- Security researchers were able to hack into the Snoo Smart Bassinet and exploit vulnerabilities to take over its motor and speaker systems.
- The $1,300 internet-connected crib is designed to be as safe as possible for babies and comes with built-in features that reduce the risk of sudden infant death syndrome.
- The new findings show the security perils associated with internet-enabled smart devices.
- Happiest Baby, the company that sells the Snoo Smart Bassinet, says it patched the vulnerabilities after they were flagged by researchers from Red Balloon Security.
- There are no reports of hackers exploiting the vulnerabilities, or of babies being injured in a Snoo device.
For $1,300, highly cautious parents can buy a Snoo Smart Bassinet that comes with a built-in swaddle, speaker, microphone, and sensors to monitor a baby’s well-being at all times.
The crib is also fitted with a motor and a mobile app that connects to WiFi — and security researchers found that they could hack into it and cause the device to shake at high speeds.
Researchers with Red Balloon Security discovered several vulnerabilities with the Snoo after digging into its firmware last year, Red Balloon founder and CEO Ang Cui told Business Insider. By connecting to the crib using the same WiFi network, researchers were able to take control of its microphones, speaker, and motor. Red Balloon’s findings were first reported by WIRED Thursday.
“You literally strap the baby into a device connected to a motor and speaker, and it’s also connected to the internet. When I see that, the first thing I think is cybersecurity,” Cui told Business Insider. “In this case, you can make the motor shake the baby way harder than you’re supposed to.”
Researchers from Red Balloon, which also contracts with the Department of Homeland Security, found they could overcome the motor’s output limiter and put the motor into overdrive, exerting a g-force of up to 1.8 G on a nine-pound baby. And they overcame its speaker limits, blasting sound from the crib’s speakers up to 113 decibels — louder than a blender or a helicopter heard from 100 feet away.
The Happiest Baby, the company that sells the Snoo Smart Bassinet, patched the flaws after Red Balloon flagged them earlier this year. There are no reports of hackers exploiting the vulnerabilities, or of babies being injured in a Snoo device, which is designed to hold babies in a position that decreases the risk of sudden infant death syndrome.
A spokesperson for The Happiest Baby told Business Insider that “these findings never presented any safety risk because they could not be reasonably replicated in real-world conditions,” pointing to Snoo’s hardware limiters that prevent the bed’s engine from going above a safe level. The spokesperson also said that even the rocking speeds achieved by Red Balloon would not threaten a baby’s safety.
“Our world-class team of doctors and engineers spent five years building, testing, and perfecting this special bassinet. Happiest Baby is continuously fortifying Snoo’s safeguards to protect against intrusion,” the spokesperson said.
But more broadly, the episode illustrates security risks that are inherent to “internet of things” smart devices and aren’t necessarily exclusive to the Snoo.
“We’ve never in the history of computers made a useful internet connected tool that wasn’t also exploitable by people on the internet,” Cui said. “We used to joke that if you hacked a smart lightbulb, nobody would get hurt, but clearly this is different.”
WIRED notes that Red Balloon’s lead investor, Bain Capital, is also the lead investor of 4moms, which makes a Snoo competitor. Red Balloon and The Happiest Baby also share a venture capital investor, Greycroft.
Parents who are still worried about hacks despite the fact that the vulnerabilities have been patched can take another step to secure their Snoo Smart Bassinet: disconnect it from WiFi. Unlike many IoT devices, Snoo includes a switch that instantly turns WiFi off.