UK's National Cyber Security Centre sidles in to help firm behind hacked NurseryCam product secure itself

The UK's National Cyber Security Centre is now helping IoT gadget firm FootfallCam Ltd secure product lines following the recent digital burglary of its nursery webcam operation.

Company director Melissa Kao confirmed to The Register that the NCSC, a sibling of UK spy agency GCHQ, was helping the company shore up security after its NurseryCam product was hacked last week.

"We are aware of this incident and working to fully understand its impact," an NCSC spokesman told The Register.

FootfallCam Ltd is the operator of the NurseryCam brand of web-connected camera services. As its name suggests, NurseryCam is a product deployed in daycare centres so parents can have a look at how junior is getting on.

The company needs NCSC's help: although we previously reported that users' passwords were hashed in storage, emails from the company shown to The Register by horrified parents confirmed that they were, in fact, being stored without any encryption at all.

"It was a design decision to store passwords in plaintext, which was used for image decryption. The same practice is also made in platforms such as Facebook, Twitter and GitHub," said an email from the firm, adding: "Moving forward, we will be changing to using hashed passwords to improve security measures."

The Register was contacted last week by a hacker who said he had obtained copies of usernames, passwords, users' forenames and surnames, and registered email addresses. On top of that, he also claimed to have accessed the rest of FootfallCam Ltd's web services – including those of its sister company, Meta Technologies.

The point of access was, we were told, a poorly secured Odoo business apps server instance that used a default admin password for its web interface, seemingly relying on security through obscurity.

He told The Register: "Though operating the admin panel requires a password, that password is the same as the default password documented on the main page of the admin panel."

IoT infosec researcher Andrew Tierney, who closely scrutinised the NurseryCam product, confirmed to The Register that the Odoo instance existed not long after we were tipped off about it, though it has since been made inaccessible.

Footfallcam first came to our attention earlier this month after a spat between Laurens Leemans of SignIPS, who analysed a sample of the firm's Footfallcam 3D Plus product, and the firm itself, which had threatened him with a police report unless he deleted tweets he'd made criticising the product's design.

The NCSC has yet to respond to The Register's request for additional comment. ®