UK: Kindergarten surveillance cameras shut down due to data leak

A surveillance camera system for kindergartens in the UK has to be shut down because a serious data breach threatens confidentiality. A security hole in the surveillance system called NurseryCam exposes the credentials of the participating parents. First the IT portal  The  Register reported about it.

Free access passwords

NurseryCam is installed in a number of kindergartens in the UK and allows parents to remotely observe their offspring after they have been weaned there. To do this, it uses several cameras and a digital video recorder (DVR). For this purpose, the company behind the FootfallCam surveillance system provides parents with login information. However, a serious security gap in the system has led to the fact that data from parental accounts can be read out at will – including username, password, real name and email address, reports

 The  Register.

 The  company then informed those affected and switched off its servers until the problem was resolved. 40 kindergartens in Great Britain are affiliated.

An unspecified person had made NurseryCam aware of the vulnerability and asked them to improve security.

 The  company said the person – apparently a well-meaning ‘white hat’ hacker – had behaved “responsibly” and apparently did not want to cause any damage with the data. In addition, the company believes that neither kindergarten children nor the staff were illegally observed, but does not provide any evidence to support this assumption.

 The  company calls the shutdown of the servers a precautionary measure, reports the BBC.

Administrator access for everyone

 The  company also informed the British Information Commissioner’s Office (ICO) about the incident. Firms in the UK are required to report data breaches of “significant impact” to the ICO within 24 hours. NurseryCam itself was informed of the vulnerability on Friday.

However, as

 The  Register continues, the security of the camera system was already conspicuous. Everybody was able to gain administrator access via the associated mobile app and thus avoid logging in as a user.

 The  company is said to have been made aware of this as early as 2015, but downplayed the discovery and only closed this gap later.

 The  IT security specialist Andrew Tierney (also known as “Cybergibbons”) also became aware of the vulnerability in NurseryCam and also contacted the person who discovered the vulnerability. He published a warning to everyone who uses the system, in which he describes in detail the functionality and weaknesses of the system (and also addresses the gap from 2015).

(tiw)