NurseryCam data breach: Personal data records accessed by hacker
NurseryCam, a popular webcam service used by at least 40 nurseries across the UK to help parents keep tabs on their children, recently suffered a major security breach that exposed a large amount of personal information to a hacker.
The security incident that affected NurseryCam occurred due to a
vulnerability in the webcam system that exposed details such as names, email
addresses, usernames, and passwords to unauthorised access.
Footfallcam Ltd., the company that owns NurseryCam, said
that the security incident did not expose any footage of individuals,
children or staff, being watched without their permission. Dr Melissa Kao,
director of Footfallcam Ltd., said that "the person who identified the
loophole has so far acted responsibly. He stated he has no intention to use
this to do any harm [and] wants to see NurseryCam raise the overall standards
of our security measures."
NurseryCam learned of the security incident on Friday
evening and notified the Information Commissioner's Office (ICO) about the
incident. As a precautionary measure, Footfallcam Ltd. also shut down the
NurseryCam server to prevent further damage and will resume services once the
vulnerability is patched.
Footfallcam Ltd. advertises NurseryCam as a secure webcam
service that allows parents to securely view live images of their children in
childcare centres and day nurseries. It was founded in 2002 by sisters Liz
Makins and Jo Callaghan to enable parents to keep tabs on their children in
nurseries and day care facilities.
Footfallcam Ltd. faced similar allegations of poor security
controls earlier, when parents alleged that the application had security
vulnerabilities and that anyone who downloaded the mobile app could view admin
credentials without going through any authentication process.
Security researcher Andrew Tierney contacted the hacker and
offered NurseryCam his help to resolve the security snafu. “These issues
would allow any parent, past or present, to access the video feeds from the
nursery. There is also the chance that anyone on the Internet could have
accessed them. I don't know who this guy is but what I've done is send
NurseryCam the weak points in its system that I had spotted over the last
couple of weeks,” he said.
Ms Kao has issued a public apology and stressed that the
security vulnerability is not related to the previous allegation brought
against the company. "NurseryCam sincerely apologises to all our parent
users and nurseries for the incident. We are very sorry," she said.
Commenting on the security flaw affecting the webcam
service, Sam Curry, Chief Security Officer at Cybereason, said, "Kudos to
the white hat hacker that stepped forward after discovering the vulnerability
and to NurseryCam for its transparency in disclosing the security flaws in its
webcams. It is important that NurseryCam didn't try to play the victim card as
no one will want to hear it.
"There is an easy solution and it is fixing the
security flaws in the system as soon as possible. Similarly to the NurseryCam
vulnerability, there have been many headlines over the years regarding baby
monitor hacks that led to homes being scanned and unidentifiable voices
speaking to babies or shouting expletives.
"That being said, the vast majority of baby monitors
don't get hacked and parents need not worry about the safety of their children.
I am confident NurseryCam will take the proper steps to reduce risks in the
future so that parents can have peace of mind knowing that no unauthorised
people are eavesdropping on their children," he added.
Private webcams, and indeed many other Internet-connected
devices, have previously been found to lack strong security controls that
would prevent the leakage of stored data or defend against the exploitation of
vulnerabilities by malicious actors. Earlier, Avishai Efrat, a white hat
researcher working for WizCase, discovered as many as 15,000 Internet-connected
private webcams, sold by multiple companies worldwide, that could be accessed by
anyone with an Internet connection because of their lack of security
protections.
Efrat found that these vulnerable private webcams belonged
to various device types such as AXIS net cameras, Cisco Linksys webcam, IP
Camera Logo Server, IP WebCam, IQ Invision web camera, Mega-Pixel IP Camera,
Mobotix, WebCamXP 5, and Yawcam.
This was because these devices shipped with easily
predictable, standard default credentials for admin access that could easily be
guessed by cyber criminals. Once admin access was obtained, a hacker
could not only view private videos recorded by these webcams, but could also
manipulate them, edit their settings, and gain additional privileges.
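The weakness described above, a factory default shared by every unit, contrasted with the hardened pattern a device vendor would use instead (a per-unit random secret, a salted password hash, a forced change at first login and a lockout after repeated failures), as an added example that is not code from the article or from any of the vendors it names. The class names, the placeholder "admin"/"admin" pair, the password-length minimum and the lockout threshold are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class WeakCameraAuth:
    """Weak pattern: every unit ships with the same factory credential.

    Constructed example; the username/password pair is a placeholder, not a
    real vendor default.
    """

    FACTORY_DEFAULT = ("admin", "admin")

    def __init__(self):
        self.username, self.password = self.FACTORY_DEFAULT

    def login(self, username, password):
        # Plain comparison against a value printed in every manual.
        return (username, password) == (self.username, self.password)


class HardenedCameraAuth:
    """Hardened pattern: per-unit random secret, salted PBKDF2 hash, forced
    change at first login, and lockout after repeated failures (thresholds
    below are assumed values)."""

    MAX_FAILURES = 5
    MIN_LENGTH = 12
    ITERATIONS = 100_000

    def __init__(self):
        self.username = "admin"
        # Unique per device; in practice printed on the unit's label.
        self.initial_secret = secrets.token_urlsafe(12)
        self._salt = secrets.token_bytes(16)
        self._digest = self._derive(self.initial_secret)
        self.must_change = True
        self.failures = 0

    def _derive(self, password):
        return hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self._salt, self.ITERATIONS
        )

    def login(self, username, password):
        """Return 'locked', 'denied', 'change-required' or 'ok'."""
        if self.failures >= self.MAX_FAILURES:
            return "locked"
        candidate = self._derive(password)
        if username != self.username or not hmac.compare_digest(
            candidate, self._digest
        ):
            self.failures += 1
            return "denied"
        self.failures = 0
        return "change-required" if self.must_change else "ok"

    def change_password(self, old_password, new_password):
        """Rotate the credential; refuse short or unchanged passwords."""
        if self.login(self.username, old_password) in ("denied", "locked"):
            return False
        if len(new_password) < self.MIN_LENGTH or new_password == old_password:
            return False
        # Fresh salt so the new digest shares nothing with the old one.
        self._salt = secrets.token_bytes(16)
        self._digest = self._derive(new_password)
        self.must_change = False
        return True
```

The weak class accepts the shared default on every unit, which is exactly what allowed admin access to the exposed cameras; the hardened class never has a guessable secret to begin with, refuses service until the label secret is replaced, and stops guessing with a lockout.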
All the affected private webcams were being used by
individuals, businesses, private institutions, places of worship, and other
organisations in a large number of countries, including the UK, USA, Germany,
France, Australia, Canada, Spain, and Japan.