Incident Details

Incident: Smart Bassinet Software Vulnerabilities: Potential Remote Control and Volume Issues

Published Date: 2020-04-16

Postmortem Analysis
Timeline	1. The software failure incident involving the Snoo Smart Bassinet happened in April 2019 [Article 98218].
System	1. Snoo Smart Bassinet software [98218]
Responsible Organization	1. The Happiest Baby Company [98218] 2. Red Balloon, an embedded-device security firm [98218]
Impacted Organization	1. The Happiest Baby Company was impacted by the software failure incident [98218].
Software Causes	1. The software failure incident with the Snoo Smart Bassinet was caused by two authentication and infrastructure issues that allowed an attacker on the same Wi-Fi network to take total control of the device [98218]. 2. Additionally, the researchers discovered remotely exploitable vulnerabilities in the Snoo's software that could be used to mount attacks, which were later patched by the Happiest Baby Company [98218].
Non-software Causes	1. The Snoo Smart Bassinet had hardware vulnerabilities related to the motor's output limiter and the lack of a physical volume limiter for the speaker [98218]. 2. The lack of physical hardware protections to prevent remote manipulation of the bassinet's motor and speaker beyond intended levels [98218].
Impacts	1. The software failure incident in the Snoo Smart Bassinet exposed troubling bugs that allowed potential attacks exploiting authentication and infrastructure issues, enabling an attacker on the same Wi-Fi network to take total control of the device [98218]. 2. The vulnerabilities discovered in the software of the Snoo Smart Bassinet could have allowed attackers to remotely manipulate the device's motor, generating more force than intended, which could potentially harm infants [98218]. 3. The software failure incident also revealed that the Snoo Smart Bassinet lacked physical limiters for volume control, allowing the speaker to be pushed beyond its intended operating volume, potentially exposing babies to louder sounds than considered safe [98218]. 4. Despite the company's claims that the vulnerabilities were patched and no real-world harm was reported, the software failure incident highlighted the importance of securing hardware in addition to software in connected devices to prevent potential risks to users [98218].
Preventions	1. Implementing rigorous security testing during the software development process to identify and address vulnerabilities before the product is released [98218]. 2. Conducting regular security audits and assessments to proactively identify and patch any potential software flaws or bugs [98218]. 3. Incorporating physical limiters in the hardware design to prevent excessive rocking or sound levels that could pose a risk [98218]. 4. Ensuring prompt and efficient patching of software vulnerabilities through over-the-air updates to mitigate potential risks [98218]. 5. Providing users with the option to physically disconnect the device from the internet, reducing the attack surface and potential exploitation [98218].
Fixes	1. Patching software vulnerabilities: The software flaws and potential attacks exploiting them were quickly identified and patched by the Happiest Baby Company [98218]. 2. Implementing additional software checks: The company pushed out additional checks on the software side to ensure sound levels are not too loud [98218]. 3. Addressing root causes of unintended behaviors: Researchers emphasize the importance of addressing the root causes of unintended behaviors in IoT devices, even if they don't pose an immediate physical threat [98218].
References	1. Red Balloon - The articles gather information about the software failure incident from the embedded-device security firm Red Balloon, which conducted research on the vulnerabilities in the Snoo smart bassinet software [98218]. 2. The Happiest Baby Company - Information about the software vulnerabilities, patches, and company statements regarding the Snoo smart bassinet incident is gathered from The Happiest Baby Company, the maker of the Snoo [98218].

Software Taxonomy of Faults

Category	Option	Rationale
Recurring	one_organization	(a) The software failure incident related to the Snoo Smart Bassinet has happened again within the same organization, the Happiest Baby Company. The article mentions that the Red Balloon researchers found and disclosed additional remotely exploitable vulnerabilities in Snoo's software that could be used to mount the same attacks. The Happiest Baby Company patched the software vulnerabilities in less than two weeks after being notified by the researchers [98218]. (b) The software failure incident related to the Snoo Smart Bassinet has not been reported to have happened at other organizations or with their products and services.
Phase (Design/Operation)	design, operation	(a) The software failure incident related to the design phase can be seen in the case of the Snoo Smart Bassinet. Researchers from the embedded-device security firm Red Balloon discovered authentication and infrastructure issues in the Snoo's software that would have allowed an attacker on the same Wi-Fi network to take total control of the device [98218]. These vulnerabilities were related to the design of the software and its interaction with the hardware components of the bassinet, highlighting the importance of getting security right in the development phase of connected devices. (b) The software failure incident related to the operation phase is evident in the potential risks posed by leaving the Wi-Fi enabled on the Snoo bassinet. Red Balloon researchers found that with Wi-Fi enabled, users could be exposed to software vulnerabilities that could be exploited remotely if an attacker compromised the Wi-Fi network [98218]. This highlights the importance of proper operation and maintenance procedures, such as disabling unnecessary features like Wi-Fi when not needed, to mitigate the risks associated with software vulnerabilities in operational settings.
Boundary (Internal/External)	within_system	(a) The software failure incident related to the Snoo Smart Bassinet can be categorized as within_system. The vulnerabilities discovered by the researchers from Red Balloon were related to authentication and infrastructure issues within the Snoo's software that allowed attackers on the same Wi-Fi network to take total control of the device [98218]. Additionally, the researchers found software vulnerabilities that could be exploited to mount remote attacks on the Snoo, indicating that the failures originated from within the system itself.
Nature (Human/Non-human)	non-human_actions, human_actions	(a) The software failure incident occurring due to non-human actions: The software failure incident with the Snoo Smart Bassinet was primarily due to software flaws and potential attacks exploiting them, which were discovered by researchers from the embedded-device security firm Red Balloon [98218]. These vulnerabilities allowed an attacker on the same Wi-Fi network as the bassinet to take total control of the device without physical access, enabling them to send commands to the motor, speaker, and microphones remotely. Additionally, the researchers found hardware choices in the Snoo devices that were problematic, such as the motor's output limiter and the lack of a physical limiter for controlling the speaker's volume maximums [98218]. (b) The software failure incident occurring due to human actions: The vulnerabilities in the Snoo Smart Bassinet were discovered and disclosed by researchers from Red Balloon, who identified authentication and infrastructure issues in the software that could be exploited by attackers on the same Wi-Fi network as the bassinet [98218]. The Happiest Baby Company, the maker of the Snoo, patched the software vulnerabilities after being notified by the researchers. The researchers also found additional remotely exploitable vulnerabilities in the software, which were later patched by the company [98218].
Dimension (Hardware/Software)	hardware, software	(a) The software failure incident related to hardware in the Snoo Smart Bassinet involved two problematic hardware choices that were not as easy to patch or fix. One issue was with the Snoo motor's output limiter, which despite having protections built in, could still be manipulated remotely to generate more force than intended [98218]. (b) The software failure incident related to software in the Snoo Smart Bassinet included authentication and infrastructure issues that allowed an attacker on the same Wi-Fi network to take total control of the device. These vulnerabilities were patched, but additional remotely exploitable vulnerabilities in the software were later found and disclosed by researchers [98218].
Objective (Malicious/Non-malicious)	malicious, non-malicious	(a) The software failure incident related to the Snoo Smart Bassinet involved malicious factors introduced by humans with the intent to harm the system. Researchers from the embedded-device security firm Red Balloon discovered authentication and infrastructure issues in the Snoo's software that would have allowed an attacker on the same Wi-Fi network to take total control of the device, including sending commands to the motor, speaker, and microphones [98218]. The researchers were able to exploit these vulnerabilities to remotely manipulate the bassinet's motor, driving it faster and generating more force than intended, as demonstrated in their lab testing with a life-sized doll [98218]. Additionally, the researchers found remotely exploitable vulnerabilities in the Snoo's software that could be used to mount attacks, which were disclosed to the Happiest Baby Company and subsequently patched [98218]. (b) The software failure incident also involved non-malicious factors, as the vulnerabilities discovered by Red Balloon were not initially reported to have caused any real-world harm to infants using the Snoo. The Happiest Baby Company emphasized that the built-in hardware limiters in the Snoo prevented the bed's calming sensations from exceeding safe levels, and the sounds and rocking produced by the researchers would not be loud or vigorous enough to harm a baby [98218]. Despite the vulnerabilities identified, the company stated that no one had ever reported a hack or breach of a Snoo, and the risk of real-world exploitation or injury was considered low [98218].
Intent (Poor/Accidental Decisions)	poor_decisions, accidental_decisions	(a) The software failure incident related to the Snoo Smart Bassinet involved poor decisions made in the design and implementation of the software. Researchers from Red Balloon discovered authentication and infrastructure issues in the software that could allow an attacker on the same Wi-Fi network to take total control of the device, including sending commands to the motor, speaker, and microphones [98218]. Additionally, the researchers found problematic hardware choices in the Snoo devices that were not easy to patch or fix, such as the motor's output limiter and the lack of a physical limiter for the speaker volume [98218]. (b) The software failure incident also involved accidental decisions or unintended consequences. Despite the Happiest Baby Company's assertion that the sounds and rocking produced by the researchers would not be loud or vigorous enough to harm a baby, the vulnerabilities identified by Red Balloon could potentially lead to unintended effects on the device, such as exceeding safe sound levels or generating excessive rocking force [98218].
Capability (Incompetence/Accidental)	development_incompetence	(a) The software failure incident in the Snoo Smart Bassinet was primarily due to development incompetence. Researchers from the embedded-device security firm Red Balloon discovered authentication and infrastructure issues in the Snoo's software that allowed an attacker on the same Wi-Fi network to take total control of the device [98218]. These vulnerabilities were patched after being reported to the Happiest Baby Company. Additionally, the researchers found hardware choices in the Snoo devices that were problematic and not easy to patch, such as the motor's output limiter and the lack of a physical volume limiter for the speaker [98218]. (b) The software failure incident was not accidental but rather a result of deliberate exploitation of vulnerabilities by the researchers from Red Balloon. They conducted tests to manipulate the Snoo's motor remotely and exceed the intended operating volume of the speaker by sending specially crafted commands to the device [98218]. The vulnerabilities were identified through intentional research efforts to uncover security flaws in the smart bassinet's software and hardware.
Duration	temporary	The software failure incident related to the Snoo Smart Bassinet can be categorized as a temporary failure. The incident involved software flaws and potential attacks exploiting them, which were discovered by researchers from Red Balloon [98218]. These vulnerabilities were subsequently patched by the Happiest Baby Company after being disclosed by the researchers. The vulnerabilities allowed an attacker on the same Wi-Fi network as the bassinet to take total control of the device, sending commands to the motor, speaker, and microphones remotely. The vulnerabilities were addressed through software patches and additional checks on the firmware side to ensure the safety of the device [98218].
Behaviour	omission, value, other	(a) crash: The software failure incident related to the Snoo Smart Bassinet involved potential attacks exploiting software flaws that could have allowed an attacker on the same Wi-Fi network as the bassinet to take total control of the device, including sending commands to the motor, speaker, and microphones [98218]. (b) omission: The software vulnerabilities discovered in the Snoo Smart Bassinet could have allowed attackers to remotely manipulate the device's motor, speaker, and microphones without physical access, potentially omitting the intended functions of the bassinet's safety features [98218]. (c) timing: The software vulnerabilities in the Snoo Smart Bassinet did not directly relate to timing issues, as the primary concern was the potential for attackers to take control of the device remotely rather than the timing of its functions [98218]. (d) value: The software vulnerabilities in the Snoo Smart Bassinet could have led to the system performing its intended functions incorrectly, such as manipulating the motor to generate more force than intended or playing sounds at higher decibel levels than designed [98218]. (e) byzantine: The software vulnerabilities in the Snoo Smart Bassinet did not exhibit byzantine behavior, as the focus was on potential attacks exploiting the flaws rather than inconsistent responses or interactions within the system [98218]. (f) other: The software vulnerabilities in the Snoo Smart Bassinet led to concerns about potential attacks exploiting the flaws, including remotely manipulating the device's motor and speaker, playing sounds at higher decibel levels, and taking total control of the bassinet [98218].

IoT System Layer

Layer	Option	Rationale
Perception	sensor, actuator, network_communication, embedded_software	(a) sensor: The software failure incident related to the Snoo Smart Bassinet involved vulnerabilities in the sensor and actuator components of the device. Researchers from Red Balloon discovered authentication and infrastructure issues that would have allowed an attacker on the same Wi-Fi network as the bassinet to take total control of the device, including sending commands to the motor, speaker, and microphones without physical access [98218]. (b) actuator: The vulnerabilities discovered in the Snoo Smart Bassinet also affected the actuator component. The researchers found that despite hardware safeguards, they could send specially crafted commands to manipulate the device's motor from afar, driving it faster and generating more force than intended, potentially putting infants at risk [98218]. (c) processing_unit: The software vulnerabilities in the Snoo Smart Bassinet did not directly involve issues with the processing unit. The vulnerabilities primarily focused on authentication, infrastructure, and control of the sensor and actuator components of the device [98218]. (d) network_communication: The software failure incident in the Snoo Smart Bassinet was related to network communication errors. The vulnerabilities discovered by Red Balloon allowed attackers on the same Wi-Fi network as the bassinet to exploit flaws in the device's network communication, enabling them to take control of the device remotely [98218]. (e) embedded_software: The software failure incident in the Snoo Smart Bassinet was directly related to vulnerabilities in the embedded software of the device. Researchers identified and exploited software flaws that allowed for remote control of the bassinet's functions, such as the motor, speaker, and microphones, highlighting the importance of securing embedded software in connected devices [98218].
Communication	connectivity_level	The software failure incident related to the communication layer of the cyber-physical system that failed in the Snoo Smart Bassinet was at the connectivity level. The vulnerabilities discovered by Red Balloon researchers were related to authentication and infrastructure issues that allowed attackers on the same Wi-Fi network to take total control of the device, sending commands to the motor, speaker, and microphones [98218]. These vulnerabilities were exploited through the Wi-Fi network, indicating a failure at the network layer of the communication system.
Application	TRUE	The software failure incident related to the Snoo Smart Bassinet was indeed related to the application layer of the cyber physical system. The failure was due to software vulnerabilities that allowed attackers on the same Wi-Fi network to take total control of the device, sending commands to the motor, speaker, and microphones without physical access [98218]. The vulnerabilities were exploited through authentication and infrastructure issues in the software, which were later patched by the company after being disclosed by researchers [98218]. Additionally, the researchers found and disclosed additional remotely exploitable vulnerabilities in the software that could be used to mount similar attacks, prompting further software patches by the company [98218].

Other Details

Category	Option	Rationale
Consequence	non-human	(a) death: The software failure incident related to the Snoo Smart Bassinet did not result in any reported deaths. The vulnerabilities discovered by Red Balloon researchers could potentially allow attackers to remotely manipulate the bassinet's motor and speaker, but there were no reported instances of actual harm or fatalities [98218]. (b) harm: While the software vulnerabilities in the Snoo Smart Bassinet could potentially allow attackers to remotely control the device's motor and speaker, leading to physical harm, there were no reported cases of individuals being physically harmed due to the software failure incident [98218]. (c) basic: The software failure incident related to the Snoo Smart Bassinet did not impact people's access to food or shelter [98218]. (d) property: The software vulnerabilities in the Snoo Smart Bassinet could potentially allow attackers to manipulate the device's motor and speaker, but there were no reported cases of individuals losing material goods, money, or data due to the software failure incident [98218]. (e) delay: There were no reported delays in activities caused by the software failure incident related to the Snoo Smart Bassinet [98218]. (f) non-human: The software failure incident impacted the non-human entity, the Snoo Smart Bassinet itself. The vulnerabilities discovered by Red Balloon researchers could potentially allow attackers to remotely control the bassinet's functions, such as the motor and speaker, without physical access to the device [98218]. (g) no_consequence: The software failure incident did not result in any real observed consequences, such as reported injuries or hacks, outside of the controlled lab setting where the vulnerabilities were tested [98218]. (h) theoretical_consequence: There were potential consequences discussed in the articles regarding the software failure incident, such as the ability for attackers to remotely manipulate the Snoo Smart Bassinet's motor and speaker. However, the Happiest Baby Company emphasized that the vulnerabilities were patched, and no actual harm or breaches were reported [98218]. (i) other: There were no other consequences described in the articles beyond those related to potential harm, death, property loss, or delays caused by the software failure incident involving the Snoo Smart Bassinet [98218].
Domain	health	(a) The software failure incident discussed in the articles is related to the health industry. The incident involves the Snoo Smart Bassinet, which is designed to combat sudden infant death syndrome (SIDS) by keeping babies on their backs and soothing them with gentle rocking and white noise [Article 98218]. The vulnerabilities discovered in the Snoo's software and hardware could potentially impact the safety and functionality of the device, which is crucial for infant sleep and well-being in the health sector.

Sources

Hackers Made the Snoo Smart Bassinet Shake and Play Loud Sounds - WIRED - Published on: 2020-04-16
Article ID: 98218

Back to List