Security Week 09: Nurserycam Infosec Drama

2 min

Last week, a lingering scandal surrounding Footfallcam, a UK-based manufacturer of specialized webcams, has escalated. The Register’s edition their material gives a background: it all started with messages Dutch researcher OverSoftNL, in which he described serious problems with the security of devices of this company in early February.

As the expert found out, the Footfallcam, designed to count people passing by, is built on a Raspberry Pi board. Firmware analysis showed not only debug files “forgotten” by the developer (and one music track), but also a fixed password for access to the Wi-Fi network of a standard Raspbian OS user with a default password, as well as enabled SSH access. In other words, when added to the corporate network, the device was a huge security hole. But this was not the only manufacturer’s product with a strange approach to protection.

The drama began in a private conversation between the researcher and the producer. Footfallcam representatives asked OverSoftNL and his company for penetration testing services, but after a preliminary estimate of the cost, the researcher was publicly accused of extortion and promised to report to the police. Here, another researcher, Andrew Tierney, joined the story. published overview of problems in another device from the same manufacturer. This time it was about Nurserycams. They are installed in kindergartens, and parents are invited to download an application through which they can access the video streaming.

The utility imposes a number of restrictions on access so that only parents can get it and only at a certain time. As it turned out, Nurserycam not only communicates with the application over an insecure HTTP protocol, but also an administrator password that does not change to authorized parents to access the webcam. Although passwords were not directly exposed in the application, they were easy to pull from the data stream. In this case, the webcam manufacturer tried to ignore the current problems, calling admin access “bait for hackers”. At the same time happened some changes in the API for working with cameras, which, however, did not fix anything.

The final chord of history was a leak user data, presumably as a result of hacking of the company’s servers. It became known on February 22: information about 12,000 Nurserycam clients, including clear-text passwords, was made public. Based on the analysis of vulnerabilities, we can talk about many years of ignoring the basic means of protecting user data. This is also indicated by testimonials from Nurserycam customers: a few years ago, someone discovered that direct access to any video stream can be obtained by iterating over the numbers in the URL, and the archive of records was on FTP for some time without a password.

Among other things, this story is an example of disgusting communication between security professionals and vendors. The information about the vulnerabilities was made public before the manufacturer could react to it. But he also did everything possible for such an outcome, instead of constructive communication, sending threats and attacking researchers publicly from fake Twitter accounts. Anything that could go wrong went wrong.

What else happened

Experts reiterate the dangers of skills (essentially third-party software) for Amazon Alexa smart speakers (news, study). A number of security holes allow, in theory, to use the skills for phishing attacks on users and other things. Amazon representatives (however, as in other similar cases) deny the possibility of malicious attacks on smart voice devices.

Kaspersky Lab specialists published fresh research on the activities of the Lazarus group, in part related with a recent attack on security researchers.

In another report by Kaspersky Lab illuminate the evolution of stalker software for illegal surveillance of people.

In India discovered a large-scale leak of data on those who passed the coronavirus test.

In Cisco Nexus 3000 and Nexus 9000 switches found (and closed) a critical vulnerability, which was rated at 9.8 points on the CvSS scale – it made it possible to remotely get root rights.


Leave a Reply