1c94c9c6ec78e96d78c2db67639ff71340af4f499670ded12bde1f679a5c6634
rpcpassword=5ee4ffecc41502bc19e18e338c26e84bb03239e7f49ay4e50fd70f40aac6633f
rpcallowip=127.0.0.1
rpcport=9998
#----
listen=1
server=1
daemon=1
logtimestamps=1
maxconnections=64
#----
#masternode=1
#masternodeaddr=YOURMASTERNODEIP:9999
#masternodeprivkey=YOURMASTERNODEPRIVATEKEY

Delete the “#” at the start of each of the last three lines (masternode, masternodeaddr and masternodeprivkey) and enter the masternode private key that you created in Step 2 in place of YOURMASTERNODEPRIVATEKEY. Dashman should have already automatically inserted your masternode IP in the appropriate section, but double check to make sure.

Press Ctrl X and confirm to save the file.

Type the following to restart your dash client to use the new settings:

./dashman restart
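The edit above is easy to get wrong without noticing (a line left commented, the placeholder key left in place), and dash.conf now holds both the RPC password and the masternode private key. As an added example, not part of Dashman or the original guide, the following Python check audits a dash.conf for those mistakes. The function names, the requirement that the address be a public IP, and the file-permission rule are assumptions of this example, and the sample values are constructed.

```python
import ipaddress
import os
import stat

PLACEHOLDER_KEY = "YOURMASTERNODEPRIVATEKEY"  # template text shown in the guide


def read_settings(text):
    """Collect active key=value lines; lines starting with '#' are inactive."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings.setdefault(key.strip(), []).append(value.strip())
    return settings


def audit_dash_conf(text, mode=None):
    """Return a list of findings for dash.conf content (empty list = clean)."""
    findings = []
    s = read_settings(text)
    if s.get("masternode") != ["1"]:
        findings.append("masternode=1 is missing or still commented out")
    host, _, port = s.get("masternodeaddr", [""])[-1].rpartition(":")
    try:
        public = ipaddress.ip_address(host).is_global
    except ValueError:  # empty, placeholder text, or a hostname
        public = False
    if not public or port != "9999":
        findings.append("masternodeaddr must be PUBLIC_IP:9999")
    key = s.get("masternodeprivkey", [""])[-1]
    if not key or key == PLACEHOLDER_KEY:
        findings.append("masternodeprivkey is not set")
    for value in s.get("rpcallowip", []):
        try:
            loopback = ipaddress.ip_network(value, strict=False).is_loopback
        except ValueError:  # wildcard or hostname forms are not loopback-only
            loopback = False
        if not loopback:
            findings.append(f"rpcallowip={value} exposes RPC beyond localhost")
    if not s.get("rpcuser") or not s.get("rpcpassword"):
        findings.append("rpcuser/rpcpassword missing")
    # Assumption of this example: the file should be readable by its owner only.
    if mode is not None and mode & 0o077:
        findings.append(f"file mode {mode:o} lets other users read the secrets")
    return findings


def audit_file(path):
    """Audit a dash.conf on disk, including its permission bits."""
    with open(path) as handle:
        return audit_dash_conf(handle.read(), stat.S_IMODE(os.stat(path).st_mode))


# Constructed sample: the guide's template with made-up RPC credentials.
TEMPLATE = "\n".join([
    "rpcuser=constructed-user",
    "rpcpassword=constructed-password",
    "rpcallowip=127.0.0.1",
    "rpcport=9998",
    "#masternode=1",
    "#masternodeaddr=YOURMASTERNODEIP:9999",
    "#masternodeprivkey=YOURMASTERNODEPRIVATEKEY",
])
# The same file after the edit described above (IP and key are made up).
CONFIGURED = (TEMPLATE.replace("#masternode", "masternode")
              .replace("YOURMASTERNODEIP", "52.14.2.67")
              .replace(PLACEHOLDER_KEY, "constructed-masternode-key"))

if __name__ == "__main__":
    for finding in audit_file(os.path.expanduser("~/.dash/dash.conf")):
        print("FINDING:", finding)
```

If the permission finding appears, `chmod 600 ~/.dash/dash.conf` clears it.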

It is also highly recommended to set up a simple firewall for added security.

apt-get install ufw

Enter the following commands EXACTLY (in this order) to set up your firewall:
Please note: Make sure you enter the code in this order! If you do not, the program will not work!
If need be you can disable your firewall by entering as root: ufw disable.

ufw allow ssh/tcp
ufw limit ssh/tcp
ufw allow 9999/tcp
ufw logging on
ufw enable

Check your firewall’s status by entering the following command:

ufw status

You will see a message saying that your ufw status is active and will activate upon reboot as well.

Step 5 Create a masternode.conf file on your local PC

Masternode.conf is a place to put all your masternodes details so your local Dash wallet knows which funds are in masternodes and allows you to label your masternodes.

You would first need to get your transaction hash and index for the deposit that you did into your masternode deposit address. To do this, go to Tools>Debug Console and type

masternode outputs

This will return something like this (the details below are fake but are for illustration purposes only).

{
"06e38868bb8f9958e34d5155437d009b72dff33fc28874c87fd42e51c0f74fdb" : "0",
}

The transaction hash is the first part (the long hexadecimal string) and the index is the single digit after it (usually 0 or 1). You will need this info to create your masternode.conf.

Create a new text file called masternode.conf in the same place where dash.conf is located on your local PC (not your masternode server!). On Windows this is located at %appdata%/Dash (type this in Windows Explorer). Open it to edit it and enter in the following format.

LABEL IP:9999 YOURMASTERNODEPRIVKEY TRANSACTIONHASH INDEX

LABEL: Any name that you want to call your masternode in one word. For e.g. MN1
IP: Your masternode IP
YOURMASTERNODEPRIVKEY: This is the masternode private key that you placed in your remote configuration just now
TRANSACTIONHASH: This is the transaction hash for the transaction in which you got your 1000 DASH deposited which you obtained just now through the masternode outputs command.
INDEX: This is the Index of your transaction which you obtained just now through the masternode outputs command.

To make things clearer let’s show a made up example of how a masternode.conf would look like. Colors are for illustration only.

MN1 52.14.2.67:9999 7rxSr3fXpX3dZcU7CoiFuFWqeHYw83r28btCFfIHqf6zkMp1PZ4 06e38868bb8f9958e34d5155437d009b72dff33fc28874c87fd42e51c0f74fdb 0

Once you have entered the necessary details, save your masternode.conf. Restart your Dash local client so it would take the new settings.

Note for multiple masternodes:

If you are creating more than one masternode, the “masternode outputs” command will return several transaction hashes and indexes. Just determine which one is the new one by comparing it with your existing masternode.conf and see which one is not in it.

You will then add the new corresponding details in new line in masternode.conf. An example is below:

MN1 52.14.2.67:9999 7rxSr3fXpX3dZcU7CoiFuFWqeHYw83r28btCFfIHqf6zkMp1PZ4 06e38868bb8f9958e34d5155437d009b72dff33fc28874c87fd42e51c0f74fdb 0
MN2 52.14.2.70:9999 7qmYP6epTN8d3S7pmkKsY52oFWRPCMs99kDe8tY4jkiDcP2X5bM 2788be8a939d445fff0c53ba5a53669925434a7498bd607a0791117633810b6a 1

Remember to restart your local Dash wallet whenever you edit your masternode.conf.
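A typo in masternode.conf, or the same deposit listed on two lines, only shows up later as a masternode that fails to start. As an added example that is not part of the Dash wallet or the original guide, this Python code validates each line against the format above and compares the file with the `masternode outputs` result to find the deposit that is not yet listed (the multiple-masternode case). The function names are assumptions of this example, and the sample data reuses the guide's made-up values plus one constructed hash.

```python
import ipaddress
import re

HEX64 = re.compile(r"[0-9a-fA-F]{64}")
# `masternode outputs` prints "txhash" : "index", pairs; the trailing comma
# makes it invalid JSON, so the pairs are matched with a regex instead.
OUTPUT_PAIR = re.compile(r'"([0-9a-fA-F]{64})"\s*:\s*"(\d+)"')


def parse_masternode_conf(text):
    """Return (entries, problems) for the text of a masternode.conf."""
    entries, problems, seen = [], [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 5:
            problems.append(f"line {lineno}: expected 5 fields, found {len(fields)}")
            continue
        label, address, privkey, txhash, index = fields
        host, _, port = address.rpartition(":")
        try:
            ipaddress.ip_address(host)
        except ValueError:
            problems.append(f"line {lineno}: {host!r} is not an IP address")
        if port != "9999":
            problems.append(f"line {lineno}: port is {port!r}, expected 9999")
        if privkey.startswith("YOUR"):
            problems.append(f"line {lineno}: private key is still the template text")
        collateral = None
        if HEX64.fullmatch(txhash) and index.isascii() and index.isdigit():
            collateral = (txhash.lower(), int(index))
        else:
            problems.append(f"line {lineno}: bad transaction hash or index")
        # Each label, address, key and 1000 Dash deposit may appear only once.
        for kind, value in (("label", label), ("address", address),
                            ("private key", privkey), ("collateral", collateral)):
            if value is None:
                continue
            first = seen.setdefault((kind, value), lineno)
            if first != lineno:
                problems.append(f"line {lineno}: {kind} already used on line {first}")
        entries.append({"label": label, "address": address, "collateral": collateral})
    return entries, problems


def parse_outputs(text):
    """Extract (txhash, index) pairs from pasted `masternode outputs` text."""
    return {(h.lower(), int(i)) for h, i in OUTPUT_PAIR.findall(text)}


def reconcile(entries, outputs):
    """Return (deposits not yet in the file, file entries the wallet lacks)."""
    configured = {e["collateral"] for e in entries if e["collateral"]}
    return sorted(outputs - configured), sorted(configured - outputs)


# Sample data: the guide's made-up values plus one constructed hash (H3).
H1 = "06e38868bb8f9958e34d5155437d009b72dff33fc28874c87fd42e51c0f74fdb"
H2 = "2788be8a939d445fff0c53ba5a53669925434a7498bd607a0791117633810b6a"
H3 = "ab" * 32
K1 = "7rxSr3fXpX3dZcU7CoiFuFWqeHYw83r28btCFfIHqf6zkMp1PZ4"
K2 = "7qmYP6epTN8d3S7pmkKsY52oFWRPCMs99kDe8tY4jkiDcP2X5bM"
SAMPLE_CONF = "\n".join([
    "# constructed sample",
    f"MN1 52.14.2.67:9999 {K1} {H1} 0",
    f"MN2 52.14.2.70:9999 {K2} {H2} 1",
    f"MN3 52.14.2.70:9998 {K2} {H2} 1",  # wrong port, reused key and deposit
])
SAMPLE_OUTPUTS = f'{{\n"{H1}" : "0",\n"{H2}" : "1",\n"{H3}" : "0",\n}}'

if __name__ == "__main__":
    conf_entries, conf_problems = parse_masternode_conf(SAMPLE_CONF)
    unassigned, unknown = reconcile(conf_entries, parse_outputs(SAMPLE_OUTPUTS))
    print("\n".join(conf_problems))
    print("deposits not yet in masternode.conf:", unassigned)
    print("entries with no matching wallet output:", unknown)
```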

Step 6 Starting your Masternode

Before you proceed, make sure your masternode is synced up to the latest block. To do this, on your masternode server, type:

./dashman status

This will return a result that shows the health and other information on your masternode. Generally if everything is ok, it will appear green. To check if your masternode has fully synced, see this portion of the status:

blockheight

If your local dashd has the same number as the other ones, you are synced!

Now startup your local Dash wallet if it isn’t open already.

Open up your terminal and type

masternode start-missing YOURWALLETPASSWORD

If all is well, you will see something similar to this (in this example there are 3 masternodes listed in masternode.conf):

{
"overall" : "Successfully started 3 masternodes, failed to start 0, total 3",
"detail" : {
"status" : {
"alias" : "MN1",
"result" : "successful"
},
"status" : {
"alias" : "MN2",
"result" : "successful"
},
"status" : {
"alias" : "MN3",
"result" : "successful"
}
}
}

You can also use the command below to selectively start a single masternode.

masternode start-alias YOURMNLABEL

To make sure they are properly started, go back to your masternode server and type again

./dashman status

It should show the following:

masternodestatus

Sometimes the ninja one may take a few minutes to sync up but if the first two results are YES you should be safe and can check a bit later to ensure that ninja is updated.

Congratulations, you now have a running masternode!

Step 7 Getting your Payment and Maintaining your Masternode

Your first payment may take a week or more to show but afterwards should take place once every 6 days. As long your dashman status shows that everything is okay, you should be in line for a masternode payout!

IMPORTANT NOTE: Every time you start a masternode, it resets its place in the payout queue, thus delaying payments. Therefore, although there is also a “masternode start-many” command, it isn’t recommended since it would also restart nodes that have no issues. If one of your masternode servers has an issue (for e.g. the server was rebooted), only restart the masternodes which are down by using the masternode start-missing command and not the start-many command.

If there is a new version of Dash out, you can easily update by issuing the following command on your masternode server which will update your Dash to the latest version.

./dashman update

After you update, always double check with a ./dashman status to make sure your masternode is still in a started state. If not, you will have to start it again from your local Dash wallet.

Step 8 Optional: Auto restart of dashd in the event of crash

You can also install a monitor to auto restart dashd if it crashes. This is optional. The below is taken from Moocowmoo’s post:

Install Monit

sudo apt-get install monit

Create file /home/user/.dash/start_dashd.sh (change user to yours)

#!/bin/bash
# Append both stdout and stderr to the log; the file redirect must come before 2>&1
/bin/su user -c '/home/user/.dash/dashd >> /home/user/.dash/rc.local.log 2>&1'

Make it executable

chmod 755 /home/user/.dash/start_dashd.sh

Edit the file /etc/monit/monitrc

sudo nano /etc/monit/monitrc

Edit the file as follows:

# uncomment these lines
set httpd port 2812 and
use address localhost  # only accept connection from localhost
allow localhost        # allow localhost to connect to the server and
# add this to bottom - change user to yours
check process dashd with pidfile /home/user/.dash/dashd.pid
start program = "/home/user/.dash/start_dashd.sh" with timeout 60 seconds
stop program = "/bin/su user -c /home/user/.dash/dash-cli stop"

Load the new configuration

sudo monit reload

Enable the watchdog

sudo monit start dashd

That’s it. You only have to do above once.
You can check monit’s status by typing below:

sudo monit status

It’ll keep your dashd running for you (across reboots too, no need for any crons or scripts) and keep you from fighting with your chosen OS. Monit only runs once a minute, so be patient if you’re waiting for it to do something.

If you need proof it works, once you see your dashd in the ‘sudo monit status‘ output, you can test it by simply stopping your dashd (dash-cli stop) — within 2 minutes it’ll start it back up,

Disclosure

This post is not officially affiliated with Dash nor sponsored in any way. Our Co-Founder Reuben is a big fan of the cryptocurrency and wished to share what he had to learn through asking around and trawling many posts scattered across the web. He owns several masternodes in his own private capacity.

Wearable Tech of the Future – Friend or Foe?

February 7th, 2016

Wearable technology has been all the rage in our evolving world with the Internet of Things. With more and more devices, contraptions and wacky gadgets being connected to the internet, it is getting increasingly common to hear even clothing and accessories incorporating computer and advanced electronic technologies into their designs. Through the development of wearable technology, pioneers have worked towards weaving the conveniences of electronics, software, sensors and connectivity into our daily lives in attempts to ease our every day routines.

 

Here’s a look at some very interesting wearable technology that are definitely not your average accessory:

1) Nadi Smart Fitness Pants which helps yogis correct your yoga forms


(Source: Mashable)

 

2) This Bitcoin engagement ring with 3D-printed QR code


(Source: Mashable)

 

3) The temporary tattoo which converts your sweat to electricity


(Source: Engadget)

 

4) Google’s glucose-monitoring contact lenses

This undated photo released by Google shows a contact lens Google is testing to explore tear glucose. After years of scalding soldering hair-thin wires to miniaturize electronics, Brian Otis, Google X project lead, has burned his fingertips so often that he can no longer feel the tiny chips he made from scratch in Google’s Silicon Valley headquarters, a small price to pay for what he says is the smallest wireless glucose sensor that has ever been made. (AP Photo/Google)

(Source: TIME)

 

5) The D-Shirt by Cityzen Sciences that tracks your health & recharges during washing


(Source: Daily Mail)

 

6) These BlackSocks to pair & reunite lost socks to its other partner


(Source: BlackSocks)

 

While on top of all the crazy wearables companies are coming up with, the most common wearable tech that can be found among us are still our conventional fitness trackers and smart watches. Although once considered expensive to get a hold of, these days smartbands are getting more affordable and growing in their own array of functionalities and features.

However, while wearable technology is highly innovative, it also comes with certain risks. Be it any brand such as the Fitbit, Xiaomi, Nike, Pebble, Jawbone, Garmin, or countless others, all these smartbands have one thing in common; they could be leaking your personal information and activities without your consent.


Source: Pinterest

The weakest link

As more users are donning their latest wearable tech to track their fitness or answer calls, this new era of wearable technology inevitably opens up a front for hacking threats. The data that comes from wearable tech can in fact be even more personal and detailed than that which comes from smartphones, as it allows hackers to build an in-depth understanding of their victims, from their location and heart rate to the number of hours they sleep each night. Hackers who gain access to this kind of personal information will acquire rich sources of the target victim’s home location, where they work, or cafes they frequent whenever the user connects their smartband. We might believe that fitness activity data may not be a huge concern, but every time a user switches on their smartband to record their daily activities, it leaves a door open for hackers to observe their habitual routines. Leaving your house at 6am every day for a jog? A burglar could be targeting your home to break into.


(Source: Cloud Tweaks)

Wearable technology could act as a gateway to other devices, such as smartphones, or data stored in the cloud. Many of these devices are connected to the user’s phone, which holds information such as emails or sensitive work information, and that makes it a prime target for hackers. More often than not, it is not the wearable device which presents itself as the weakest link in the chain, but the smartphone that is giving hackers a backdoor to your confidential data.

“You are more vulnerable if the attacker knows about you. The more data in the cloud linked with a personal profile, the more likely it is people can get the data and use it against you to craft an attack,” says Raimund Genes, chief technology officer of Trend Micro who warns that device makers are still not building enough security into their wearables.

 

What do the people think about wearable tech?

Apadmi, UK’s leading app developer, performed a study on wearable tech to assess the privacy risks potential customers perceive wearable tech poses.


(Source: Apadmi)

While almost half of the respondents do perceive some form of privacy risks that wearable tech could threaten, approximately the same amount of respondents (40% of “Don’t know” responses!) are clueless regarding the impact wearable devices could have upon their privacy. Yes, while the explosive growth of wearable tech has made these devices mainstream, it seems many users still lack any firm grasp on the true potential security nightmares they could lead to.

Let’s not abandon our smartbands just yet

Naturally, sans any proper security, wearable tech can be just as susceptible to hacking as our smartphones and laptops are. Nevertheless, the risks of wearables vary by product, design and intended use. As it is likely that wearable tech designers and manufacturers have yet to come up with security which is up to par with their products, companies should consider data security factors as equal in importance to the functionality and design of their devices. Safety science company UL has spoken up about the importance of safeguarding against hackers to secure the future of wearables. Their advice to tech manufacturers is to strive towards minimizing the digital risks involved by seeking the advice of third parties, testing product data security features and having third-party audits of security procedures, to open up new possibilities for consumers looking to fit these devices into their lives.

 

Sources

[1] CNBC

[2] Apadmi

[3] Telegraph

[4] Zingadget

[5] McAfee

The BolehVPN team will be away over Chinese New Year

February 3rd, 2016

We’ll be a little slow over Chinese New Year (7th – 9th of February) as we’re travelling and spending time with our families. Emails and tickets will still be answered, just a little slower than usual. Happy Year of the Monkey!

Google’s Move To Shame Unencrypted Sites

February 2nd, 2016

Google dreams of a world where all of its wide web is encrypted, and all information on the Internet is protected through secure channels. Yes, although they are often busy being the most popular search engine giant on the net, Google does to some extent share the security concerns of their 1 billion site visitors.

Google reportedly plans to introduce a feature in its Chrome browser which warns users by displaying a red X over a padlock icon in the URL bar when they land on a HTTP site. While people might observe a warning sign, they do not perceive the absence of one. This step by Google to mark unencrypted websites with a ‘scarlet letter’ is only an optional feature for now in Chrome, but it is believed that soon Google will start shaming unencrypted websites, alerting users when they are on a site that could be intercepted by hackers as the company looks to clamp down on cyber criminals exploiting insecure sites.


Source: PC World

 

HTTP vs HTTPS

Currently, when a page is unencrypted in HTTP (Hyper Text Transfer Protocol) form, Chrome merely displays an icon of a white page. If the page users are accessing is encrypted, a green locked padlock will appear. Google announced it wanted the whole of the web to be Hyper Text Transfer Protocol Secure (HTTPS), and that any sites that were otherwise should be flagged, explicitly highlighted and shamed, in order for users to be able to make informed decisions about how to interact with an origin. Communications which are sent over regular HTTP connections are in ‘plain text’ and can be read by any hacker who succeeds in breaking into the connection between your browser and the website. Clearly, this is a great danger if your communication is on an order form and includes your credit card details or social security number.

On the other hand, HTTPS makes sure that your information is protected from bad guys such as cyber criminals, who are after your passwords, messages and other data. The HTTPS protocol adds an extra layer of protection against snooping and interception, and hopefully allow web users to be less vulnerable to hackers by encouraging websites to implement HTTPS encryption to scramble data passing from media-viewing devices to online addresses. Moreover, HTTPS functions to deflect fake versions of websites that could also be used to trick you.

 

Who’s on board?

In fact, this move is something Google has proposed since 2014 on their Chromium Security website. However, these steps towards a more secure Internet for everyone do not come from Google alone. There have been companies and organisations who disagree with the current way of the Internet, and have joined forces to push for more encrypted sites, backing the Encrypt All the Things campaign, which calls for more network and data protection from unauthorized surveillance.


Source: Encrypt All the Things

“HTTP provides no data security,” Google software engineer, Chris Palmer, had posted on the Chromium Project site in December 2014 when first announcing the company’s proposal to implement the new feature in Chrome. “The goal of this proposal is to more clearly display to users that HTTP provides no data security.” he noted. Palmer also went on to say “We all need data communication on the Web to be secure (private, authenticated, untampered)”.

 

What’s in it for the web developers?

Besides being rewarded with a green lock visible on the browser, signifying the security of their site, web developers who follow guidelines to up the security of their sites will possibly have their sites given higher search rankings above less secure entities. Google’s Webmaster trends analysts, Zineb Ait Bahajji and Gary Illyes, stated in a blog post “We’ve been running tests taking into account whether sites use secure, encrypted connections as a signal in our search ranking algorithms. We’ve seen positive results, so we’re starting to use HTTPS as a ranking signal”.

 

Drawbacks

Although, generally speaking, nudging more sites to make website encryption the norm is great news to hear, this move does have drawbacks of its own. Although Google has insisted that its plan to introduce the new feature in Chrome will not break plain HTTP sites but merely introduce a new security alerting capability, the company has mentioned little regarding the expenses that web developers might have to incur to obtain the Secure Sockets Layer (SSL) certificates needed to implement HTTPS. Downplaying the concern, the company mentions how “some providers offer free or inexpensive certificates that Websites can use”. Branding the HTTP sites with a bright X might not go over well with web developers, especially for smaller sites.

Undeniably, the large majority of web pages available on the Internet exist in HTTP form, not HTTPS. This would mean that web users could start receiving security warnings on pages which previously have always been browsed on with no trouble, and could cause panic among users and hammer on tech support to address the warnings. On the other end of the spectrum, web users may take these security warnings to be so common that they will learn to ignore them just as before, which would render the whole idea of the ‘branded X’ redundant.

Undoubtedly Google’s underlying goal to mark all HTTP pages as insecure is an effort to encourage a safer Internet for all. However in the end it still depends on the web users to make their own good decision in their browsing habits.

 

For Chrome users who wish to see how the proposed markings would work, the icon is available as an optional flag. Web users can enable it by typing chrome://flags in the URL bar and scroll to ‘Mark Non-Secure as’ and choose the option ‘Mark non-secure origins as non-secure’. This experimental feature works on Mac, Windows, Linux, Chrome OS, and Android.

 

Sources

[1] The Drum

[2] Motherboard

[3] Sputnik News

[4] ZDNet

“Mummy, I’m Afraid of the Man in the Monitor”

January 30th, 2016

It’s almost like a scene from any Paranormal Activity movie. But in all the horrific nightmares you could conjure up in your mind, this could be the most twisted and sickening because it is not dealing with ‘supernatural forces’, but rather real predators targeting real people in real life situations.


Source: CBS News

In general, baby monitors act as a tool for parents’ peace of mind to keep a watchful eye on their kids. But little do they know about the vulnerabilities and the dangers of hackable baby monitors. Following several reports of consumers recounting their horror tales of their monitor devices being hacked and abuses shouted at their children, American parents have been warned to be more wary of the types of baby monitors they are choosing to bring into their homes.

 

Creepy baby monitor stories

1) In 2013, a Houston couple were left shaken when they discovered a hacker had accessed their baby monitor to shout profanities at their then two-year-old daughter. Not only did the hacker make lewd comments to their toddler such as “wake up you little slut” and “effing moron”, the man had accessed the monitor’s camera and also called the child by her name “Allyson”, which was spelt out on the wall. When the parents, Marc Gilbert and his wife Lauren entered the room, the voice began swearing expletives at them too, by calling Gilbert a stupid moron and his wife a b****.

 

2) Heather Schreck was asleep in her Ohio home around midnight in April 2014 when she woke up to the sounds of a man screaming “Wake up baby! Wake up baby!” at her 10-month old daughter, Emma. When Heather checked her phone screen, she could see the camera monitor moving around the room. That’s when the screaming picked up, according to Fox 19 news. When Heather’s husband, Adam, quickly ran into the room, the camera then turned to point directly at him.

Source: NBC News

 

3) An Indiana couple, the Denmans, were freaked out when they found out a hacker was able to infiltrate their baby monitor at home and played “Every Breath You Take” by The Police. The two-year old child was playing at home with her mother when the music suddenly started playing. At first, the mother thought it was a joke, until the hacker began making sexual noises on the monitor. After Jared Denman searched online for similar cases, he found several videos posted online showing similar hacks with the same song playing over the speakers, and the hacker used a Twitter account to brag about the breaches.

 

The ongoing investigations

Now, New York’s Department of Consumer Affairs (DCA) has launched investigations into disturbing cases of baby monitor hackings by contacting four unnamed baby monitor companies, demanding information about their security and to see evidence of complaints about unauthorised access. The DCA issued subpoenas to these four major manufacturers, who market their devices as “secure”, in its investigation into the security vulnerabilities of the devices and whether their security claims violate NYC’s Consumer Protection Law, which prohibits deceptive and misleading advertising. If the companies are not living up to the security promises they made in their marketing, they could be hit with civil fines for deceptive marketing practices. As the investigations are still ongoing, no names or details have been released yet.

Earlier this month, the Federal Trade Commission (FTC) had also issued a similar warning to parents whose houses and children’s rooms are equipped with security cameras. The FTC had researched five baby monitors and found four of them to have serious security issues, because of the ease with which they could be accessed through simple, easy-to-crack passwords. Moreover, two of the five did not encrypt the feed between the monitor and the home router, and one other did not encrypt the feed from the router to the internet.

“Video monitors are intended to give parents peace of mind when they are away from their children, but the reality is quite terrifying – if they aren’t secure, they can provide easy access for predators to watch and even speak to our children,” said DCA commissioner Julie Menin in a statement.

 

Tips

Due to the Internet of Things, our everyday devices and appliances are increasingly connected online, with computing and network capabilities embedded into them. Thus, this largely affects consumers’ personal privacy when exploited, such as the case of these baby monitor hackings. These are a couple of tips parents can consider to curb these disturbing hacks:

1) Use baby monitors which are not Wifi-enabled, such as this Motorola digital video baby monitor model recommended by Ars Technica. It offers no Internet connectivity and uses encryption to protect the video and audio stream sent between the camera and a dedicated handset. Although these types of monitors will probably have weaknesses of their own, they do eliminate the fear of being Internet-connected, and are arguably safer as attackers will have to be in physical proximity of the people being targeted to perform any hacking.

2) As the DCA recommends, register your product and update software, firmware and applications. If you register your product, you will be notified of security updates by the manufacturer (which are important!). Be sure to install all security updates.

3) Additionally, the FTC urged parents to look for baby monitors with strong security protocols, or at least perform some research on baby monitors with any known security vulnerabilities before buying.

4) Choose strong passwords which are changed regularly. Avoid using the default camera name and password, and only share it with people you trust absolutely.

5) For those who have existing Internet-enabled baby monitors in your homes, it is preferable to cut off usage of the monitors until vendors are able to fully-address all the identified weaknesses in their devices. Monitor the manufacturer’s website for any security advisories or patches for their devices.

 

Sources

[1] Ars Technica

[2] NYC Consumer Affairs

[3] BBC News

[4] Parent Herald