This blog post is intended for a less technical audience – specifically parents and nurseries using the NurseryCam system.
NurseryCam is a camera system that is installed in nurseries, allowing parents to view their children remotely. There are tens of nurseries stating that they use this system. News articles go back as far as 2004.
Serious security issues have been found in the system. The statements that NurseryCam make about the security of their system do not align with reality.
These issues would allow any parent, past or present, to access the video feeds from the nursery. There is also the chance that anyone on the Internet could have accessed them.
I am a full-time security consultant who specialises in the security of the Internet of Things, including camera systems. The issues with NurseryCam are about as serious as it gets. NurseryCam were informed of these as early as February 2015 – 6 years ago.
A Digital Video Recorder (DVR) is installed in the nursery, connected to cameras. These are like normal CCTV DVRs, used across thousands of businesses and homes in the UK.
The DVR has a web interface that can be viewed in a browser, but it would normally only be possible to view this when you are connected directly to the nursery’s network. This is because the DVR is behind the router’s firewall.
To allow the DVR to be viewed remotely, something called port forwarding is used. This opens a hole in the nursery’s firewall, allowing the DVR to be accessed from the Internet.
To log in to the DVR, you need to know the username, password, and IP address.
When a parent wants to view the cameras, they log in to the NurseryCam website or mobile application. In the background, the parent is given the details for the DVR, including the username and password.
The parent then establishes a direct connection to the DVR, allowing them to view the camera.
All parents connecting to a given nursery are given the same username and password for the DVR. In the examples I have been shown, the username is admin and the passwords are obvious words followed by 888.
This means that the parents, past and present, have all been given the administrator password for the DVR.
There are no indications that this password changes over time.
There is no need for the parent to log in to the NurseryCam website to access the DVR.
With these details, the parent could connect directly to the DVR at any time of the day, view it for however long they want, and view all of the cameras, including ones you have not given them permission to view.
You can lock or delete the parent account on the NurseryCam website, but the username and password for the DVR will not change.
There is no way to stop the parent from logging into the DVR directly.
Anyone logging into the DVR would be seen as the admin user. It would be incredibly difficult for a nursery to determine if the login was from a genuine parent or someone else.
To make matters worse, the connection to the DVR is using HTTP, not HTTPS. It is unencrypted, allowing someone to eavesdrop on the video feed, username, and password.
Any given parent for a given nursery could log in to the DVR and view any and all cameras.
This could include:
- A current parent viewing cameras for longer than they are meant to.
- A current parent viewing cameras that they are not entitled to, such as rooms their child does not use.
- A parent whose child no longer attends the nursery viewing the cameras.
- Any parent who has been prevented from accessing the system (e.g. separation, abuse) viewing the cameras.
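The cases above can be shown with a small model of the two designs. This is an added example, not NurseryCam's code: the class names, the placeholder password `example888` and the token gateway in Model 2 are assumptions made for illustration.

```python
import hashlib
import hmac

# Model 1: the design described above. Every parent gets the same DVR login.
class SharedLoginDVR:
    def __init__(self, cameras):
        self.cameras = cameras
        self.admin = ("admin", "example888")  # constructed placeholder password

    def view(self, username, password, camera):
        # The DVR cannot tell parents apart: everyone is "admin".
        return (username, password) == self.admin and camera in self.cameras

class Portal:
    def __init__(self, dvr):
        self.dvr, self.locked = dvr, set()

    def login(self, parent):
        # Hands the DVR login to any parent whose website account is not locked.
        return None if parent in self.locked else self.dvr.admin

# Model 2 (assumption): a gateway that accepts only signed, per-parent tokens.
class TokenGateway:
    def __init__(self, key):
        self.key, self.revoked = key, set()

    def _tag(self, body):
        return hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()

    def issue(self, parent, cameras, expires):
        body = f"{parent}|{','.join(sorted(cameras))}|{expires}"
        return f"{body}|{self._tag(body)}"

    def view(self, token, camera, now):
        body, _, tag = token.rpartition("|")
        if not hmac.compare_digest(tag, self._tag(body)):
            return False  # forged or altered token
        parent, cams, expires = body.split("|")
        return (parent not in self.revoked and camera in cams.split(",")
                and now < int(expires))

def locked_parent_demo():
    portal = Portal(SharedLoginDVR({"baby_room", "toddler_room"}))
    creds = portal.login("parent_a")   # received while still enrolled
    portal.locked.add("parent_a")      # nursery locks the website account
    gateway = TokenGateway(b"constructed-demo-key")
    token = gateway.issue("parent_a", {"baby_room"}, expires=1000)
    gateway.revoked.add("parent_a")    # nursery revokes the parent
    return portal.dvr.view(*creds, "toddler_room"), gateway.view(token, "baby_room", 10)
```

In Model 1 the locked parent can still view every camera, because the login they hold belongs to the DVR and not to them. In Model 2 the same parent is refused, since the token names them, lists only their cameras and expires.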
Worse still, because the password for the DVRs is common across multiple nurseries and openly documented on NurseryCam’s website, there is the potential for anyone on the Internet to access the DVR.
The only missing piece of the puzzle is the IP address of the nursery. It would be possible to scan the entirety of the UK for DVRs using this username and password in a matter of days.
Staff at NurseryCam would know the password and be able to access the DVRs without restriction.
NurseryCam state that their system is “safer than online banking”.
This is certainly not the case with the system seen here.
A common, shared, and openly documented login for the DVRs is passed to each parent.
There is no encryption used. There are no VPNs.
This is analogous to your local bank giving you the keys to their vault and just trusting that you will only take your money.
The same claims are repeated across multiple nursery websites.
When security researchers find problems like this, we try to report them to the company so that they can be fixed. The aim is to keep users of the system safe. We call this disclosure.
I reported these to NurseryCam on 6th February 2021.
On 12th February 2021, I blogged about these initial concerns and Tweeted them.
Former parents reading my Twitter feed got in touch, with one parent confirming that they had informed NurseryCam of almost identical issues in February 2015 – six years ago.
Even six years ago, the claims made about security did not line up with reality.
They have been aware of serious security issues for 6 years and have not fixed them.
How were these found?
The NurseryCam Android mobile application was downloaded and then examined. By viewing the code, it was possible to see how the system operates.
Several parent users of the system have contacted me. They confirmed that the system operated as I suspected and that the DVR usernames and passwords were the same each time they logged in.
There has been no attempt to hack NurseryCam webservers.
These issues were trivial to uncover, taking no more than 15 minutes.
What should you do?
In my professional opinion, you cannot quickly fix a system that is this badly broken. You also cannot regain the trust that has been lost by selling a product that is described so inaccurately.
If you, as a nursery, operate one of these systems:
- Unplug the network connection from the DVR.
- Contact NurseryCam and ask that they inform all impacted nurseries immediately.
- Ask why the system you have been paying for isn’t the one that is described on the NurseryCam site.
If you are a parent, I would advise contacting your nursery and requesting that they carry out the above steps.
Changing the username and password for the DVR is not a genuine fix – the username and password are still sent to the parents.
Adding encryption to the connections is not a fix – the username and password are still sent to the parents.
These issues are obvious and fundamental. They should not have existed in the first place.
Without the system being almost completely redesigned, it is hard to see how it can be secured adequately.
I have not tested their website, or looked at any of their other security practices.
Ask yourself if you could ever trust this company again with children’s data.