A dangerous vulnerability in a nursery monitoring system gave cyber criminals an opportunity to seamlessly access any live camera feed in any location.
NurseryCam allows parents to remotely log into the nursery minding their child to check up on them. NurseryCam services about 40 nurseries across the UK for children aged between 5 months and 6 years.
Internet of Things security prober Andrew Tierney (Cybergibbons) documented the vulnerabilities exposing NurseryCam’s sensitive data.
Tierney noted that the firewalls surrounding NurseryCams could be easily bypassed through a process known as ‘port forwarding’, allowing access to the Digital Video Recorder (DVR) installed in the targeted nursery.
Whenever a parent logs into NurseryCam’s web portal or mobile application, a connection is autonomously established to their associated DVR. The credentials for such a connection are the same for all NurseryCam users:
This means anyone could directly log into any DVR and access its footage just by knowing its IP address and login credentials.
These login credentials wouldn’t be hard to find either, NurseryCam has included them in a public instruction manual on their website.
Tierney reported these gaping vulnerabilities to NurseryCam on 6th February, and then later tweeted them on 12th February. A parent contacted Tierney telling him that they had informed NurseryCam of the same vulnerabilities 6 years ago.
The concerned parent realized that any NurseryCam could be accessed with just a few simple URL edits.
NurseryCam repeatedly diluted these accusations claiming that their security framework is even safer than “online banking.”
But an unknown hacker has finally forced NurseryCam to admit its shortcomings by breaching their sensitive data. The hacker accessed parent viewing accounts, acquiring email addresses, passwords, usernames, and names.
The hacker wasn't a threat, the motivation behind the attack was to force NurseryCam to raise their security standards.
Dr. Melissa Kao, Director of Footfallcam - the firm behind NurseryCam, advised BBC that the exposed vulnerabilities in this breach are different to the ones highlighted by Tierney.
Thankfully, the NurseryCam hacker had noble intentions. Most hackers don't.
In 2018 a threat actor assumed control of a WiFi baby monitoring system to broadcast kidnapping threats. The mortified parents rushed to the 4-month-old’s room, finding him peacefully asleep to the sinister voice spouting from the monitor speakers.
NurseryCam didn’t secure their vulnerabilities for 6 years. It took multiple tweets and an actual data breach to finally convince them to significantly strengthen their security posture.
Such complacency is, unfortunately, common among vendors, placing businesses at a heightened risk of third-party attacks
In the absence of certainty, organizations need to take ownership of their vendor security with third-party attack surfacing monitoring solutions. Otherwise, it may take a data breach to finally convince vendors to evaluate their security efforts.