Full Report
A dangerous vulnerability in a nursery monitoring system gave cyber criminals an opportunity to seamlessly access any live camera feed in any location.
Analysis Summary
# Vulnerability: Default Credentials and Exposed DVRs in Nursery Monitoring System
## CVE Details
- CVE ID: Not explicitly provided in the text (Described as a series of flaws reported by Cybergibbons)
- CVSS Score: Not explicitly provided (The severity is implied by the impact, suggesting High)
- CWE: CWE-259: Use of Hard-coded Credentials (Implied by static username/password) and potentially CWE-284: Improper Access Control.
## Affected Systems
- Products: NurseryCam monitoring system (Services approximately 40 nurseries across the UK). This vulnerability affects the Digital Video Recorder (DVR) component accessible via the NurseryCam service.
- Versions: Not specified, but the vulnerabilities persisted for at least 6 years.
- Configurations: Any installation using the default credentials for the DVR component, accessible via a connection established when parents log into the web portal or mobile application.
## Vulnerability Description
The vulnerability stems from two critical flaws exploited against the networked Digital Video Recorder (DVR) systems used by NurseryCam:
1. **Bypassable Firewall:** Threat actors could bypass the system's firewalls via "port forwarding" to gain direct network access to the DVRs.
2. **Hardcoded Default Credentials:** The DVRs utilize static, common credentials for all users: **Username: admin**, **Password: admin888**. These credentials were also publicly available in the vendor's instruction manuals, allowing anyone knowing a DVR's IP address to log in and access live camera feeds and recordings seamlessly.
## Exploitation
- Status: **Exploited in the wild** (A hacker breached parent viewing accounts, acquiring emails, passwords, usernames, and names, forcing the vendor to acknowledge the issues).
- Complexity: **Low** (Relied on publicly known credentials and a known technique (port forwarding) to bypass perimeter defenses).
- Attack Vector: **Network** (Remote access via the internet to the exposed DVR IP).
## Impact
- Confidentiality: **High** (Exposure of live video feeds from nurseries, and subsequent theft of parent account credentials, including usernames and passwords).
- Integrity: **Low** (No indication of data modification, though unauthorized control over the camera stream is possible).
- Availability: **Low** (The primary impact was data disclosure, not Denial of Service).
## Remediation
### Patches
- Specific patch versions were not detailed in the article, but the vendor was compelled to "significantly strengthen their security posture" following the public disclosure and breach. **Action required is contacting the vendor for mandatory updates/configuration changes.**
### Workarounds
- Remove or disable the functionality that relies on the insecure DVR connection method (e.g., review firewall rules to block unauthorized port forwarding exposure to DVRs).
- **Immediately change the default 'admin'/'admin888' credentials on all associated DVR units.**
- If possible, segment the DVR network from external access, ensuring access is only granted through secure, authenticated vendor services (if they truly exist).
## Detection
- Indicators of Compromise (IoCs):
- Unauthorized outbound connections from the DVR to external, unknown IP addresses.
- Unusual login activity on DVR management interfaces using default credentials.
- Reports of unauthorized access to video streams from parents.
- Detection Methods and Tools: Network monitoring tools capable of inspecting traffic patterns associated with the DVR units and reviewing DVR system logs for anomalous login attempts using default credentials.
## References
- Vendor advisories: None explicitly linked (Information derived from security researcher report and subsequent media coverage).
- Relevant links:
- Vendor/Product Background: hXXps://www.nurserycam.co.uk/
- General context on the breach research: hXXps://www.upguard.com/blog/sensitive-data