A hacker was able to shout abuse at a two-year-old child by exploiting a vulnerability in a camera advertised as an ideal “baby monitor”.
ABC News revealed how a couple in Houston, Texas, heard a voice saying lewd comments coming from the camera, made by manufacturer Foscam.
Vulnerabilities in Foscam products were exposed in April, and the company issued an emergency fix.
Foscam said it was unable to provide a statement at this time.
ABC reported that Marc Gilbert and wife Lauren were left shaken when they heard a “British or European accent” coming from the camera.
Mr Gilbert said the voice directed offensive, sexualised words at their daughter Allyson, who was asleep in bed.
The family believed the hacker was able to call the child by her name because it was spelt out on the bedroom’s wall.
The two-year-old is deaf, something the couple described as “something of a blessing” in the circumstances.
It is not clear whether the family had updated the camera with the latest software.
The BBC has found evidence of hackers sharing information on how to access insecure Foscam cameras via several widely-used forums.
Using specialist search engines, people can narrow their results by location.
On one forum, internet addresses for cameras – not all made by Foscam – were listed with descriptions such as “school/daycare?” and “kids room”.
In April, security firm Qualys uncovered a weakness in Foscam’s devices.
The company said that various attack techniques exposed the camera’s remote monitoring access – the simplest of which was simply scraping Foscam’s website for unique identifying codes for each customer.
Around two out of every 10 Foscam cameras monitored by the researchers were insecure, Qualys said – using just “admin” to log in, and requiring no password.
Foscam is not the only company to find itself the target of hackers. Last year, camera company Trendnet had to rush out an update to fix a security hole that left thousands of cameras exposed.
In June, Foscam issued a fix for some of the issues raised by Qualys. In a blog post, the company said it appreciated the “constructive criticisms and advice”.
Visitors to the firm’s homepage do not see any notice of the critical upgrade.
The company did however publish a blog post to publicise the patch, and users who had signed up to a firmware update newsletter should have been informed by email.
Discussion forums on the Foscam website show several other customers having security problems with their devices.
User pianomama00 wrote: “My husband heard something in babies room.
“He went in and a guy started talking to him and said he wasn’t a neighbour and lived in a different state! Be careful everyone!”
Another user criticised the firm’s customer service, saying: “I can’t call, can’t chat online and I’ve sent email with no response.”
A technical support number listed on the UK website remained on hold for 30 minutes when contacted by the BBC. A separate sales number gave an estimate of a “47-minute” wait to speak to an advisor.
A link to find out more information about the company and its location led to a broken page.
Foscam products in the UK are also sold under the trading name of GadgetFreakz – as well as being sold through Amazon.
A sales number on the GadgetFreakz website was also unanswered – instead redirecting to a mobile voicemail mailbox.