SENATE, No. 2582

STATE OF NEW JERSEY

217th LEGISLATURE

INTRODUCED SEPTEMBER 26, 2016

Sponsored by:

Senator JEFF VAN DREW

District 1 (Atlantic, Cape May and Cumberland)

SYNOPSIS

     Requires Internet-connected baby monitors to include security features.

CURRENT VERSION OF TEXT

     As introduced.

An Act concerning baby monitor security features and supplementing P.L.1960, c.39 (C.56:8-1 et seq.).

     Be It Enacted by the Senate and General Assembly of the State of New Jersey:

     1.    a.   A baby monitor that broadcasts audio or video through an Internet connection and is manufactured, sold, offered for sale, or distributed in this State shall:

     (1)   provide end-to-end encryption;

     (2)   provide Certificate-based Authentication for manufacturer access when obtaining updates, registering, or relaying audio or video between Internet servers;

     (3)   prohibit unauthenticated access, including prohibiting implied third-party trusted access;

     (4)   prevent a consumer from disabling security measures; and

     (5)   include instructions notifying consumers about the proper use of the baby monitor and its security enhancement.  The instructions shall be conspicuous and easily understandable to consumers.

     b.    It shall be an unlawful practice and a violation of P.L.1960, c.39 (C.56:8-1 et seq.) to manufacture, sell, offer for sale, or distribute any baby monitor that does not meet the requirements of subsection a. of this section.

     c.     The Director of the Division of Consumer Affairs in the Department of Law and Public Safety, in consultation with the Commissioner of the Department of Children and Families, shall adopt, pursuant to the “Administrative Procedure Act,” P.L.1968, c.410 (C.52:14B-1 et seq.), rules and regulations necessary to effectuate the purposes of this act.

     2.    This act shall take effect on the first day of the seventh month next following the date of enactment.

STATEMENT

     This bill requires any baby monitor that broadcasts audio or video online and is manufactured, sold, or offered for sale in this State to:

     (1)   provide end-to-end encryption;

     (2)   provide Certificate-based Authentication for manufacturer access when obtaining updates, registering, or relaying audio or video between Internet servers;

     (3)   prohibit unauthenticated access, including prohibiting implied third-party trusted access;

     (4)   prevent a consumer from disabling security measures; and

     (5)   include instructions notifying consumers about the proper use of the baby monitor and its security enhancement, which are to be conspicuous and easily understandable to consumers.

     The bill provides that it would be an unlawful practice under the consumer fraud act, P.L.1960, c.39 (C.56:8-1 et seq.), to sell, offer for sale, or distribute any baby monitor that does not meet the requirements set forth in the bill.  An unlawful practice is punishable by a monetary penalty of not more than $10,000 for a first offense and not more than $20,000 for any subsequent offense.  Additionally, a violation can result in cease and desist orders issued by the Attorney General, the assessment of punitive damages, and the awarding of treble damages and costs to the injured.

     Baby monitors that broadcast live audio and video feeds over the Internet can be viewed on a computer, cellular telephone, tablet, or other Internet-connected device.  The possibility of an unknown individual watching a person’s baby is frightening for many parents who have come to rely on these devices.  Recent news articles highlight the vulnerabilities of Internet-connected baby monitors that lack basic security features, making them vulnerable to even simple hacking attempts.  In addition, a hacked camera could provide access to other Wi-Fi-enabled devices in a person’s home, such as a personal computer or security system.

     The Office of Technology, Research and Investigation in the Federal Trade Commission (FTC) studied five baby monitors that broadcast live audio and video feeds over the Internet and found that some have minimal security protections. Only one required a complex password while the others allowed users access with simple passwords, such as “password,” making them vulnerable to hackers.  To prevent hackers from guessing a password, basic security procedures lock down an account in response to multiple password failures; however, three of the five monitors allowed repeated entry of incorrect password attempts.

     An Internet-connected baby monitor first sends its feed to a home wireless router, and then over the Internet so the feed can be viewed remotely. Two of the five baby monitors the FTC studied did not encrypt the feed between the monitor and the home router, while another did not encrypt the feed between the router and Internet, resulting in additional vulnerabilities.