Security Week 09: Nurserycam Infosec Drama

Last week, a long-running controversy around Footfallcam, a UK-based maker of specialized cameras, came to a head. The Register gave the background in its coverage: it all started with posts by the Dutch researcher OverSoftNL, who in early February described serious security problems in the company's devices.

As the researcher found, the Footfallcam, a device for counting people passing by, is built on a Raspberry Pi board. Firmware analysis turned up not only debug files "forgotten" by the developer (and one music track), but also a hard-coded password for the Wi-Fi network, the standard Raspbian OS user account with its default password, and SSH access enabled. In other words, once plugged into a corporate network the device was a huge security hole: anyone who could reach it over the network could log in with well-known credentials. But this was not the only product of the manufacturer with an odd approach to protection.
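The class of findings above is the first thing to check in any unpacked IoT firmware image. The script below is an added example written for this article, not the researcher's tooling or anything from Footfallcam's firmware; it audits an extracted root filesystem for an embedded Wi-Fi PSK, a still-usable stock "pi" account, SSH enabled at boot, and developer leftovers. The sample rootfs it builds (paths, hash placeholder, file names) is constructed for the demonstration.

```shell
#!/bin/sh
# Audit an unpacked firmware root filesystem for the findings described above:
# a Wi-Fi PSK baked into the image, the stock Raspbian "pi" account left
# usable, SSH enabled at boot, and developer leftovers (debug files, music).
# Added example for this article, not Footfallcam's firmware or the
# researcher's tooling; make_sample_rootfs builds a constructed tree.

make_sample_rootfs() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/wpa_supplicant" "$root/boot" "$root/home/pi" "$root/root" \
             "$root/etc/systemd/system/multi-user.target.wants"
    cat > "$root/etc/wpa_supplicant/wpa_supplicant.conf" <<'EOF'
network={
    ssid="office-iot"
    psk="same-secret-on-every-unit"
}
EOF
    # Placeholder hash, not a real one: what matters is that it is not locked.
    printf 'root:*:18000:0:99999:7:::\npi:$6$saltsalt$notarealhash:18000:0:99999:7:::\n' \
        > "$root/etc/shadow"
    : > "$root/boot/ssh"    # Raspbian enables sshd when this marker exists
    ln -s /lib/systemd/system/ssh.service \
        "$root/etc/systemd/system/multi-user.target.wants/ssh.service"
    : > "$root/root/debug_counter.log"
    : > "$root/home/pi/track01.mp3"
    echo "$root"
}

# Prints one FINDING line per issue and a TOTAL line; always exits 0 so it
# can be used inside command substitution.
audit_rootfs() {
    root=$1
    n=0

    # 1. Wi-Fi credentials in the image: every shipped unit carries the same PSK.
    conf="$root/etc/wpa_supplicant/wpa_supplicant.conf"
    if [ -f "$conf" ] && grep -Eq '^[[:space:]]*psk=' "$conf"; then
        echo "FINDING: Wi-Fi PSK embedded in /etc/wpa_supplicant/wpa_supplicant.conf"
        n=$((n + 1))
    fi

    # 2. Stock Raspbian account still usable. A locked account has "*" or "!..."
    #    in the hash field; anything else is a password that must be checked
    #    against the well-known default.
    if [ -f "$root/etc/shadow" ]; then
        hash=$(awk -F: '$1 == "pi" { print $2 }' "$root/etc/shadow")
        case "$hash" in
            ""|"*"|"!"*) ;;
            *) echo "FINDING: 'pi' account has a usable password (verify against the Raspbian default)"
               n=$((n + 1)) ;;
        esac
    fi

    # 3. SSH enabled at boot: the /boot/ssh marker or a systemd enablement link.
    unit="$root/etc/systemd/system/multi-user.target.wants/ssh.service"
    if [ -e "$root/boot/ssh" ] || [ -L "$unit" ] || [ -e "$unit" ]; then
        echo "FINDING: SSH service enabled at boot"
        n=$((n + 1))
    fi

    # 4. Developer leftovers: debug files outside /var/log and media files.
    leftovers=$(find "$root" -type f \( -name 'debug*' -o -name '*.mp3' \) \
                ! -path "$root/var/log/*" | sort)
    if [ -n "$leftovers" ]; then
        echo "$leftovers" | while read -r f; do
            echo "FINDING: leftover developer file ${f#"$root"}"
        done
        n=$((n + $(echo "$leftovers" | wc -l)))
    fi

    echo "TOTAL: $n"
}

# Audit the path given as argument, or the constructed sample if none.
audit_rootfs "${1:-$(make_sample_rootfs)}"
```

Run it as `sh audit.sh /path/to/extracted/rootfs` after unpacking the image (for example with binwalk or by mounting the SD-card image). The "pi" check deliberately stops at "usable password": confirming it is the default is a separate step against a known hash, and a hit on any of the four checks means the device should not go on a production network as shipped.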



The drama began in a private exchange between the researcher and the vendor. Footfallcam representatives asked OverSoftNL and his company for penetration testing services, but after receiving a preliminary cost estimate they publicly accused the researcher of extortion and threatened to go to the police. At this point another researcher, Andrew Tierney, joined the story: on February 14 he published an overview of problems in another device from the same manufacturer, the Nurserycam. These cameras are installed in nurseries, and parents are encouraged to download an app through which they can watch the video stream.



The app is supposed to restrict access so that only the child's parents can view the stream, and only at certain times. As it turned out, Nurserycam not only talks to the app over plain, unencrypted HTTP, but authorized parents are in effect handed an administrator password for the camera itself, and that password never changes. Although the passwords were not shown directly in the app, they were easy to pull out of the traffic. The manufacturer at first tried to brush the problems aside, calling the admin access "bait for hackers". Some changes were made to the camera API at the same time, but they fixed nothing.



The final chord was a leak of user data, presumably the result of a break-in on the company's servers. It became public on February 22: information on 12,000 Nurserycam customers, including clear-text passwords, was posted online. Judging by the vulnerabilities found, basic protection of user data had been ignored for years. Nurserycam customers' own accounts point the same way: a few years ago someone discovered that any video stream could be reached directly by iterating over the numbers in the URL, and for a time the archive of recordings sat on an FTP server with no password.
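The previous two paragraphs describe three failures of one access model: a shared, never-changing admin password handed to every parent, stream URLs that can be enumerated by number, and passwords stored in clear text. The Python below is an added example written for this piece, not code from Nurserycam, the researchers or any vendor, showing the minimal server-side model that avoids all three: passwords stored as salted hashes, and a signed token issued at login that is bound to one camera and one time window, so the app never holds an admin secret and a guessed camera id in the URL is rejected. The parent record, camera ids, key and time values are constructed for the demonstration.

```python
"""Added example (not Nurserycam's or any vendor's code): a minimal access
model for a camera viewing API. Parents' passwords are stored as salted
hashes, not clear text; a parent who logs in gets a signed token bound to
ONE camera and ONE time window, so the app never holds an admin credential
and guessing another camera's id in the URL gets you nothing. Names, key
and sample data are assumptions made for the demonstration."""
import base64
import hashlib
import hmac
import json
import os

SERVER_KEY = os.urandom(32)   # stays on the server; the app never sees it

# -- credential storage: salted PBKDF2 (argon2id/scrypt preferred in production) --
def hash_password(password, iterations=100_000):
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())

def verify_password(password, stored):
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)   # constant-time comparison

# -- capability tokens: HMAC-signed claims, scoped to one camera and a window --
def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(key, parent_id, camera_id, not_before, not_after):
    claims = {"sub": parent_id, "cam": camera_id, "nbf": not_before, "exp": not_after}
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)

def check_token(key, token, camera_id, now):
    """Return (True, parent_id) or (False, reason). The camera id comes from
    the request URL; the token must have been issued for exactly that camera."""
    try:
        body_b64, sig_b64 = token.split(".")
        body, sig = _unb64(body_b64), _unb64(sig_b64)
    except ValueError:
        return False, "malformed token"
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    claims = json.loads(body)
    if claims["cam"] != camera_id:
        return False, "token not valid for this camera"   # blocks URL enumeration
    if not claims["nbf"] <= now < claims["exp"]:
        return False, "outside allowed time window"
    return True, claims["sub"]

def forge_for_camera(token, camera_id):
    """What an attacker can do without the key: rewrite the claims. The
    original signature no longer matches, so check_token rejects it."""
    body_b64, sig_b64 = token.split(".")
    claims = json.loads(_unb64(body_b64))
    claims["cam"] = camera_id
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return _b64(body) + "." + sig_b64

# -- the pieces together, on constructed sample data --
PARENTS = {"parent-42": {"pw": hash_password("correct horse"), "cam": 17}}

def login(parent_id, password, key=SERVER_KEY, now=0):
    """Authenticate and hand back a token for the parent's own camera, valid
    only for the nursery's opening window (here: the next 10 hours)."""
    rec = PARENTS.get(parent_id)
    if rec is None or not verify_password(password, rec["pw"]):
        return None
    return issue_token(key, parent_id, rec["cam"], now, now + 10 * 3600)

def demo():
    now = 1_600_000_000
    tok = login("parent-42", "correct horse", now=now)
    return {
        "wrong_password": login("parent-42", "guess", now=now),
        "own_camera": check_token(SERVER_KEY, tok, 17, now + 60),
        "other_camera": check_token(SERVER_KEY, tok, 18, now + 60),   # URL enumeration
        "after_hours": check_token(SERVER_KEY, tok, 17, now + 11 * 3600),
        "forged": check_token(SERVER_KEY, forge_for_camera(tok, 18), 18, now + 60),
        "garbage": check_token(SERVER_KEY, "not-a-token", 17, now + 60),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

Two design points matter here. The token carries no secret that unlocks anything else: leaking it exposes one camera for one window, unlike a shared admin password. And the check compares the camera id in the URL against the signed claim, which is exactly the control whose absence made the numbered-URL enumeration work. Transport still has to be TLS; the token protects against the wrong client, not against a passive observer on plain HTTP.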



Among other things, this story is an example of appalling communication between security professionals and a vendor. Information about the vulnerabilities was made public before the manufacturer could respond, but the vendor did everything possible to bring about that outcome: instead of engaging constructively, it sent threats and attacked the researchers publicly from fake Twitter accounts. Everything that could go wrong did.



What else happened



Experts have again pointed out the dangers of skills (essentially third-party software) for Amazon Alexa smart speakers (news, research). A number of weaknesses could, in theory, let skills be used for phishing attacks on users, among other things. Amazon representatives (as in other similar cases) deny that malicious attacks on smart voice devices are possible.



Kaspersky Lab specialists have published a fresh study on the activities of the Lazarus group, partly related to the recent attack on security researchers.



Another Kaspersky Lab report covers the evolution of stalkerware, software used for illegal surveillance of people.



In India, a large-scale leak of data on people who had taken coronavirus tests was discovered.



In Cisco Nexus 3000 and Nexus 9000 switches, a critical vulnerability rated 9.8 on the CVSS scale was found (and fixed): it made it possible to remotely gain root privileges.


