NurseryCam hacked, company shuts down IoT camera service
Real names, usernames, and what appeared to be SHA-1 hashed passwords* exposed
Updated Daycare camera product NurseryCam was hacked late last week, with the person behind the digital break-in coming forward to tip us off.
News of NurseryCam's compromise was conveyed to the company by The Register just after 5pm on Friday, leading the firm to tell parents: "On 17:18 Friday 19th February 2021, it has come to our attention of a cyber incident detected in our NurseryCam system."
The BBC reported the news on Saturday, following NurseryCam's emailed notification to its parent users. Around 40 nurseries across the UK use the service, according to the Beeb.
The service was suspended on Saturday in order to lock it down. It was still down at the time of publication.
A spokesperson for the UK's data watchdog, the Information Commissioner's Office (ICO), told The Reg today: "NurseryCam has reported a possible data breach to us and we will be assessing the information provided."
El Reg reported on the company's security shortcomings last week after its inappropriate attempts to strongarm an infosec researcher into deleting a Twitter thread detailing vulnerabilities in its FootfallCam product.
Names, email addresses, login credentials dumped online
A hacker contacted El Reg on Friday to say they had obtained real names, usernames, passwords and email addresses for 12,000 NurseryCam users' accounts – and had then dumped them online. The individual apparently went to the trouble of hashing the passwords with the SHA-1 algorithm for the dump. It's worth mentioning here that SHA-1 is not recommended for hashing because of its vulnerability to collision attacks, and most vendors have dropped support for the 160-bit hash function; being a fast general-purpose hash rather than a dedicated password-hashing function, it also offers little resistance to offline cracking*.
Although this person claimed to have "redacted" those details, the redaction was so poor it was trivial to figure out the real names and contact details of NurseryCam's parent users. El Reg, together with IoT security expert Andrew Tierney, verified that the credentials were genuine before notifying NurseryCam of the breach. The company began emailing parents the following day after taking its cameras offline.
NurseryCam is produced and maintained by two companies: FootfallCam Ltd and Meta Technologies Ltd, both UK-registered businesses.
Melissa Kao, a director of FootfallCam Ltd and Meta Technologies, told the BBC: "The person who identified the loophole has so far acted responsibly.
"He stated he has no intention to use this to do any harm [and] wants to see NurseryCam raise the overall standards of our security measures."
She confirmed to The Reg that work was underway to secure the product.
The firm was warned multiple times
A FootfallCam corporate customer who asked not to be named said: "Over the four years we have had the devices we have highlighted some other issues to FootfallCam. At one point the FTP server which houses the 'verification videos' was publicly available."
The customer added that he was able to browse "data for other customers" by simply changing URL parameters in his browser – a textbook description of an insecure direct object reference (IDOR) vulnerability. He showed The Register a link which returned raw JSON exposing information about the FootfallCam user database schema.
"Literally sub in the ******** and ******…" said the aghast customer, adding: "Although the company name is part of the URL, it seems to make zero difference."
Several thousand variations of the URL responded to unauthenticated web queries with valid JSON, we are told.
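As an added illustration (not code from NurseryCam, FootfallCam or The Register), here is a minimal record lookup that behaves the way the customer describes, where the company name in the URL "makes zero difference", beside a tenant-scoped version that checks both the caller's session and the record's owner. The tenant names, ids and addresses are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data (not real NurseryCam data): records keyed by a
# numeric id, each belonging to one tenant (a nursery / corporate customer).
RECORDS = {
    101: {"tenant": "acme-nursery", "email": "parent1@example.invalid"},
    102: {"tenant": "acme-nursery", "email": "parent2@example.invalid"},
    201: {"tenant": "other-nursery", "email": "parent3@example.invalid"},
}


@dataclass
class Session:
    """An authenticated caller; a None session stands for an anonymous request."""
    tenant: str


def lookup_vulnerable(session: Optional[Session], tenant_in_url: str,
                      record_id: int) -> Optional[dict]:
    """The behaviour the customer described: the tenant name is part of the URL
    but never checked, no session is required, and the record is served by id
    alone. Any id that exists comes back, whoever asks."""
    return RECORDS.get(record_id)


def lookup_hardened(session: Optional[Session], tenant_in_url: str,
                    record_id: int) -> Optional[dict]:
    """Authenticate first, then authorize the specific object: the session
    tenant must match the URL tenant and the record must belong to it. Every
    failure returns None (a 404 to the client) so a probe cannot distinguish
    'no such id' from 'not your record'."""
    if session is None or session.tenant != tenant_in_url:
        return None
    record = RECORDS.get(record_id)
    if record is None or record["tenant"] != session.tenant:
        return None
    return record


def count_exposed(lookup, session: Optional[Session], tenant_in_url: str,
                  id_range: range) -> int:
    """Exposure check an operator can run against their own endpoint: how many
    ids in id_range return data for this caller. The article's symptom is
    thousands of URL variations answering unauthenticated queries with JSON."""
    return sum(lookup(session, tenant_in_url, rid) is not None
               for rid in id_range)
```

With the vulnerable lookup an anonymous caller gets every record in the range; with the hardened one an anonymous caller gets nothing and an authenticated caller sees only their own tenant's records.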
Meanwhile, a NurseryCam user told us he had reported vulns in that product to the company in 2020 and had received an unsatisfactory response. Other parents told El Reg they had reported insecurities in the years 2015 and 2019. Both independently said that the specific problems they highlighted were patched. ®
* Updated at 11:41 UTC on 25 February 2021 to add:
This article has been updated from an earlier version which said that SHA-1 hashed passwords had been exposed; that was because they appeared hashed in the data dump. The Register has since been informed by our sources that the passwords had in fact been stored in plaintext.