Buy It Fix It Warns of a Privacy Problem Plaguing a Popular "Smart" Baby Monitor System

Pseudonymous YouTuber "Buy it Fix it," hereafter simply "BIFI," took on the challenge of repairing a faulty second-hand smart baby monitor designed to stream video to a dedicated receiver — but which, he discovered, was also storing videos locally, recoverable by anyone willing to put in the effort.

"It said in the listing that the camera wasn't talking to the screen," BIFI explains of the VTech 5" Smart Wi-Fi 1080p Video Monitor, to give the streaming camera system its full and proper name, which was listed on a popular auction site as spares or repair. "I paid £13 [around $17] for this, plus about £3 [around $4] postage."

The system looks, on the surface, like any other video baby monitor on the market. There's a camera unit, which is designed to be placed watching over the child's crib, and a handheld receiver with controls to the side of a 5" LCD display. When it's working, the camera streams live video to the display — good for 12 hours per charge, the manufacturer claims, and with the option to talk back over the camera unit or have it play a choice of music, "soft ambient sounds," or activate a seven-color nightlight.

Also in the feature list, though easy to overlook, is the promise of "30 event local recording," allowing the unit to capture video based on motion for later review. An investigation of both the camera and the parent unit, though, revealed nothing in the way of removable storage — and with the two no longer on speaking terms, there's no obvious way for the seller to make sure their data had been properly erased before the system found its new owner.

While tearing the units down, BIFI found a serial port — and, when connected, it revealed the unsurprising presence of a single-board computer running a cut-down Linux. It would only boot part-way, though, which led BIFI to decide the best way to investigate the problem was to remove the flash storage chip from the unit and dump its contents.

Analysis of the dump revealed a serious issue: recoverable video, presumably recorded by the "30 event local recording" system, showing the previous owner's home and child. "I think there's a bit of a privacy issue there," BIFI notes, "especially if you've got one of these cameras and you sell it on eBay: it might contain a lot of the last recordings still."

The full tear-down process is documented in the video above and on BIFI's YouTube channel.