Trusting criminals and baby monitors
Five Cyber Stories - May 17, 2026 - Issue 008
And we're back! Sorry for the pause last week, but I have returned with five cyber stories featuring more about the Canvas hack, vulnerable baby monitors, and yes, three more stories.
Let's get into it!
Negotiating with Cybercriminals
Reporting from Cyberscoop's Matt Kapko and The Register's Jessica Lyons
The demands: Though I paused the newsletter last week, I did manage to share the major story of Ed-Tech platform Canvas being compromised by hackers. This week, boy did the story continue. Canvas' parent company, Instructure, seemingly paid the demanded ransom to the group behind the breach, ShinyHunters, and both victim and culprit claim the data has been "returned" and deleted. Meanwhile, the U.S. House's Homeland Security Committee is seeking answers.
The receipts: There's a lot happening in this story. For starters, there's Instructure's assumed (though not fully confirmed) decision to pay the ransom. This goes against most cybersecurity experts' advice, as reported by TechCrunch's Zack Whittaker. Despite Instructure's claim of "... [receiving] digital confirmation of data destruction (shred logs)," there's no way to be 100% certain the data was truly deleted. Just ask victims of the PowerSchool hack and those who took down the ransomware gang Lockbit. To emphasize the risks, The Register's Jessica Lyons wrote a piece, "Nobody believes the 'criminals and scumbags' who hacked Canvas really deleted stolen student data," which highlights the character of some ransomware hackers:
"Other ransomware scum have gone to horrifying extremes, posting pictures and addresses of preschool children in an effort to get a payday, leaking cancer patients’ nude photos and threatening them with swatting attacks.
Mandiant Consulting CTO Charles Carmakal previously told The Register that ransomware infections have morphed into 'psychological attacks' with crooks SIM swapping executives’ kids to pressure their parents into paying."
The Verge's Jess Weatherbed additionally raises ($) "...the question of how said data was also 'returned'..." I'm also very curious about that element of the story. This is a digital crime after all. Did they mail Instructure a hard drive?
More seriously, Jessica Lyons reported in an earlier article that Congress would like a briefing on the situation directly from Instructure. She notes that this is the second ShinyHunters-initiated cyberattack related to Instructure in less than a year.
It's stories like this that once again prove this newsletter's thesis. Cybersecurity affects everyone. It's tempting to dismiss these types of attacks and data breaches as someone else's problem reserved for the world of "nerds," but the type of data involved (usernames, email addresses, course names, enrollment information, and messages) can have major consequences on students' lives. Cynthia Kaiser of Halcyon's Ransomware Research Center says the company expects there to be "waves" of phishing attacks as a result of this hack.
I can imagine messages to and from students and teachers regarding grades or coursework could contain very personal information. We owe it to ourselves to take these types of cyberattacks seriously.

Who is watching the baby?
Reporting from The Verge's Sean Hollister
Baby cam: The same security researcher who discovered security issues with DJI's Romo vacuums ($) is back with another disturbing cyber vulnerability. Sammy Azdoufal writes on GitHub that he originally looked into a baby monitor's security for a colleague, and he uncovered 1.1 million exposed cameras including baby monitors. This included thousands of images from said cameras publicly accessible via the open web. Azdoufal also claims:
"None of this looks like a platform that took a wrong turn. It looks like a platform built to harvest customer data at scale, secured by defaults that nobody on the inside ever planned to [update]."
Privacy monitor: Though many of the security issues now appear to be fixed, I recommend never having an internet-enabled camera in one's house. It's stories like this that affirm that take. If you own cameras branded for "...(Arenti, BOIFUN, COCOCAM, PetTec, SV3C, Joystek, Luvion, Vimar, etc)...", researcher Azdoufal gives these recommendations:
If you own a CloudEdge camera, or one of the 300+ white-label brands sharing com.meari.sdk (Arenti, BOIFUN, COCOCAM, PetTec, SV3C, Joystek, Luvion, Vimar, etc.), this is you. Easier test: open your camera's app, check what hostname it talks to. If it's apis.meari.com.cn or mqtts*.meari.com.cn, this is you.
The MQTT and OSS findings are platform-side. A firmware update on your device won't fix them. The fix has to come from Meari, on the broker. You can't do it from the camera.
What you can do: physically unplug the camera when you're not using it. Pointed at a wall, it can't leak what it can't see.
What you should not do: assume "it's password-protected" means it's not on a wildcard subscribe. The password protects you from logging in. It doesn't stop the broker from broadcasting your device's events to anyone with their own account.
Baby monitors specifically (firmID=8, Baby6 family): every alert snapshot the camera ever uploaded is recoverable and decryptable from public information (CVE-2026-33359 + CVE-2026-33361). You can't delete those from the cloud as a customer. Retention policy is the vendor's.
Doorbells: same as above for snapshots. Cloud video segments also broadcast on the same MQTT channel.
EU residents wanting to file a GDPR complaint: relevant authorities are CNIL (France), AEPD (Spain), BfDI (Germany), Garante (Italy). The brand on your box doesn't change which authority is competent. Your country of residence does.
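
For readers who run a Pi-hole or a router with dnsmasq-style DNS query logging, here is one way to apply the hostname test quoted above across a whole home network. This is an added example, not code from Azdoufal's write-up; the log format is an assumption about your setup, and the sample log lines, IP addresses and the specific `mqtts` hostnames are constructed.

```python
import re
from collections import defaultdict
from fnmatch import fnmatch

# Hostname patterns quoted in the researcher's advice above.
MEARI_PATTERNS = ("apis.meari.com.cn", "mqtts*.meari.com.cn")

# dnsmasq / Pi-hole query line: "... query[TYPE] <name> from <client-ip>"
QUERY_RE = re.compile(r"query\[\w+\]\s+(\S+)\s+from\s+(\S+)")

# Constructed sample log lines (not real traffic); IPs are placeholders.
SAMPLE_LOG = """\
May 17 09:12:01 dnsmasq[812]: query[A] apis.meari.com.cn from 192.168.1.57
May 17 09:12:01 dnsmasq[812]: forwarded apis.meari.com.cn to 9.9.9.9
May 17 09:12:03 dnsmasq[812]: query[A] MQTTS-EU.meari.com.cn. from 192.168.1.57
May 17 09:12:09 dnsmasq[812]: query[AAAA] example.org from 192.168.1.20
May 17 09:13:40 dnsmasq[812]: query[A] mqtts.meari.com.cn from 192.168.1.88
May 17 09:14:02 dnsmasq[812]: query[A] apis.meari.com.cn.lookalike.example from 192.168.1.20
"""


def is_meari_host(name: str) -> bool:
    """Whole-name match, case-insensitive, ignoring a trailing root dot."""
    host = name.lower().rstrip(".")
    return any(fnmatch(host, pattern) for pattern in MEARI_PATTERNS)


def devices_talking_to_meari(log_text: str) -> dict[str, set[str]]:
    """Map each client IP to the set of Meari hostnames it looked up."""
    hits: dict[str, set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        match = QUERY_RE.search(line)
        if match and is_meari_host(match.group(1)):
            hits[match.group(2)].add(match.group(1).lower().rstrip("."))
    return dict(hits)


if __name__ == "__main__":
    for ip, hosts in sorted(devices_talking_to_meari(SAMPLE_LOG).items()):
        print(f"{ip}: {', '.join(sorted(hosts))}")
```

Any IP address it prints belongs to a device worth unplugging when not in use, per the advice above.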

Lots of vibes
Reporting from The Verge's David Pierce and Wired's Andy Greenberg.
Vibe coding: The Verge's David Pierce wrote a great piece this week about the "personal software revolution." Over the past year (or so), new A.I. agents such as Anthropic's Claude Code and OpenAI's ChatGPT Codex have allowed people who can't code to make their own software. These agents’ capabilities have given rise to "vibe coding" as coined by Andrej Karpathy. The practice uses AI LLMs or chatbots to empower anyone to make/generate software that meets their specific needs or use case.
Vibe consequences: While I largely think "vibe coding" has a robust future, I wanted to reshare another article from last week. Andy Greenberg at Wired wrote how "Thousands of Vibe-Coded Apps" were essentially leaking data ($), and this leaked data included "medical information." The A.I. agents doing the coding failed to incorporate cybersecurity best practices into the vibe coded applications. Add these security flaws to the fact that A.I. tools are getting ever better at empowering hackers, and the privacy implications become an urgent issue. While I've anecdotally found most users' default belief is that their software is safe, vibe coding makes it even more important to question any application's security.

David Pierce writes, "Your bespoke apps don’t come with a support line or a customer service team. They haven’t been thoroughly tested and make no security guarantees." He goes on to say those vulnerabilities are why it's unlikely big corporations will hop on the vibe coding trend anytime soon. Also, while we’re on the subject of privacy and chatbots, legal advice entered into a chatbot may not be considered protected under attorney-client privilege.
So, whether it's a note taking app or a check-list for your vacation, it's important to consider the security of vibe coded apps. If you're ever using or making a vibe-coded app in the future, here's my quick list of questions to consider:
- Am I comfortable with the information in this custom app leaking?
- Do I own all of the information in this vibe coded app?
- Is this app disconnected from the wider internet?
If you answered yes to all of these questions, vibe code away! And if not, maybe just take a second (even two or three) to consider the pros and cons.

Out foxed ($)
Reporting from Wired's Lily Hay Newman
The conn: Foxconn confirmed this week that it suffered a cyberattack at some of its North American factories. The company is famous for manufacturing as much as "...70 percent of iPhones" ($). Nitrogen group, the party claiming responsibility for the attack, says it has stolen data ($) related to manufacturing jobs for Apple, Google, Nvidia and others. BleepingComputer's Sergiu Gatlan featured a screenshot of the hackers' alleged "proof of leakage," though Halcyon's Cynthia Kaiser told Cyberscoop's Matt Kapko that there are some doubts about the proof.
Affecting your pocket: Though details are scarce, this story is another great reminder of how digital disruptions can jump into the physical realm. I've written about cybersecurity affecting iPhones' software, and now, this cyberattack is potentially affecting iPhones' hardware. That's just the Apple angle. Foxconn is one of the largest manufacturers on the planet, and this could affect numerous other companies including Intel, AMD, Dell, and more, in addition to those already mentioned.

Hacked by theft ($)
Reporting from Wired's Matt Burgess
Lost phone: There's an entire industry devoted to reselling and hacking stolen iPhones. Though physical theft is as old as time, Wired's Matt Burgess recently reported ($) on Infoblox's findings showcasing the digital theft element. Dan Guido, the CEO of Trail of Bits, tells Burgess, "...a stolen phone may only be worth $50 to $200 when it is locked. 'But if you unlock it, it’s worth $500, or it’s worth $1,000.'" The article goes on to describe some of the tools and methods thieves are utilizing to break into stolen iPhones, including phishing kits, which automate phishing attacks.
Found security features: While I assume we all try to avoid having our phones stolen or misplaced, there is something we can do to protect iPhones from being hacked in the case of theft. Enabling iOS's Stolen Device Protection setting makes it harder for thieves to exploit stolen phones. For a quick how-to guide to turn on the feature, check out this video starting at the 1:20 mark.
Wrap up
That's the end of my five cyber stories for this week, but before I go, here's a quick list of interesting reads from this week in cyber security news:
- Venmo becomes more private by default ($) - The Verge's Jay Peters
- An update ($) on Yarbo's lawn mowers mentioned last week - The Verge's Sean Hollister
- Air Force One's instructions regarding souvenirs from the President's recent trip to China - TechCrunch's Lorenzo Franceschi-Bicchierai
- Face palm worthy social engineering - The Register's Avram Piltch
- iPhones to offer more secure messaging for RCS ($) - Wired's Reece Rogers
- Forza Horizon 6 leaked ($) - The Verge's Tom Warren
- Iran suspected for hacking gas station "tank readers" - CNN's Sean Lyngaas
See you next week!
Danny