NurseryCam hacked, company shuts down IoT camera service

Real names, usernames, and what appeared to be SHA-1 hashed passwords* exposed

Updated Daycare camera product NurseryCam was hacked late last week, with the person behind the digital break-in coming forward to tip us off.

News of NurseryCam's compromise was conveyed to the company by The Register just after 5pm on Friday, leading the firm to tell parents: "On 17:18 Friday 19th February 2021, it has come to our attention of a cyber incident detected in our NurseryCam system."

The BBC reported the news on Saturday, following NurseryCam's emailed notification to its parent users. Around 40 nurseries across the UK use the service, according to the Beeb.

The service was suspended on Saturday in order to lock it down. It was still down at the time of publication.

A spokesperson for the UK's data watchdog, the Information Commissioner's Office (ICO), told The Reg today: "NurseryCam has reported a possible data breach to us and we will be assessing the information provided."

El Reg reported on the company's security shortcomings last week after its inappropriate attempts to strong-arm an infosec researcher into deleting a Twitter thread detailing vulnerabilities in its FootfallCam product.

Names, email addresses, login credentials dumped online

A hacker contacted El Reg on Friday to say they had obtained real names, usernames, passwords and email addresses for 12,000 NurseryCam users' accounts – and had then dumped them online (although the individual apparently went to the trouble of hashing the passwords with the SHA-1 algorithm for the dump. It's worth mentioning here that using SHA-1 for hashing is not recommended because of its vulnerability to collision attacks, and most vendors have dropped support for the 160-bit hash function*.)
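To make the hashing aside concrete, here is an added example (not NurseryCam's code, nor anything recovered from the dump) contrasting an unsalted, single-pass SHA-1 digest with a salted, iterated password hash. It uses only Python's standard library: `hashlib.pbkdf2_hmac` with the iteration count OWASP recommends for PBKDF2-HMAC-SHA256, and `hmac.compare_digest` for a constant-time check. The storage format string and the sample passwords are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# OWASP's current guidance for PBKDF2-HMAC-SHA256; tune upward as hardware
# gets faster. Constructed constant for this example.
ITERATIONS = 600_000


def unsalted_sha1(password: str) -> str:
    """What a bare SHA-1 password store looks like. There is no salt and one
    fast hash call, so two users with the same password share a digest and
    the digest can be matched against precomputed tables. Shown only to
    illustrate the weakness; never store passwords this way."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm, iteration count, salt and
    derived key, so the parameters can be raised later without a migration
    table. The record format is an assumption of this example."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count and compare in
    constant time, so a mismatch leaks nothing about where it occurred."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    # Constructed sample passwords for two hypothetical parent accounts.
    a, b = "correct horse battery", "correct horse battery"
    print("unsalted SHA-1 collides for equal passwords:",
          unsalted_sha1(a) == unsalted_sha1(b))
    rec_a, rec_b = hash_password(a), hash_password(b)
    print("salted records differ for equal passwords:", rec_a != rec_b)
    print("verify good password:", verify_password(a, rec_a))
    print("verify wrong password:", verify_password("wrong", rec_a))
```

The point the update at the foot of this article underlines is that none of this helps if the database holds plaintext: the salted record is what should have been on disk, and a SHA-1 digest applied afterwards by whoever dumped the data offers the users no protection.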

Although this person claimed to have "redacted" those details, the redaction was so poor it was trivial to figure out the real names and contact details of NurseryCam's parent users. El Reg, together with IoT security expert Andrew Tierney, verified that the credentials were genuine before notifying NurseryCam of the breach. The company began emailing parents the following day after taking its cameras offline.

NurseryCam is produced and maintained by two companies: FootfallCam Ltd and Meta Technologies Ltd, both UK-registered businesses.

Melissa Kao, a director of FootfallCam Ltd and Meta Technologies, told the BBC: "The person who identified the loophole has so far acted responsibly.

"He stated he has no intention to use this to do any harm [and] wants to see NurseryCam raise the overall standards of our security measures."

She confirmed to The Reg that work was underway to secure the product.

The firm was warned multiple times

A FootfallCam corporate customer who asked not to be named said: "Over the four years we have had the devices we have highlighted some other issues to FootfallCam. At one point the FTP server which houses the 'verification videos' was publicly available."

The customer added that he was able to browse "data for other customers" by simply changing URL parameters in his browser – a textbook description of an insecure direct object reference (IDOR) vulnerability. He showed The Register a link which returned raw JSON exposing information about the FootfallCam user database schema.

"Literally sub in the ******** and ******…" said the aghast customer, adding: "Although the company name is part of the URL, it seems to make zero difference."

Several thousand variations of the URL responded to unauthenticated web queries with valid JSON, we are told.
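The customer's account describes two things a defender can act on: an endpoint that trusts the identifier in the URL without checking who is asking (an IDOR), and a client that walks thousands of URL variations. The following added example, written for this article and not FootfallCam's code, shows the unscoped lookup beside an ownership-checked one, and a small detector that flags a client requesting an unusual number of distinct record ids in an access log. The tenant names, record store, log format and threshold are all constructed assumptions.

```python
from collections import defaultdict
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Constructed sample store: record id -> (owning tenant, payload).
# Hypothetical tenants and figures; nothing here is FootfallCam data.
RECORDS = {
    101: ("acme", {"site": "Acme High St", "footfall": 42}),
    102: ("acme", {"site": "Acme Mall", "footfall": 17}),
    201: ("globex", {"site": "Globex HQ", "footfall": 9}),
}


def vulnerable_lookup(tenant_in_url: str, record_id: int) -> Tuple[int, Optional[dict]]:
    """The pattern the customer described: the tenant name sits in the URL
    but is never compared with the record's owner, and no session is checked,
    so any existing id is returned to anyone who asks (an IDOR)."""
    row = RECORDS.get(record_id)
    if row is None:
        return 404, None
    return 200, row[1]


def hardened_lookup(session_tenant: Optional[str], record_id: int) -> Tuple[int, Optional[dict]]:
    """Authenticate, then authorise: the record is returned only if it belongs
    to the tenant bound to the caller's session. Missing and foreign records
    get the same answer so the endpoint cannot confirm which ids exist."""
    if session_tenant is None:
        return 401, None
    row = RECORDS.get(record_id)
    if row is None or row[0] != session_tenant:
        return 404, None
    return 200, row[1]


def detect_enumeration(log_text: str, threshold: int = 50) -> List[str]:
    """Flag clients that fetched more than `threshold` distinct record ids
    successfully. A real customer touches a handful of its own ids; a scraper
    walks the id space. Log lines are 'client status path' (constructed
    format); the threshold must be tuned against genuine traffic."""
    ids_by_client = defaultdict(set)
    for line in log_text.splitlines():
        client, status, path = line.split()
        if status != "200":
            continue
        query = urlparse(path).query
        for rid in parse_qs(query).get("id", []):
            ids_by_client[client].add(rid)
    return sorted(c for c, ids in ids_by_client.items() if len(ids) > threshold)


def _build_sample_log() -> str:
    """Constructed access log: one ordinary client and one walking ids 1..300
    on an endpoint that, like the one described above, answers every id."""
    lines = [
        "203.0.113.5 200 /api/acme/report?id=101",
        "203.0.113.5 200 /api/acme/report?id=102",
    ]
    lines += [f"198.51.100.9 200 /api/acme/report?id={i}" for i in range(1, 301)]
    return "\n".join(lines)


SAMPLE_LOG = _build_sample_log()


if __name__ == "__main__":
    print("unscoped lookup, globex asking for acme's record:", vulnerable_lookup("globex", 101))
    print("scoped lookup, same request:", hardened_lookup("globex", 101))
    print("scoped lookup, no session:", hardened_lookup(None, 101))
    print("clients flagged for enumeration:", detect_enumeration(SAMPLE_LOG))
```

The fix is the ownership comparison, not hiding or randomising the id: the session decides which tenant's rows are visible, and the id only selects among those. The detector is a coarse first signal; in practice it belongs alongside rate limiting and per-tenant request counts at the API gateway.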

Meanwhile, a NurseryCam user told us he had reported vulns in that product to the company in 2020 and had received an unsatisfactory response. Other parents told El Reg they had reported insecurities in the years 2015 and 2019. Both independently said that the specific problems they highlighted were patched. ®

* Updated at 11:41 UTC on 25 February 2021 to add:

This article has been updated from an earlier version that said SHA-1 hashed passwords had been exposed; that was because the passwords appeared to be hashed in the data dump. The Register has since been informed by our sources that the passwords had in fact been stored in plaintext.
