A parental webcam app targeted at nurseries, to reduce parents’ stress and keep an eye on toddlers, allegedly comes with a number of security flaws. These flaws allow any person, authorized or not, to view footage remotely. Some of the problems appear to have been known for years.
Big Mother is Watching
The app in question, NurseryCam, is a nifty app that allows parents to view live video footage of their children in nurseries or pre-schools. Each room is fitted with digital video cameras that are connected to a video server. When parents log in, they can click from room to room to watch their child play, learn, have fun, interact with staff and peers, and ensure they’re happy and content.
Nursery webcams have existed in the United States since at least the mid-nineties. They are now becoming more and more popular across the Atlantic too, especially in the United Kingdom. Surveillance is widely accepted in the UK. There are around 4 to 6 million CCTV cameras installed in Britain’s streets. That’s close to 8 cameras for every 100 people, the third-highest in the world, behind the US and China.
The use of webcams in nurseries and preschools, however, has been the subject of fierce debate. Although they can be effective at putting parents’ minds at rest, many people believe webcams in a childcare setting are obtrusive. Moreover, as with any IoT device, networked cameras are a challenge from a cybersecurity point of view.
“Safer Than Online Banking”
According to NurseryCam, security is their highest priority. “It’s security to the extreme!”, claims the parent info pack. NurseryCam insists that “all points are protected by multi-layered security features” to ensure the safety of the whole system.
Firstly, images are encrypted and data is transmitted through a secure VPN tunnel. Secondly, each parent has an individual password and must obtain a secret PIN from their nursery. Thirdly, only authorized managers can approve, suspend or delete accounts and set restrictions, such as providing viewing access to only certain rooms or on certain days.
Further, the system is also protected with a firewall, 24-hour security monitoring and, apparently, “watchdogs are programmed to routinely check all gateways and detect any suspicious activity or multiple failed attempts”.
Daycare Camera App Riddled with Flaws
However, the daycare camera app that parents use to gain access to their child’s room is apparently so poorly designed that unauthorized persons can peep in too.
Security researcher Andrew Tierney has found disturbing security flaws, including some very basic, but serious issues. “The statements that NurseryCam make about the security of their system do not align with reality”, he plainly states.
For example, the connection to the digital video recorder (DVR) linked to the cameras uses HTTP, not HTTPS. Further, the app does not use TLS to encrypt nurseries’ video streams. Tierney has also discovered that even parents whose accounts have been revoked on the web platform can still log in directly to the camera system. Parents can even view footage from other rooms.
It’s All About Passwords and IPs
When they log in, parents receive an unencrypted list of IP addresses, ports, usernames and passwords, to connect directly to the daycare’s camera system. In addition, a default admin password is used, which is the same for all parents with access to the system. “This is analogous to your local bank giving you the keys to their vault and just trusting that you will only take your money,” said Tierney.
The password for the DVR is publicly available on the internet in the “DVR Manager user Guide”. “The only missing piece of the puzzle is the IP address of the nursery”, explains Tierney. According to the security researcher, it would be possible to scan the entirety of the UK for DVRs using this username and password in a matter of days.
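The flaws described above (DVR credentials sent to every client, revoked parents keeping access, parents seeing other rooms) point to a brokered design instead. The following is an added sketch, not NurseryCam's code or anything from Tierney's write-up: a gateway keeps the DVR credentials to itself, mints short-lived per-room tokens, and re-checks revocation on every stream request. The gateway, key, function names and sample accounts are assumptions constructed for illustration.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

SERVER_KEY = b"constructed-demo-key"  # assumption: secret known only to the gateway
# Constructed sample state: rooms each parent may view, and revoked accounts.
ALLOWED_ROOMS = {"parent-a": {"room-1"}, "parent-b": {"room-1", "room-2"}}
REVOKED = set()

def _sign(payload: bytes) -> str:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()

def issue_token(parent: str, room: str, ttl: int = 60,
                now: Optional[float] = None) -> str:
    """Mint a short-lived token for one parent and one room.

    The client receives only this token, never a DVR address or password.
    """
    now = time.time() if now is None else now
    if parent in REVOKED or room not in ALLOWED_ROOMS.get(parent, set()):
        raise PermissionError("not authorized for this room")
    payload = json.dumps({"sub": parent, "room": room, "exp": now + ttl}).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)

def authorize_stream(token: str, room: str, now: Optional[float] = None) -> bool:
    """Check run by the gateway on every request before it proxies video."""
    now = time.time() if now is None else now
    try:
        body, sig = token.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(body.encode())
        if not hmac.compare_digest(sig, _sign(payload)):
            return False  # forged or modified token
        claims = json.loads(payload)
    except (ValueError, TypeError):
        return False  # malformed token
    # Revocation and room permissions are re-evaluated here, so suspending an
    # account on the platform cuts off video access as well.
    return (claims["room"] == room
            and claims["exp"] > now
            and claims["sub"] not in REVOKED
            and room in ALLOWED_ROOMS.get(claims["sub"], set()))
```

Because the token is bound to one room and expires quickly, changing the room in a request or reusing an old token fails at the gateway rather than relying on the client to behave.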
Problems Dating Back to 2015
To make matters worse, one parent found almost identical issues in NurseryCam back in 2015. The parent realized that he could view any video feed by simply changing the URL in the web browser. He informed NurseryCam about the flaw but the company allegedly brushed off his complaints. Nonetheless, NurseryCam did eventually fix the vulnerability.
Tierney reported the issues to the NurseryCam developer on 6 February 2021. He posted a blog about his concerns on 12 February as a warning to NurseryCam’s users. He also called on the developer to take the system offline. In his blog, he wants to ensure all nurseries and preschools that use the system change the camera password or make sure it is not directly accessible from the internet. Lastly, he wants all users to be informed about the vulnerabilities.