A popular daycare camera system has come under cyberattack, according to numerous UK media sites. Initially reported by the BBC, then reported in detail via The Register, NurseryCam (which is owned by FootfallCam Ltd and Meta Technologies Ltd) has, in the words of the Information Commissioner’s Office (ICO), “reported a possible data breach.” NurseryCam is an Internet of Things (IoT) service that allows parents to check in on the daycare their children attend. The idea is that, should a parent be concerned at any point that their child is not doing well in daycare, they can access the CCTV system to check on them. With over 15,000 users in the UK, a hack would be disastrous.
The Register claims in its report to have made contact with the hacker responsible. In the following excerpt, the hacker explains just what they gained from the NurseryCam attack:
A hacker contacted El Reg on Friday to say they had obtained real names, usernames, what appeared to be SHA-1 hashed passwords, and email addresses for 12,000 NurseryCam users’ accounts — and had then dumped them online.
Although this person claimed to have “redacted” those details, the redaction was so poor it was trivial to figure out the real names and contact details of NurseryCam’s parent users. El Reg, together with IoT security expert Andrew Tierney, verified that the credentials were genuine before notifying NurseryCam of the breach. The company began emailing parents the following day after taking its cameras offline.
What is concerning about this NurseryCam hack is that it was entirely preventable. The Register indicated that security-aware customers and InfoSec researchers have found vulnerabilities in the past. In one insane and very recent instance, gray hat hackers publicly disclosed vulnerabilities to FootfallCam Ltd. Instead of immediately taking action and patching the exploitable vulnerabilities, the company accused the individuals of extortion and threatened legal action. Going back to 2015, the company seems to have a pattern of trying to quash vulnerability reports instead of doing the right thing and fixing the problem. By having a toxic relationship with the cybersecurity community and also apparently having vulnerable products, the company seemed to be asking for a major incident.
This certainly qualifies as a significant incident, and quite honestly, a bizarre one.
Featured image: Pixabay