To evaluate security, our testers use the same protocol that we employ for wireless security cameras. We start by evaluating each company’s public documentation, such as privacy policies and terms of service, to see what claims the manufacturer makes about the way it handles customers’ data. The tests include inspection of the user interface and network traffic from each camera and its companion smartphone app to make sure it’s using encryption, adhering to manufacturer policies, and not sharing your data with irrelevant third parties. Additionally, we attempt to find security vulnerabilities that cybercriminals could exploit.
Only the Nanit Pro, the Owlet, and the Motorola VM64 (a model with both a separate display and smartphone capability) earn strong scores for security. However, all three still fall short of CR’s top-rated security cameras based on other factors.
Common security problems include less-than-secure log-in rules, meaning the device doesn’t require a complex password or multifactor authentication. In fact, Motorola, Owlet, Lollipop, and Safety 1st don’t even support multifactor authentication, which provides important protection against anyone who tries to access your account using a stolen password.
In the case of the Safety 1st WiFi Video Baby Monitor, we uncovered a vulnerability that could have allowed an outsider to gain full control of the device. After Consumer Reports contacted the company, Safety 1st pushed out a software update that resolved the issue; we’ve confirmed that the update was effective.
Other companies contacted by CR have addressed relatively low-risk security vulnerabilities. The lone exception is Lollipop, which has not responded to repeated inquiries from us. Without describing it in detail, we can say that the Lollipop vulnerability could allow a sophisticated, determined attacker to remotely take control of certain device functions.
On the privacy front, only some of the manufacturers provide clear information in the user documentation on how they collect and use data, and how long they keep it. Just four companies—Motorola, Nanit, Owlet, and Safety 1st—say they’ll let you get a copy of the data they’ve collected as you set up and use their baby monitors. On a more positive note, all the companies other than Miku say you can contact them to have them delete the data they’ve collected.
Overall, just one internet-connected baby monitor—the Nanit Pro—scores highly enough on security and privacy, in combination with its other scores, to earn an overall CR recommendation.