Nurserycam horror show: 'Secure' daycare video monitoring product beamed DVR admin creds to all users

Company has a habit of reacting badly to vuln disclosures


Updated

A parental webcam targeted at nursery schools was so poorly designed that anyone who downloaded its mobile app gained access to admin credentials, bypassing intended authentication, according to security pros – with one dad saying its creators brushed off his complaints about insecurities six years ago.

Anyone could have logged into Nurserycam's DVRs thanks to poor design choices – and a decision to "authenticate" logins by passing the device's admin username and password to parents, claimed a reverse engineer who looked into the matter.

Melissa Kao, a director of Footfallcam Ltd, the firm behind Nurserycam, insisted to The Register that what infosec researchers had found was "legacy non-functional codes" [sic] that were "there to distract hackers".

Footfallcam Ltd was recently seen on The Register after it threatened an infosec researcher with a baseless police report unless he deleted a Twitter thread pointing out one of its products' shortcomings.

Internet of Things security prober Andrew "Cybergibbons" Tierney published a warning to Nurserycam's users after realising how insecure the product was. He wrote: "These issues would allow any parent, past or present, to access the video feeds from the nursery. There is also the chance that anyone on the Internet could have accessed them."

Nurserycam is an internet-connected DVR with a port-forwarding firewall in front of it, taking its feed from CCTV cameras deployed inside nurseries and pointed at the children. The idea is to let parents monitor their children remotely. Several nurseries (daycare centres for preschool kids aged six months to five years) around the UK appear to have deployed the system, judging by search results for the Nurserycam name.

You get an admin password, you get an admin password, you too!

Tierney held that if a person knew the IP address for one of Nurserycam's DVRs, they could log into the device and view live camera feeds thanks to the system's poor design. They could even have viewed up to 18 months of footage featuring children and nursery workers, he added.

Tierney, who spoke extensively to The Register, explained in his blog: "For all parents connecting to a given nursery, they are given the same username and password for the DVR. In the examples I have been shown, the username is admin and the passwords are obvious words followed by 888. This means that the parents, past and present, have all been given the administrator password for the DVR."

We understand that the admin credentials were visible in the source of the webpage shown to parents using Nurserycam's web app to access the live camera feeds of children. Moreover, those admin passwords were not unique to each DVR.

Nurserycam's Kao insisted that the DVRs' default passwords were changed after installation. Tierney told El Reg that parent users of the app at different nurseries had confirmed to him this was not true.

Pattern of behaviour

A parent who spoke to The Register and asked not to be named said he had reported similar flaws to Nurserycam back in 2015 – and was brushed off by Kao. At the time, this father had realised that any Nurserycam video feed could be viewed by simply changing the URL in the web browser: a flaw known in infosec as an insecure direct object reference (IDOR) vulnerability.
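The two design failures described above (a shared DVR admin credential handed to every client, and a feed lookup that trusts whatever identifier the browser sends) can be contrasted with the shape of a fix. The following is an added illustration, not Nurserycam's or Footfallcam's code; the gateway, the parent identifiers and the credentials are constructed placeholders.

```python
import secrets
from dataclasses import dataclass, field

# Constructed sample data (not the real deployment): per-DVR admin credentials held
# only on the gateway, and which parent is entitled to which nursery's feed.
DVR_ADMIN_CREDENTIALS = {
    "nursery-1": ("admin", "PLACEHOLDER-unique-secret-1"),
    "nursery-2": ("admin", "PLACEHOLDER-unique-secret-2"),
}
ENTITLEMENTS = {"parent-alice": {"nursery-1"}, "parent-bob": {"nursery-2"}}


@dataclass
class FeedGateway:
    """Hypothetical gateway in front of the DVRs; maps session tokens to parents."""
    sessions: dict = field(default_factory=dict)

    def login(self, parent_id: str) -> str:
        # Each parent gets a random per-session token; no DVR credential leaves the server.
        token = secrets.token_urlsafe(32)
        self.sessions[token] = parent_id
        return token

    def feed_vulnerable(self, token: str, nursery: str) -> str:
        # IDOR: only login state is checked, so any parent can view any nursery by
        # editing the identifier, and the DVR admin credential is sent to the client.
        if token not in self.sessions:
            raise PermissionError("not logged in")
        user, password = DVR_ADMIN_CREDENTIALS[nursery]
        return f"rtsp://{user}:{password}@{nursery}/live"

    def feed_fixed(self, token: str, nursery: str) -> str:
        # Authorisation is checked against the object requested, not just login state,
        # and the gateway relays the stream so the DVR credential is never exposed.
        parent = self.sessions.get(token)
        if parent is None:
            raise PermissionError("not logged in")
        if nursery not in ENTITLEMENTS.get(parent, set()):
            raise PermissionError(f"{parent} is not entitled to {nursery}")
        _dvr_login = DVR_ADMIN_CREDENTIALS[nursery]  # used server-side only, to open upstream
        return f"/relay/{nursery}?session={token}"


def leaks_dvr_credential(client_visible: str) -> bool:
    """True if anything handed to a client contains a DVR admin password."""
    return any(pw in client_visible for _, pw in DVR_ADMIN_CREDENTIALS.values())
```

The same `leaks_dvr_credential` check, run over the HTML and JavaScript a web app actually serves, is a cheap acceptance test for the "credentials in page source" problem described above.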

While the vuln was eventually fixed, the dad recounted to us how Kao had phoned him after his initial report direct to the company – and had initially refused to identify herself.

El Reg has reviewed evidence showing the firm seemed more concerned with knowledge of the flaws being made public than with remediation, similar to last week's Footfallcam debacle (where Kao's fellow Footfallcam Ltd director, Edward Wong, threatened an infosec bod with a police report unless he deleted Twitter criticism of another product's poor design). While no specific threats were made, removing this criticism appeared to matter more to the company than fixing its product's security shortcomings, which seemingly were still a problem six years later.

Controversies in the lively UK infosec world over insecure IoT products and poor responses by industry to security issues are not unusual. However, when live video feeds of young children are freely available online to anyone with just a little technical knowhow, the people behind that system have a moral imperative to act fast.

It is also important that end users of those products – nurseries and parents alike – are aware that Nurserycam's claims that its video streams were "safer than online banking" were simply not true.

While Footfallcam Ltd claims it has fixed the vulnerabilities Tierney (and others) highlighted, it appears, at the time of writing, that these fixes apply only a basic level of security that ought to have been in place for years.

We have asked the Information Commissioner's Office for comment. ®

Bootnote

A Twitter thread prompted by the controversies over this company's practices makes eye-opening reading, though The Register has not verified its contents.

Updated to add

An ICO spokesperson said: "Children's personal information – including images – requires specific protection under data protection law. Any company or organisation processing children's data must make sure they have appropriate security measures in place to protect this data, and should carry out a risk assessment beforehand.

"When an organisation buys in products or services that will be involved in the processing, they need to ensure that they choose ones that are designed with data protection in mind. This is part of a data protection by design approach and can help them to protect children's personal information. Organisations should consider these issues when doing their risk assessment."
