by carwyn on 2/14/21, 10:00 PM with 72 comments
by neilv on 2/15/21, 12:54 AM
"OK, folks, let's start briefly with bridging firewall/NAT/non-static-IP-addr/UX by network port-forwarding, and then move on to the protocol scenario event trace diagrams..." :)
I appreciate this writer's work to document the surprising technical failings, and to try to protect people. And there's some good effort to make it accessible to non-technical audience, though some of it seemed a bit confusing/intimidating.
This might be a good occasion for coaching from (or collaboration with) a professional journalist or other writer. As a techie myself, I can only guess what the result of expert help might be, but maybe even more inverted-pyramid writing style for this audience's perspectives, getting into understandable threats/implications near the top, and then supporting that with the minimum technical explanation necessary. With a pointer to a very technical separate post, for credibility, and for the benefit of journalists and other techies.
BTW, maybe my contemporary US cultural bias is showing here (and the article mentioned UK)... I saw some mentions of "parent" where it seemed some of the threats might be more understandable, and more persuasive to some of the people who could benefit, were it to include something to the effect of "...or ill-intentioned computer-savvy person, outside the daycare, or even anywhere on the Internet". Not to promote paranoia over stranger-danger, but those aren't hypothetical additional vulnerabilities to which I think a parent would want their child exposed for (what appears to be) absolutely no reason.
by Rainymood on 2/15/21, 7:57 AM
# Summary
Let me get straight to the point.
If you (or your daycare) uses NurseryCam, ANYONE CAN SPY ON YOUR CHILDREN.
Let me repeat that.
If you (or your daycare) uses NurseryCam, ANYONE CAN SPY ON YOUR CHILDREN. ANYONE.
Hi, my name is John Doe and I'm a cyber-security consultant who specialises online video security.
NurseryCam is a camera system that is installed in nurseries, allowing parents to view their children remotely. There are tens of nurseries stating that they use this system. News articles go back as far as 2004.
The problem is that NurseryCam's system contains serious security issues. The worst part is that NurseryCam is lying about it. NurseryCam were informed of these as early as February 2015 – 6 years ago and still haven't done anything to fix them. These issues would allow any parent, past or present, to access the video feeds from the nursery. There is also the chance that anyone on the Internet could have accessed them.
So if you use NurseryCam, anyone can spy on your children. Do you really want that?
If you are a concerned parent now, please do not hesitate to reach out to me on john@doe.com.
If you want more technical details, keep reading on down below.
# Technical details
...
by mleonhard on 2/15/21, 1:16 AM
What is the proper way to provide certificates to devices with embedded servers?
- Generate a self-signed certificate with the appropriate IP address and train users to bypass the browser's scary warnings?
- Buy certificates for every deployed device. Make each device download a new certificate when its current one expires. Set up dynamic DNS so the user can reach the device at a URL that matches the certificate.
- Make the device use an ACME server to provision its certificate. The device must be publicly accessible so the ACME server can reach it.
- Proxy all device connections through a central server. This could be expensive for high-bandwidth uses like streaming video.
All of these options are poor. Why has nobody solved this problem? Is it because the powerful browser makers (first Microsoft and now Google) prefer lucrative centralized technology? Google will make a lot less money when everyone can easily run their own server to do shared docs and messaging. Or is it because IoT companies prefer centralization so they can sell subscriptions to users and gather user behavior data? Or is it just that nobody has put in enough effort to solve it yet?
by KaiserPro on 2/14/21, 10:39 PM
Its the same people who shipped the "people counting" raspberry pi system with the bruno mars mp3s in them.
First they try and report the security consultants to the police, then they claim that they are too expensive to work with.
Then even more bizarrely they launch a halfarsed sock puppet campaign using the CEO's wife's account.
Then they start publishing reviews on their own staff, including private health info.
Just utterly bat shit insane
by YeBanKo on 2/15/21, 1:13 AM
1. They did not just give unauthorized access, they gave admin access.
2. It’s been going on for 6 years.
3. It seems very basic.
4. Not using HTTPS is another big red flag
5. Having this secure access feature is one of their selling points, by not providing it they essentially defrauded the public.
Mistakes happen, and it worse when it happens in security field. But this is not an honest mistake, this is negligence.
by Animats on 2/14/21, 10:59 PM
For all parents connecting to a given nursery, they are given the same username and password for the DVR. In the examples I have been shown, the username is admin and the password is either admin888 or nurserycam888.
Sigh.
by carwyn on 2/14/21, 10:42 PM
https://cybergibbons.com/security-2/serious-issues-in-nurser...
by orf on 2/14/21, 11:01 PM
Good idea, but the article is full of specific technical details + technical diagrams that are irrelevant to getting the point across.
by vmception on 2/15/21, 12:34 AM
Should it be patched, sure. I see it as different than some random IOT device in the crib, this is at the nursery itself.
Why are parents given access to particular feeds at a nursery?
Why does it matter that they can watch other kids at a nursery if you’re already giving this access?
Yeah I get that now ANYONE can watch them too, ooh scary men in trench coats and top hats watching children.
I’m missing something about the wording of this:
“The issues with NurseryCam are about as serious as it gets.”
Is it though?
by imdsm on 2/15/21, 11:46 AM
by quickthrower2 on 2/15/21, 5:47 AM
by exikyut on 2/15/21, 5:22 AM
- I image-searched "nurserycam dvr" and immediately found a video, from NurseryCam itself, showing how to reboot the DVR
- I also found a PDF with some "HDD reset" instructions and noticed the PDF had a closeup of the control panel buttons
- Googling the button labels from found me some extremely hazy model info - your standard "but which manufacturer?!" fare, it seems to be around the midpoint of "full AliExpress" at one end and actual reputability at the other
- After image-searching "<manufacturer> web interface" I stumble on a screenshot of a directory service that registers DVRs via DNS and gives them a domain
- "site:*.<domain>" found a few results
- visit one of them, open devtools, and yes, there's a unique Server: string
Then it was your standard
- how to into applet in 2021? oh, FF 52.0 ESR, ok
- download java 8
- find random website with java 8 .tar.gz because Oracle
- unpack java 8, create symlink, yay!
- security exception. oh.
- replace with java 7
- [A LONG TIME LATER] ohhhh, firefox updated itself and that's why everything looks wrong and the plugin stopped working
- okay let's go through shoda... actually you know what this is really boring.
TL;DR: it look about 3 hours to install Java and about 25 minutes to figure out what brand of DVR this company is using. Security through... ADHD incompatibility, anybody?
by netsharc on 2/14/21, 11:05 PM
Hmm, then again, if someone was filming my children, I'd be creeped out. And if someone was using this to identify kids and their day-to-day patterns (e.g. pick up hours), they could theoritically show up 10 minutes earlier, say they're there sent by the parents to pick up someone, and "the kid is wearing a blue top and yellow shorts" or whatever. But IMO kidnap scares are overblown, and if a nursery falls for that trick without calling the parents first, they should be shut down for being too stupid.