A surveillance camera system for kindergartens in the UK has to be shut down because a serious data breach threatens confidentiality. A security hole in the surveillance system, called NurseryCam, exposes the credentials of the participating parents. The IT portal The Register was the first to report on it.
Freely accessible passwords
NurseryCam is installed in a number of kindergartens in the UK and allows parents to remotely observe their offspring after they have been dropped off there. To do this, it uses several cameras and a digital video recorder (DVR). For this purpose, the company behind the FootfallCam surveillance system provides parents with login information. However, a serious security gap in the system has meant that data from parental accounts can be read out at will – including username, password, real name and email address, reports
The company then informed those affected and switched off its servers until the problem was resolved. 40 kindergartens in Great Britain are affiliated.
The company said the person who found the flaw – apparently a well-meaning ‘white hat’ hacker – had behaved “responsibly” and evidently did not want to cause any damage with the data. In addition, the company believes that neither kindergarten children nor the staff were illegally observed, but does not provide any evidence to support this assumption.
The company calls the shutdown of the servers a precautionary measure, reports the BBC.
Administrator access for everyone
The company also informed the British Information Commissioner’s Office (ICO) about the incident. Firms in the UK are required to report data breaches of “significant impact” to the ICO within 24 hours. NurseryCam itself was informed of the vulnerability on Friday.
The company is said to have been made aware of this as early as 2015, but downplayed the discovery and only closed this gap later.
The IT security specialist Andrew Tierney (also known as “Cybergibbons”) likewise became aware of the vulnerability in NurseryCam and contacted the person who discovered it. He published a warning to everyone who uses the system, in which he describes in detail the functionality and weaknesses of the system (and also addresses the gap from 2015).