UK's National Cyber Security Centre sidles in to help firm behind hacked NurseryCam product secure itself

Plus: User passwords were stored in plain text after all

The UK's National Cyber Security Centre is now helping IoT gadget firm FootfallCam Ltd secure product lines following the recent digital burglary of its nursery webcam operation.

Company director Melissa Kao confirmed to The Register that the NCSC, a sibling of UK spy agency GCHQ, was helping the company shore up security after its NurseryCam product was hacked last week.

"We are aware of this incident and working to fully understand its impact," an NCSC spokesman told The Register.

FootfallCam Ltd is the operator of the NurseryCam brand of web-connected camera services. As its name suggests, NurseryCam is a product deployed in daycare centres so parents can have a look at how junior is getting on.

The company needs NCSC's help: although we previously reported that users' passwords were hashed in storage, emails from the company shown to The Register by horrified parents confirmed that they were, in fact, being stored without any encryption at all.

"It was a design decision to store passwords in plaintext, which was used for image decryption. The same practice is also made in platforms such as Facebook, Twitter and GitHub," said an email from the firm, adding: "Moving forward, we will be changing to using hashed passwords to improve security measures."

The Register was contacted last week by a hacker who said he had obtained copies of usernames, passwords, users' forenames and surnames, and registered email addresses. On top of that, he also claimed to have accessed the rest of FootfallCam Ltd's web services – including those of its sister company, Meta Technologies.

The point of access was, we were told, a poorly secured Odoo business apps server instance that used a default admin password for its web interface, seemingly relying on security through obscurity.

He told The Register: "Though operating the admin panel requires a password, that password is the same as the default password documented on the main page of the admin panel."

IoT infosec researcher Andrew Tierney, who closely scrutinised the NurseryCam product, confirmed to The Register that the Odoo instance existed not long after we were tipped off about it, though it has since been made inaccessible.

Footfallcam first came to our attention earlier this month after a spat between Laurens Leemans of SignIPS, who analysed a sample of the firm's Footfallcam 3D Plus product, and the firm itself, which had threatened him with a police report unless he deleted tweets he'd made criticising the product's design.

The NCSC has yet to respond to The Register's request for additional comment. ®

Similar topics

Other stories you might like

  • Research finds consumer-grade IoT devices showing up... on corporate networks

    Considering the slack security of such kit, it's a perfect storm

    Increasing numbers of "non-business" Internet of Things devices are showing up inside corporate networks, Palo Alto Networks has warned, saying that smart lightbulbs and internet-connected pet feeders may not feature in organisations' threat models.

    According to Greg Day, VP and CSO EMEA of the US-based enterprise networking firm: "When you consider that the security controls in consumer IoT devices are minimal, so as not to increase the price, the lack of visibility coupled with increased remote working could lead to serious cybersecurity incidents."

    The company surveyed 1,900 IT decision-makers across 18 countries including the UK, US, Germany, the Netherlands and Australia, finding that just over three quarters (78 per cent) of them reported an increase in non-business IoT devices connected to their org's networks.

    Continue reading
  • Huawei appears to have quenched its thirst for power in favour of more efficient 5G

    Never mind the performance, man, think of the planet

    MBB Forum 2021 The "G" in 5G stands for Green, if the hours of keynotes at the Mobile Broadband Forum in Dubai are to be believed.

    Run by Huawei, the forum was a mixture of in-person event and talking heads over occasionally grainy video and kicked off with an admission by Ken Hu, rotating chairman of the Shenzhen-based electronics giant, that the adoption of 5G – with its promise of faster speeds, higher bandwidth and lower latency – was still quite low for some applications.

    Despite the dream five years ago, that the tech would link up everything, "we have not connected all things," Hu said.

    Continue reading
  • What is self-learning AI and how does it tackle ransomware?

    Darktrace: Why you need defence that operates at machine speed

    Sponsored There used to be two certainties in life - death and taxes - but thanks to online crooks around the world, there's a third: ransomware. This attack mechanism continues to gain traction because of its phenomenal success. Despite admonishments from governments, victims continue to pay up using low-friction cryptocurrency channels, emboldening criminal groups even further.

    Darktrace, the AI-powered security company that went public this spring, aims to stop the spread of ransomware by preventing its customers from becoming victims at all. To do that, they need a defence mechanism that operates at machine speed, explains its director of threat hunting Max Heinemeyer.

    According to Darktrace's 2021 Ransomware Threat Report [PDF], ransomware attacks are on the rise. It warns that businesses will experience these attacks every 11 seconds in 2021, up from 40 seconds in 2016.

    Continue reading

Biting the hand that feeds IT © 1998–2021