2 min read

NurseryCam has serious security issues, claims researcher

Graham CLULEY

February 15, 2021

Promo Protect all your devices, without slowing them down.
Free 30-day trial
NurseryCam has serious security issues, claims researcher

* System widely used by nurseries to allow parents to watch their children playing.
* Claims made that NurseryCam was first informed of issues six years ago, but they still remain.

Security consultant Andrew Tierney, perhaps better known by the moniker “Cybergibbons”, has found disturbing security holes in a widely-used CCTV service designed to let parents remotely watch their children playing at nursery.

The NurseryCam service, which is promoted as “safer than online banking”, appears – according to Tierney – to suffer from some serious vulnerabilities.

Tierney claims that the system is not protected with TLS to encrypt the nursery’s video streams (opening them to eavesdropping by unauthorised parties), that parents of children who are no longer at the nursery are still able to access video feeds, that cameras parents are not entitled to view video from (such as rooms which their child does not use) are accessible.

Furthermore, the sharing of administrator usernames and passwords to parents – credentials that are used across multiple nurseries – opens opportunities for anyone on the internet to access the live video streams of children.

“This is analogous to your local bank giving you the keys to their vault and just trusting that you will only take your money,” says Tierney.

Tierney says that he informed NurseryCam about the security issues on 6 February 2021, and last week blogged about his initial concerns.

The researcher called upon NurseryCam to take down its service, and ensure that nurseries either changed their passwords to something more secure or stopped them from being exposed to the internet. In addition, Tierney said that nurseries, as well as current and former parents with children at exposed nurseries should be informed of the issues.

There is no indication that anything like this has yet happened.

To make matters worse, Tierney says that he was contacted by one parent who had found “almost identical issues” in NurseryCam in 2015, but they had clearly not been resolved in the years since.

At the time of writing there is no warning published on the NurseryCam website. Tierney, who believes that the NurseryCam system needs to be “almost completely redesigned” to resolve the security issues, has stark advice for affected nurseries:

  • Unplug the network connection from the DVR.
  • Contact NurseryCam and ask that they inform all impacted nurseries immediately.
  • Ask why the system you have been paying for isn’t the one that is described on the NurseryCam site.

tags


Author


Graham CLULEY

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s.

View all posts

You might also like

Bookmarks


loader