The issue described in the previous blog about Nurserycam has been present for a number of years.
This post collates the previous times that it was disclosed to Nurserycam that I know of. If you also reported an issue, please use the contact form on this page, or DM me on Twitter. I will not disclose any information you are not happy disclosing.
My opinion is that the root cause in all of these reports is identical: a direct connection is established to the DVR using admin credentials.
All four parents agree that this is the case.
There is the possibility that Nurserycam did have a system that didn’t rely on this mechanism to connect. This may have existed prior to 2015, or it may have existed on a subset of their customer systems. This misses the point – the weakest link in the chain is the one that matters.
February 2015
A parent reports security issues to NurseryCam and to their nursery. One of the issues reported is that the IP address, admin username, and admin password of the DVR in the nursery are leaked in the HTML source when viewing the cameras using ActiveX. The password is the one documented on the Nurserycam website. This makes it trivial for any parent to access any camera in the nursery and bypass the (ineffective) access restrictions.
Furthermore, the non-ActiveX mode serves images from the DVR without authentication or encryption, so anyone with the URL can see the live images from any computer. Communications from NurseryCam imply that something illegal has happened.
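To make the design flaw behind all of these reports concrete, here is an added example (my own illustration, not NurseryCam's code or anything recovered from their systems). It shows the reported pattern of a page that hands the parent's browser the DVR address and admin credentials, a simple review check that flags such a page, and the alternative design in which a server-side relay keeps the DVR credentials on the server and gives each parent only a short-lived token tied to the cameras they may view. The DVR address, credentials, parent and camera names are constructed placeholders.

```python
from __future__ import annotations

import re
import secrets
import time
from dataclasses import dataclass

# Constructed placeholders standing in for a nursery DVR; not values from the page.
DVR_HOST = "192.0.2.10"           # RFC 5737 documentation address
DVR_ADMIN_USER = "admin"
DVR_ADMIN_PASSWORD = "placeholder-admin-password"


def render_vulnerable_page(camera_id: str) -> str:
    """The reported pattern: the parent's browser is given the DVR address and the
    DVR admin credentials so that it can connect to the DVR directly."""
    return (
        "<html><body><object id='viewer'>\n"
        f"<param name='host' value='{DVR_HOST}'>\n"
        f"<param name='user' value='{DVR_ADMIN_USER}'>\n"
        f"<param name='password' value='{DVR_ADMIN_PASSWORD}'>\n"
        f"<param name='camera' value='{camera_id}'>\n"
        "</object></body></html>"
    )


CREDENTIAL_PARAM = re.compile(r"name=['\"](user|username|password|pass|pwd)['\"]", re.I)
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def find_leaked_secrets(html: str) -> dict:
    """Release-review check: does a page served to a parent carry credential
    parameters or a raw device address? Returns what was found so it can be flagged."""
    return {
        "credential_params": sorted({m.group(1).lower() for m in CREDENTIAL_PARAM.finditer(html)}),
        "ip_addresses": sorted(set(IPV4.findall(html))),
    }


@dataclass
class Session:
    parent_id: str
    expires_at: float


class CameraRelay:
    """Server-side relay: DVR credentials never leave the server. The parent receives
    only a random, short-lived token bound to the cameras they are authorised to view."""

    def __init__(self, authorisations: dict[str, set[str]], ttl_seconds: int = 300):
        self._auth = authorisations            # parent_id -> camera_ids they may view
        self._ttl = ttl_seconds
        self._sessions: dict[str, Session] = {}

    def issue_token(self, parent_id: str, now: float | None = None) -> str:
        if parent_id not in self._auth:
            raise PermissionError("unknown parent")
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)      # unguessable and unrelated to any DVR value
        self._sessions[token] = Session(parent_id, now + self._ttl)
        return token

    def render_page(self, token: str, camera_id: str) -> str:
        """What the parent's browser sees: a relay endpoint and their own token only."""
        return (
            f"<html><body><img id='live' src='/relay/frame?camera={camera_id}&amp;token={token}'>"
            "</body></html>"
        )

    def fetch_frame(self, token: str, camera_id: str, now: float | None = None) -> bytes:
        """Relay endpoint: validate the session, check the camera is authorised for this
        parent, then fetch from the DVR with credentials held server-side."""
        now = time.time() if now is None else now
        session = self._sessions.get(token)
        if session is None or now >= session.expires_at:
            self._sessions.pop(token, None)
            raise PermissionError("session expired or unknown")
        if camera_id not in self._auth[session.parent_id]:
            raise PermissionError("parent not authorised for this camera")
        return self._dvr_get_frame(camera_id)

    @staticmethod
    def _dvr_get_frame(camera_id: str) -> bytes:
        # Simulated DVR request; a real relay would open the authenticated DVR
        # connection here, using DVR_ADMIN_USER / DVR_ADMIN_PASSWORD in this process only.
        return b"JPEGFRAME:" + camera_id.encode()


def denied(relay: CameraRelay, token: str, camera_id: str, now: float) -> bool:
    """True if the relay refuses the request (used to exercise the failure paths)."""
    try:
        relay.fetch_frame(token, camera_id, now=now)
    except PermissionError:
        return True
    return False
```

Running `find_leaked_secrets` over the two pages shows the difference the parents were describing: the direct-connection page exposes `user`, `password` and the DVR address, whereas the relay page contains nothing that identifies or authenticates to the DVR, and a parent's token cannot be used for another room or after it expires.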
This parent agrees that the issue they reported is the same as the issue in my blog.
January 2020
A parent reports to their nursery that the connection is made directly to the DVR, and that the username and password are leaked to parents. The password is a derivative of the one found on the Nurserycam website, and is found to be common across multiple nurseries in a chain.
This parent agrees that the issue they reported is the same as the issue in my blog.
October 2020
A parent reports to their nursery that they can see the admin username and password in the browser. Nurserycam take some action to resolve the issue for this particular nursery. As before, the password is as documented on the NurseryCam website.
This parent agrees that the issue they reported is the same as the issue in my blog.
February 2021
Another parent reports security issues via their nursery. Again, this concerns the disclosure of the IP address, username and password to the parents. The password is the one documented on the Nurserycam website, as in 2015. Nurserycam take some action to resolve the issue for this particular nursery.
This parent agrees that the issue they reported is the same as the issue in my blog.
February 2021
I disclose the same issue in NurseryCam, inferred from the reverse engineering of their mobile app. Once a parent had confirmed the issues had been disclosed previously, I publicly disclosed immediately.