NurseryCam, a webcam service used across 40 daycare centers in the U.K. by parents who want to keep a watchful eye on their babies, has shut down following a data breach. The breach exposed the personal data of about 12,000 users to an attacker who said he or she was trying to improve the service’s security.
The attacker was able to find a “loophole” in the system, according to reports; NurseryCam was said to be alerted to the breach last Friday afternoon, prompting the company to send a notice to its users. By Saturday, the NurseryCam service was shut down while a fix is being sorted out.
The person behind the attack told the Register that they were able to get real names, usernames, email addresses and encrypted passwords for 12,000 accounts and dump them online.
NurseryCam told the BBC that it doesn’t believe anyone watched the webcam without permission; instead, the director for NurseryCam and sister companies Meta Technologies and FootfallCam, Melissa Kao, told BBC the person behind the breach contacted the company to report the incident.
“He stated he has no intention to use this to do any harm [and] wants to see NurseryCam raise the overall standards of our security measures,” she said.
NurseryCam’s Well-Known Vulnerabilities
This latest incident comes after the company was given repeated warnings by users and infosec professionals that their internet-of-things (IoT) system’s security was deeply flawed.
IoT security researcher Andrew Tierney has been raising the alarm about NurseryCam’s security since 2015, when it became clear that the IP address, username and password for the DVR in the daycare center “are leaked in the HTML source when viewing the cameras using ActiveX,” he wrote.
In January, Tierney reported that the usernames and passwords given to parents to access the remote video baby monitor are all very similar to one another if not exactly the same in some cases. That means that whoever had access at one time or another could access live streams indefinitely.
Further, he warned that the system is not protected with TLS to encrypt the nursery’s video streams, and that the service shared administrator usernames and passwords with parents, with credentials used across multiple nurseries.
“This is analogous to your local bank giving you the keys to their vault and just trusting that you will only take your money,” Tierney told Bitdefender.
Several months later, another parent reported that the admin username and password were visible in the browser. And just days ago, Tierney reported that another parent said they had been issued the same username and password as in 2015.
“I disclosed the same issue in NurseryCam, inferred from the reverse engineering of their mobile app,” Tierney said. “Once a parent had confirmed the issues had been disclosed previously, I publicly disclosed immediately.”
The Register also spoke with a business customer of FootfallCam who asked not to be identified. “Over the four years we have had the devices we have highlighted some other issues to FootfallCam,” the customer told The Register. “At one point the FTP server which houses the ‘verification videos’ was publicly available.”
Parents who use the NurseryCam service told The Register they had reported vulnerabilities to the company; some were addressed, while other parents felt the response was inadequate.
Tierney told BBC he was also contacted by the attacker who stole NurseryCam’s user data last Friday and who then reached out to the company to offer his assistance. Kao told BBC she did not think the previous vulnerabilities reported by Tierney had anything to do with the latest breach.
“NurseryCam sincerely apologizes to all our parent users and nurseries for the incident. We are very sorry,” she said.