Updated

A parental webcam targeted at nursery schools was so poorly designed that anyone who downloaded its mobile app gained access to admin credentials, bypassing intended authentication, according to security pros – with one dad saying its creators brushed off his complaints about insecurities six years ago.
Anyone could have logged into Nurserycam's DVRs thanks to poor design choices – and a decision to "authenticate" logins by passing the device's admin username and password to parents, claimed a reverse engineer who looked into the matter.
Melissa Kao, a director of Footfallcam Ltd, the firm behind Nurserycam, insisted to The Register that what infosec researchers had found was "legacy non-functional codes" [sic] that were "there to distract hackers".
Footfallcam Ltd was recently seen on The Register after it threatened an infosec researcher with a baseless police report unless he deleted a Twitter thread pointing out one of its products' shortcomings.
Internet of Things security prober Andrew "Cybergibbons" Tierney published a warning to Nurserycam's users after realising how insecure the product was. He wrote: "These issues would allow any parent, past or present, to access the video feeds from the nursery. There is also the chance that anyone on the Internet could have accessed them."
Nurserycam is an internet-connected DVR with a port-forwarding firewall in front of it, taking its feed from CCTV cameras deployed inside nurseries and pointed at the children. The idea is to let parents monitor their children remotely. Several nurseries (daycare centres for preschool kids aged six months to five years) around the UK appear to have deployed the system, judging by search results for the Nurserycam name.
You get an admin password, you get an admin password, you too!
Tierney held that if a person knew the IP address for one of Nurserycam's DVRs, they could log into the device and view live camera feeds thanks to the system's poor design. They could even have viewed up to 18 months of footage featuring children and nursery workers, he added.
Tierney, who spoke extensively to The Register, explained in his blog: "For all parents connecting to a given nursery, they are given the same username and password for the DVR. In the examples I have been shown, the username is admin and the passwords are obvious words followed by 888. This means that the parents, past and present, have all been given the administrator password for the DVR."
We understand that the admin credentials were visible in the source of the webpage shown to parents using Nurserycam's web app to access the live camera feeds of children. Moreover, those admin passwords were not unique to each DVR.
Nurserycam's Kao insisted that the DVRs' default passwords were changed after installation. Tierney told El Reg that parent users of the app at different nurseries had confirmed to him this was not true.
Pattern of behaviour
A parent who spoke to The Register and asked not to be named said he had reported similar flaws to Nurserycam back in 2015 – and was brushed off by Kao. At the time, this father had realised that any Nurserycam video feed could be viewed by simply changing the URL in the web browser: a flaw known in infosec as an insecure direct object reference (IDOR) vulnerability.
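The IDOR flaw the father describes, as an added illustration (not code from Nurserycam, Footfallcam or the researchers): a feed lookup that trusts the feed id taken from the URL as proof of entitlement, beside a hardened lookup that resolves the caller from a per-parent session and only serves feeds belonging to that parent's nursery. The feed and session records, the `example.invalid` URLs and the token names are all constructed for the example; the denial counter at the end is one simple detection hook a defender could wire to alerting.

```javascript
// Added example, not the product's code. All records below are constructed.

// Which nursery each feed belongs to.
const FEEDS = {
  101: { nursery: "nursery-a", url: "rtsp://example.invalid/feed/101" },
  102: { nursery: "nursery-a", url: "rtsp://example.invalid/feed/102" },
  201: { nursery: "nursery-b", url: "rtsp://example.invalid/feed/201" },
};

// Per-parent sessions (instead of one shared admin credential). A parent
// whose child has left the nursery has an inactive session and loses access.
const SESSIONS = {
  "tok-parent-1": { parentId: "p1", nursery: "nursery-a", active: true },
  "tok-parent-2": { parentId: "p2", nursery: "nursery-b", active: true },
  "tok-parent-3": { parentId: "p3", nursery: "nursery-a", active: false },
};

// Vulnerable pattern (the flaw described in the article): once any session is
// present, the id in the URL is served without checking who owns that feed,
// so editing the id yields another nursery's camera.
function getFeedVulnerable(sessionToken, feedId) {
  const session = SESSIONS[sessionToken];
  if (!session) return { status: 401 };
  const feed = FEEDS[feedId];
  if (!feed) return { status: 404 };
  return { status: 200, url: feed.url }; // no ownership check here
}

// Record of denied object accesses, keyed by session token, for detection.
const denials = {};

// Hardened pattern: identify the caller from the session, require it to be
// active, and serve the feed only if it belongs to the caller's nursery.
// Unknown and foreign ids both return 404 so the response does not reveal
// which ids exist; each denial is counted against the session.
function getFeedHardened(sessionToken, feedId) {
  const session = SESSIONS[sessionToken];
  if (!session || !session.active) return { status: 401 };
  const feed = FEEDS[feedId];
  if (!feed || feed.nursery !== session.nursery) {
    denials[sessionToken] = (denials[sessionToken] || 0) + 1;
    return { status: 404 };
  }
  return { status: 200, url: feed.url };
}

// Detection hook: a session that keeps asking for ids it is not entitled to
// is worth flagging, regardless of whether the requests succeeded.
function countDenials(sessionToken) {
  return denials[sessionToken] || 0;
}

// Usage: the same request, parent 1 asking for nursery-b's feed 201.
console.log("vulnerable:", getFeedVulnerable("tok-parent-1", 201).status);
console.log("hardened:", getFeedHardened("tok-parent-1", 201).status);
```

The important design point is that the hardened version checks the relationship between the caller and the object on every request, rather than relying on the id being hard to guess or on the login page alone; the shared-password problem described elsewhere in the article is a separate failure, but it is what made the missing check reachable by every past and present parent.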
While the vuln was eventually fixed, the dad recounted to us how Kao had phoned him after his initial report direct to the company – and had initially refused to identify herself.
El Reg has reviewed evidence showing the firm seemed more concerned with knowledge of the flaws being made public than with remediation, similar to last week's Footfallcam debacle (where Kao's fellow Footfallcam Ltd director, Edward Wong, threatened an infosec bod with a police report unless he deleted Twitter criticism of another product's poor design). While there were no specific threats made, it appeared removing this criticism was of greater importance to the company than fixing its product's security shortcomings, which seemingly were still a problem six years later.
Controversies in the lively UK infosec world over insecure IoT products and poor responses by industry to security issues are not unusual. However, when live video feeds of young children are freely available online to anyone with just a little technical knowhow, the people behind that system have a moral imperative to act fast.
It is also important that end users of those products – nurseries and parents alike – are aware that Nurserycam's claims that its video streams were "safer than online banking" were simply not true.
While Footfallcam Ltd claims it has fixed the vulnerabilities Tierney (and others) highlighted, it appears, at the time of writing, that these fixes apply only a basic level of security that ought to have been in place for years.
We have asked the Information Commissioner's Office for comment.
A Twitter thread prompted by the controversies over this company's practices makes eye-opening reading, though The Register has not verified its contents.
Updated to add
An ICO spokesperson said: "Children's personal information – including images – requires specific protection under data protection law. Any company or organisation processing children's data must make sure they have appropriate security measures in place to protect this data, and should carry out a risk assessment beforehand.
"When an organisation buys in products or services that will be involved in the processing, they need to ensure that they choose ones that are designed with data protection in mind. This is part of a data protection by design approach and can help them to protect children's personal information. Organisations should consider these issues when doing their risk assessment."