Nurserycam horror show: 'Secure' daycare video monitoring product beamed DVR admin creds to all users

bought one webcam 2 years

Reputable shop in Switzerland. All marks were ticked on the box. 200 CHF anyway.

When I read the config instructions, I couldn't believe what I was reading:

- USB cable was only for power, so no config here

- config guide:

- download an app for a smartphone (done by a chinses manufacturer)

- configure wifi just for the app (why it couldn't use my smartphone one was not said)

- wifi key could only be between 5 chars and 12. No idea why.

- then after press of buttons, the CAM would emit some sort sound, yes *morse* style then autoconfig, using the phone mic whatever that meant

Needless to say, the sound stuff never worked. One hour after, everything went back into parcel.

I did some research and this manufacturer, call Swisstel is known nowhere. And after looking again, I discovered the look and specs were *entirely* the same as some known reputable model.

Yup, counterfeit !

Went to the shop saying it doesn't work and they gave my money back.

I also told them they're fake, but they never wanted to believe me.

Shittest product I ever bought for 200CHF !

FootfallCam

Makes the antics of Travis Kalanick, author of "How to nearly drive (sic) a buisness into the ground" look tame

> any Nurserycam video feed could be viewed by simply changing the URL in the web browser: a flaw known in infosec as sheer incompetent dumbassery

FTFY

I will be forwarding this article to all my relativces who have small children. Not that any of them will understand it or pay any attention but at least I will have tried.

Scary

> El Reg has reviewed evidence showing the firm seemed more concerned with knowledge of the flaws being made public than with remediation, similar to last week's Footfallcam debacle (where Kao's fellow Footfallcam Ltd director, Edward Wong, threatened an infosec bod with a police report unless he deleted Twitter criticism of another product's poor design).

This is the bit that's _really_ scary. All products have bugs (some serious, like this, others minor).

What really sets companies/products apart is how they handle this reality. Do they

- Actively look for bugs/weaknesses and/or fix quickly when issues are reported to them

- Yell "nananana can't hear you" and/or "I'll sue you" at anyone who points out flaws

It's not just the flaws in Nurserycam/Footfallcam that should put them out of business, but the fact that they were aware of significant and trivial flaws in their product, and did nothing, and then when they were told about it again, tried to confuse the issue so that they could - again - do nothing.

That kind of "fuck you, I'm not fixing it" mindset does not belong anywhere near *anything* that gets even remotely close to kids (or, adults really).

So, people get all upset when a camera that is made to be watched, is watched? Or are they annoyed because nobody watches the watcher?

This is GDPR infose stage 2 - denial

Stage one was - ignore it

Most major vendors I've run into in the last 12-24 months have successfully completed GDPR stage 1 which was to completely ignore the legislation and pretend nothing was happening. This allowed them to avoid any additional costs for development work that would have been needed to actually be compliant with GDPR.

Since most existing customers were already in contracts the ICO allowed these to continue under the old DPA, so as far as the vendors were concerned all was well.

We're now well into stage 2 - Now that those old DPA 1998 contract are expiring savvy customers are now asking difficult questions about product compliance with GDPR (DPA 2018). Since those vendors did fuck all in the years they should have been getting ready for GDPR and preparing for the post DPA 2018 world their products now look woefully inadequate in terms of security. However not to worry, especially if you are a near monopoly provider. Just deny the insecurity in your products, state it's secure 'enough' safe in the knowledge your customer has nowhere to go and the ICO is pretty likely to do bugger all unless you get hacked. If you do get hacked don't forget your handy "Dido Harding" phrase book - sophisticated hack, personal data is our top priority yadda yadda yadda.

Personally I'm keenly awaiting stage 3 -blind panic.

This will come after a couple of major hacks when ministers feel they have to get of their arses and pass the blame onto someone. The ICO will pick a few juicy targets to take tro court and fall out should make enough waves in the market that someone might actually open the coffers enough to get things brought up to minimum standards.

BTW if you are a vendor and relying on username and password to protect a web exposed system processing personal or special category data it really isn't fucking good enough, and a PIN sent via email is not "taking consideration of the state of the art" under Article 32 of the Regulation.

If you don't really know what MFA is stop trying to bullshit the people who do know, you just look stupid

And for this bucch of muppets "Melissa Kao, a director of Footfallcam Ltd, the firm behind Nurserycam, insisted to The Register that what infosec researchers had found was "legacy non-functional codes" [sic] that were "there to distract hackers" '. I really wish I was there to hear to say that crap to the ICO

Such an ethical company

I'm sure people are falling over themselves to do business with them....

After all, what could possibly go pearshaped?

I wonder what they'd do if someone took "legacy non-functional codes" [sic] that were "there to distract hackers" literally and twiddled a few of these non-functional codes to not change the user IDs and passwords - which they obviously can't change if they're non-functional. At a guess scream that they've been hacked.

obvious words

"obvious words followed by 888"? Why hide the crap under such a mellow phrase?

"admin888" is the default admin password for a LOT of Chinese-made IPTV stuff, including Huawei / Hikvision / Dahua NVRs and cameras.

It's not something specific to the nursery cams, they just re-packaged the standard stuff that everyone ships from China.

Some Chinese-made devices don't even allow you to change the admin password... the "change password" option is simply missing on those.

e.g. i saw this thing on some Mio MiVue WiFi dashcams... they don't allow changing the WiFi password for the dashcam ("12345678" - wifi is used for admin access to the camera)

Also, their app for windows PCs only runs with administrative rights. It also downloads and executes software from Mio's website without using https or even at least digitally signed executables.

It basically runs unsigned remote code directly, without any origin authentication for the executables.

All you have to do is spoof and change on-the-fly anything coming from http://download.mio.com/dvr/pctool/tw/version.ini

(yep, China doesn't do https - just in case they need to deliver remote execution state-controlled shitware)

... and if you feed it a high enough version number so that it trips the automatic update mechanism, their app will execute with administrative rights any executable that you feed it via that INI file, without even checking for a digital signature.

Oh dear Elizabeth

What is it about females in corporate boardrooms that they think they can be more persuasively mendacious than male equivalents? As in this case, with the claim by Elizabeth of 'legacy non-functional codes to distract hackers'.

* An Apology:

Not 'Elizabeth', but Melissa.

Don't know how I could've got that muddled up.

Seems standard behaviour with child service providers

In the UK a company handles loads of child data (rhymes with daby's bays). Try to report any sort of risks to them (like the child care provider being the only people able to set credentials for parent access) and you will receive abuse and threats, and a quick look online will reveal their tactic of denying any problem means they still have 'care' over a vast number of childrens' data and lots of shill reviews. At least mumsnet has some honest views about their rudeness and behaviour

WebCam And Video Everywhere

What is it with this obsession with have "live feeds" and Internet based video recording for monitoring, security etc? All this used to be CCTV and whilst there were some breaches, it was nothing compared to the endless problems we have now.

Everything has to be "connected". All the data is stored "in the cloud" because it is perceived to be cheaper. All sorts of people who should never ever have access are given access so that they can "monitor" something.

At my place of work we have cameras all over the place yet if there is an issue you are lucky if security actually get there in time to do anything or even better, if the footage is needed for evidence, apparently the quality is not good enough for evidential purposes.

Invariably if something needs investigating they cannot find the footage or it has been left so long it has aged out.

This is not an online system with data in the cloud (yet) however we still have issues with cameras that have default settings, reset themselves to defaults and become accessible. Theoretically they are supposed to be on separate vlans however IP cameras are just too easy to configure, mis-configure or default to an open state, recording. At least if the default was off, they would not be vulnerable.

ICO should be shamed

"When an organisation buys in products or services that will be involved in the processing, they need to ensure that they choose ones that are designed with data protection in mind. This is part of a data protection by design approach and can help them to protect children's personal information. Organisations should consider these issues when doing their risk assessment."

What a deplorable cop-out by the ICO. While I agree that any place employing such a system should do it's due diligence the ICO should be giving heavy fines to any company that is targeting that market and failing so badly.

Trading Standards goes after companies which make dangerously faulty products, it seems like the ICO would be going after the customers for purchasing such faulty products.

How much for de children? I want to buy your children

Poor little tackers

A whole life of internet based abuse lies ahead of them

Nurserycam on the BBC

Aaannd, we're back in the news again

https://www.bbc.com/news/technology-56141093