On Friday, The Register become aware of the compromise of the NurseryCam network. NurseryCam is produced by the companies FootfallCam Ltd and Meta Technologies Ltd.
In response to the incident, the company shut down its IoT camera service on Saturday and reported the security breach to the parents.
“On 17:18 Friday 19th February 2021, it has come to our attention of a cyber incident detected in our NurseryCam system.” reads the security noticed sent by the company to the parents.
NurseryCam is a webcam solution that allows parents to watch their children while at nursery school. The service was used by about 40 nurseries across the UK.
NurseryCam has also reported a possible data breach to the UK’s data watchdog, the Information Commissioner’s Office (ICO).
The attackers exploited a “loophole” in its systems to obtain data from parents’ viewing accounts, exposed data includes usernames, hashed passwords, names, email addresses.
“The person who identified the loophole has so far acted responsibly,” said Dr Melissa Kao, director of FootfallCam Ltd and Meta Technologies “He stated he has no intention to use this to do any harm [and] wants to see NurseryCam raise the overall standards of our security measures.”
According to El Reg the security breach impacted 12,000 NurseryCam users’ accounts, the attackers dumped them online.
The El Reg reported that a FootfallCam corporate customer that has used the devices has found some security issues and reported them to FootfallCam. The customer explained that he was able to browse “data for other customers” by simply manipulating URL parameters in his browser.
Another NurseryCam user told El Reg he had reported multiple flaws in the product to the vendor in 2020, but it had received an unsatisfactory response.
If you want to receive the weekly Security Affairs Newsletter for free subscribe here.
(SecurityAffairs – hacking, IoT)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.