The UK kindergarten security camera system must be shut down as a serious data breach threatening confidentiality. The vulnerability in the NurseryCam surveillance system reveals the credentials of the participating parents. First, the IT portal reported this.
Free access passwords
NurseryCam has been installed in a number of kindergartens in the UK and allows parents to remotely monitor their offspring after they are weaned. To do this, several cameras and a digital video recorder (DVR) are used. For this purpose, the company behind FootfallCam monitoring system provides parents with login information. However, a serious security hole in the system has led to the fact that data can be read from parent accounts at will – including username, password, real name, and email address, Log reports. The company then informed the affected people and shut down its servers until the issue was resolved. 40 affiliated kindergartens in Great Britain.
An unspecified person reported the vulnerability to NurseryCam and asked them to improve security. The company said the person – an apparently well-intentioned “white hat” hacker – acted “responsibly” and appeared not to want to cause any damage to the data. In addition, the company believes that neither the kindergarten children nor the employees have been illegally monitored, but it does not provide any evidence for this assumption. The server shutdown is what the company calls a precaution BBC reports.
Admin access to all
The company has also reported the incident to the British Information Commissioner’s Office (ICO). UK companies are required to report “high impact” data breaches to the ICO within 24 hours. NurseryCam itself was informed of the vulnerability on Friday.
However, as the record went on, the security of the camera system was previously notable. Everyone was able to obtain administrator access via the associated mobile application, thus avoiding logging in as a user. The company is said to have known about this early in 2015, but played down the significance of the discovery and closed this gap at a later date.
IT security specialist Andrew Tierney (also known as “Cybergibbons”) became aware of the NurseryCam vulnerability and also contacted the person who discovered the vulnerability. He posted Warning everyoneWho use the system and describe in detail the functionality and weaknesses of the system (also addresses the gap since 2015).