I am not disclosing these issues lightly. They impact real people: children and parents.
I am not following the disclosure policy I follow normally as part of professional work due to the severity.
Given how the owner of FootfallCam has behaved, I cannot hold these back. The business managing these systems have not demonstrated they can handle data this important, and cannot handle this honestly.
Given the serious issues in FootfallCam, it concerned me that the same company could be handling sensitive data like this.
This application is called com.metatechnology.
This application has some serious issues. Recent reviews are from 2021, strongly indicating that this is still actively used.
The application does not use TLS to secure communications between it and API endpoints. There is no reason to not use TLS in 2021.
This has been unacceptable for years.
The application sends the username and password of the parent in the URL to the endpoint http://nurserycam.
The username and password are passed in the URL directly.
When logging in, the parent is returned a list of “ParentAccessModel” as JSON. This data is passed in plaintext, unencrypted.
ParentAccessModel is a list of nursery IP addresses, ports, usernames, and passwords to connect directly to the DVRs.
These are not per-parent credentials.
The user is admin.
The passwords are obvious words followed by 888.
These are accessible to any parent using the system.
Today, now, and in the past.
The connection, directly to the nurseries, is then made over HTTP with the username and password of the DVR passed in the URL.
There is no encryption.
Any access control enforced by their API would not be enforced by the DVRs.
The parent already has the IP address, port, username and password for the DVR.
Any controls around time limits, or locking out of accounts would not work.
The parents have credentials for the DVRs. The access controls are ineffective. The child may even leave the nursery and the parent's account could be revoked on the web platform, but they still have access to the DVR.
There is no means for NurseryCam to remotely audit access to these DVRs. If the usernames and passwords have been used by a malicious party, there are no means of knowing this.
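One way to close the gap described above, as an added example rather than code from NurseryCam or the original post: the login API hands each parent a short-lived signed token instead of DVR credentials, and a relay in front of the DVR (an assumed component) checks it, so expiry, revocation and auditing are enforced server-side. All names, keys and IDs here are constructed for illustration.

```python
import hashlib
import hmac
import time

# Constructed values for illustration; none come from the real system.
SIGNING_KEY = b"server-side-secret-never-sent-to-clients"
TOKEN_TTL = 300           # seconds a stream token stays valid
REVOKED_PARENTS = set()   # parents whose access has been withdrawn
AUDIT_LOG = []            # (timestamp, claimed parent_id, camera_id, outcome)


def _sign(parent_id, camera_id, expires):
    msg = f"{parent_id}|{camera_id}|{expires}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def issue_stream_token(parent_id, camera_id, now=None):
    """Called by the login API: returns a token, never DVR credentials."""
    now = int(time.time()) if now is None else now
    expires = now + TOKEN_TTL
    return f"{parent_id}|{camera_id}|{expires}|{_sign(parent_id, camera_id, expires)}"


def authorize_stream(token, camera_id, now=None):
    """Called by the relay in front of the DVR on every stream request."""
    now = int(time.time()) if now is None else now
    parent_id, outcome = "unknown", "malformed"
    parts = token.split("|")
    if len(parts) == 4 and parts[2].isascii() and parts[2].isdigit():
        parent_id, token_camera, expires, sig = parts[0], parts[1], int(parts[2]), parts[3]
        expected = _sign(parent_id, token_camera, expires)
        if not hmac.compare_digest(sig.encode(), expected.encode()):
            outcome = "bad-signature"
        elif token_camera != camera_id:
            outcome = "wrong-camera"
        elif now >= expires:
            outcome = "expired"
        elif parent_id in REVOKED_PARENTS:
            outcome = "revoked"   # takes effect at once, unlike a shared DVR password
        else:
            outcome = "allowed"
    # Every attempt is recorded, so misuse can be investigated afterwards.
    AUDIT_LOG.append((now, parent_id, camera_id, outcome))
    return outcome == "allowed"
```

The DVR's own admin password stays on the relay and is never sent to a phone, so a parent removed from the platform loses access on the next request.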
Summary of issues
The system directly exposes the DVRs in nurseries on HTTP. The username and password of the parents are passed without encryption, and the connection details for the DVR are then returned without encryption. Then, without encryption, the parents can log directly into the DVR. There is no means to stop them viewing the DVR whenever they want.
This is a massive difference from the claims on their site:
We are not talking about slight differences. The linked page is so far away from reality it’s unreal.
These are issues of critical severity. The implementation of this system places children at direct risk.
I make the following requests of NurseryCam:
1. Take down the NurseryCam service (mobile application and web application) before Monday 8th February 2021, 0800 GMT.
2. Within the next week (by Saturday 13th February) take action to ensure that the nurseries running DVRs have either changed the DVR passwords to something secure, or stop them being exposed to the Internet.
3. Within the next 4 weeks (by Saturday 6th March) send a communication to all nurseries and parents (current and former) informing them of these security issues. You should inform these people that you have no reasonable way to determine if anyone has watched their children.