The Nursery Under Surveillance
In October 2025, a Colorado mother heard a stranger's voice coming through her baby monitor. She ran in and unplugged it immediately. [1]
She's not alone. Parents across the country have reported hackers speaking to their infants, playing music at 3 AM, or silently watching through nursery cameras. [2]
The US baby monitor market is expected to hit $740 million by 2033. [3] Many devices have critical security flaws. Smart toys routinely violate children's privacy laws. And the footage from hacked baby cameras has ended up on underground websites.
The device meant to protect your child might be exposing them instead.
When Strangers Speak to Sleeping Babies
The Stripling family in Arkansas thought their password was strong enough. Then a stranger hacked into their home and spoke to their baby through the monitor. [2]
"I want to burn it," said Stephanie Stripling. They've since switched to an offline monitor and won't use WiFi monitors "whatsoever."
How Hackers Get In
Baby monitor hacks typically happen through: [4]
- Default passwords: Many parents never change factory settings
- Weak WiFi security: Hackers break into the network, then access connected devices
- Device vulnerabilities: Unpatched software with known security holes
- Internet sweeping: Automated tools scan for unsecured cameras with default credentials
Families don't have to be targeted specifically. Hackers sweep the internet looking for any camera still using factory settings. [5]
What Hackers Can Do
- Watch silently: View your baby, your home, your daily routines
- Speak through the speaker: Talk to your child without your knowledge
- Record footage: Capture video that may end up on illicit websites
- Control the camera: Pan and zoom to see more of your home
- Access your network: Use the monitor as an entry point to other devices
Research Reveals "Child's Play" Vulnerabilities
In 2024, security researchers from Bitdefender revealed that hacking IoT baby monitors is "child's play." [6]
What They Found
- Critical security flaws in popular smart baby monitors
- Weak authentication that can be bypassed
- Unencrypted communications allowing interception
- Third-party connections to servers parents don't know about
One research team discovered that some monitors regularly contacted a server in Beijing that didn't belong to the manufacturer. [7] These third-party relationships are common in IoT devices but rarely disclosed.
Euroconsumers Testing
Belgian and Portuguese consumer groups tested digital baby monitors and found: [8]
- Serious security flaws across multiple products
- Lack of basic protections in wearables and tablets aimed at kids
- Children's information and location wide open to hackers
The $740 Million Nursery Surveillance Market
Baby monitors have evolved from simple audio devices to sophisticated surveillance systems:
Market Size
- $370 million in 2024 [3]
- $740 million projected by 2033
- 8.11% CAGR growth rate
Features Collected
- HD video (often 1080p+)
- Two-way audio
- Night vision
- Temperature/humidity
- Motion and sound alerts
- Cloud storage of recordings
Privacy Concerns
- WiFi monitors most vulnerable
- Cloud storage = third-party access
- App permissions often excessive
- Data sold to train AI algorithms
Where Your Baby's Data Goes
Baby monitors are now technically similar to home surveillance products, and often made by security companies. [7] This creates concerning possibilities:
- Training data for AI: Video from baby monitors could feed algorithms for other surveillance devices
- Third-party sharing: Many apps share data with analytics and advertising companies
- Cloud storage risks: Your baby's video stored on servers you don't control
- Cross-device tracking: App permissions may access other data on your phone
Smart Toys and COPPA Violations
It's not just monitors. Connected toys, tablets, and wearables aimed at children routinely violate privacy laws.
FTC vs. Apitor (September 2025)
The FTC took action against robot toy maker Apitor for allowing "a Chinese third party to collect sensitive data from children using its product, in violation of COPPA." [9]
What happened:
- Third party collected geolocation data from children
- Parents were not notified about the data collection
- No parental consent was obtained
- Children under 13 had their data collected illegally
Apitor faced a $500,000 penalty (suspended because they couldn't pay) and must delete the illegally collected data. [9]
The Updated COPPA Rule (January 2025)
The FTC strengthened children's privacy protections in January 2025: [10]
- Separate parental consent required for sharing children's data with third parties for targeted advertising
- Cannot retain data indefinitely, only as long as "reasonably necessary"
- Parents must opt in to targeted advertising (not opt out)
- Prohibition on monetizing children's data without active permission
The Enforcement Problem
Despite the rules, violations continue. Alan Butler of the Electronic Privacy Information Center (EPIC) noted: [11]
"For any new device coming onto the market, if it's not complying with COPPA, then it's breaking the law... there's a lot of toys on the market [using AI] and there's a need to ensure that they're all complying."
The problem: there's no pre-clearance review of toys before they're sold. [11] Companies can sell privacy-violating toys until someone catches them.
The Amazon Alexa Problem
In 2023, the FTC found that Amazon had: [12]
- Ignored parents' requests to delete children's voice data
- Kept children's voice recordings and location data for years
- Violated COPPA (Children's Online Privacy Protection Act)
Amazon paid $25 million to settle. Many families use Alexa-enabled devices as baby monitors or in children's rooms, meaning kids' voices have been collected and retained for years without proper consent.
Types of Baby Monitors: Security Comparison
Safer Options
Audio-Only Monitors (Non-WiFi)
- No internet connection = no remote hacking
- Limited range reduces interception risk
- No video means less sensitive data
- Cannot be accessed from outside your home
FHSS (Frequency-Hopping) Monitors
- Rapidly switches frequencies, making interception difficult
- Often considered safest from hackers [4]
- Still local-only (no cloud)
- More expensive but more secure
Higher Risk Options
WiFi/IP Cameras
- Connected to your home network and internet
- Can be accessed remotely (by you, and potentially hackers)
- Often use cloud storage
- Most hack incidents involve these devices
Smart Monitors with Apps
- App may have excessive permissions
- Data transmitted to manufacturer servers
- Third-party integrations increase attack surface
- AI features may use your baby's data for training
How to Protect Your Family
If You Use a WiFi Baby Monitor
Immediate Steps
- Change the default password, use a strong, unique password
- Update firmware, check for security patches regularly
- Enable two-factor authentication if available
- Disable remote access if you don't need to view the monitor outside your home
- Check for unknown logins in the app's access history
Network Security
- Secure your WiFi with WPA3 or WPA2 and a strong password
- Create a separate network for IoT devices (guest network or VLAN)
- Disable UPnP on your router
- Keep router firmware updated
Ongoing Practices
- Turn off the camera when not needed
- Point it away from sensitive areas when possible
- Review app permissions and revoke unnecessary access
- Monitor for unusual behavior (camera moving on its own, LED lights when not in use)
Signs Your Baby Monitor May Be Hacked
- Camera moves or pans without your input
- Strange voices or sounds from the speaker
- LED indicator on when you're not using the app
- Settings changed that you didn't modify
- Unfamiliar devices in the app's access list
- Higher than normal data usage on your network
Safer Alternatives
- Non-WiFi monitors: Cannot be hacked remotely
- Local-only cameras: Store footage on SD card, no cloud
- Audio-only monitors: Less data to compromise
- Direct connection: Monitors that connect directly to a parent unit, not through your network
Smart Toys: What Parents Should Know
Before You Buy
- Research the manufacturer: Have they been fined for privacy violations?
- Check for an internet connection: Does the toy need WiFi to work?
- Read the privacy policy: What data is collected and where does it go?
- Look for encryption: Is data transmission secured?
- Consider "dumb" alternatives: Does the toy really need to be "smart"?
Connected Toy Red Flags
- Requires account creation with child's information
- Has microphone or camera capabilities
- Connects to servers in countries with weak privacy laws
- App requests excessive permissions
- No clear way to delete data
If Your Child Already Has Smart Toys
- Review what data has been collected in the app or account settings
- Disable features you don't need (especially microphones/cameras)
- Update firmware for security patches
- Consider disconnecting from WiFi if the toy works offline
- Delete data periodically if the option exists
What Needs to Change
A Cyber Resilience Act is in development in Europe that will require consumer IoT devices to be "cybersecure by design and by default." [13] But it won't require third-party security assessments, manufacturers will verify their own products.
What parents need:
- Pre-market security review: Test devices before they're sold, not after breaches
- Mandatory encryption: All baby monitors should encrypt video transmission
- No default passwords: Require unique passwords at setup
- Clear data practices: Obvious disclosure of what's collected and where it goes
- Automatic updates: Security patches installed without parent intervention
- COPPA enforcement: Actually fine companies that violate children's privacy
The Bottom Line
Baby monitors are being hacked. Smart toys violate children's privacy laws. And the footage from your nursery could end up anywhere.
The US baby monitor market will hit $740 million by 2033. Security researchers call hacking these devices "child's play." Parents have heard strangers speaking to their infants, and companies like Amazon have illegally retained children's voice data for years.
The FTC updated COPPA rules in 2025, but enforcement is reactive, toys can violate the law until someone catches them. There's no pre-clearance review.
To protect your family:
- Consider non-WiFi monitors if remote access isn't essential
- If using WiFi monitors: Change default passwords, update firmware, enable 2FA
- Secure your home network and isolate IoT devices
- Be skeptical of smart toys that require internet connections
- Disable microphones and cameras on toys when not needed
- Monitor for signs of compromise (camera movement, strange sounds)
The device watching over your baby should be working for you, not for hackers, advertisers, or anyone else. Until manufacturers prioritize security over features, parents have to fill that gap themselves.
References
- CBS Colorado - Colorado mom says she heard a stranger talking through her baby monitor (October 2025)
- THV11 - Searcy family says stranger spoke to baby through hacked monitor
- GlobeNewswire - United States Baby Monitor Forecast Report 2025: A $740 Million Market by 2033
- Baby Gear Essentials - Can a Baby Monitor Be Hacked? How To Protect Your Privacy
- NPR - S.C. Mom Says Baby Monitor Was Hacked; Experts Say Many Devices Are Vulnerable
- Bitdefender - Hacking these IoT baby monitors is child's play, researchers reveal
- TechPolicy.Press - How Secure Is a Smart Baby Monitor? Finding Out Is Far Too Difficult
- Euroconsumers - Baby beware: critical security flaws found in smart baby monitors
- FTC - FTC Takes Action Against Robot Toy Maker for Allowing Collection of Children's Data (September 2025)
- FTC - FTC Finalizes Changes to Children's Privacy Rule (January 2025)
- The Regulatory Review - Can Privacy Regulations Outsmart Smart Toys?
- Malwarebytes - Amazon's COPPA violations and children's data retention
- SEC Consult - Internet Of Babies - When Baby Monitors Fail To Be Smart