Daycare camera product NurseryCam was apparently hacked late last week. The BBC reported the news on the weekend, and the company has shut the service down to lock it down. But here’s where things get interesting. The company was contacted by a security researcher who discovered flaws in the service. And according to The Register:

El Reg reported on the company’s security shortcomings last week after its inappropriate attempts to strongarm an infosec researcher into deleting a Twitter thread detailing vulnerabilities in its FootfallCam product.

When companies do that sort of thing, it never ends well. This incident was no exception:

A hacker contacted El Reg on Friday to say they had obtained real names, usernames, what appeared to be SHA-1 hashed passwords, and email addresses for 12,000 NurseryCam users’ accounts – and had then dumped them online.

Although this person claimed to have “redacted” those details, the redaction was so poor it was trivial to figure out the real names and contact details of NurseryCam’s parent users. El Reg, together with IoT security expert Andrew Tierney, verified that the credentials were genuine before notifying NurseryCam of the breach. The company began emailing parents the following day after taking its cameras offline.

This is likely now under investigation by the Information Commissioner’s Office, and this might not end well for the company behind this service. Especially since warnings about the lax security of this service have been floating around for years. It sucks to be the company behind this product.

