The news this week that NurseryCam CCTV devices can be very easily accessed by anyone again highlights the security weaknesses of smart devices. In this case, the default administrator password was accessible to anyone looking at the source code of the web page used to login to the camera. This would allow anyone with the correct IP address of a NurseryCam camera to use this password to access both the camera’s live stream and 18 months of recording history stored on the device. Default passwords – that is, passwords set by the manufacturer and not changed – are an inherent problem in many smart devices. In fact, I highlighted this as a problem 4 years ago on ITV’s “Good Morning Britain” by hacking presenter Charlotte Hawkins’s nursery camera (with her permission) in an almost identical way to this latest case.
In this case, the possible motivation for accessing cameras pointing at nursery children is too disturbing to discuss. However, this problem is not unique to cameras, and affects many smart devices. Hackers can exploit this to take control of these devices in order to access the information stored on them, or in some cases take control of huge numbers of the devices and use them to conduct denial of service attacks on websites (effectively using the Internet connectivity of the devices to bombard the target website with so much information that it stops working).
Usually there is a simple fix. Both as a business and as consumers, all devices we purchase that have a default password (these will be usually something very simple) should be changed as a matter of routine. Unfortunately in the case of NurseryCam the problem is with the manufacturer themselves as they publish the default password within the source code of the login page, which isn’t something you as the owner of the device can control. It has been reported that NurseryCam knew about security lapses in their devices for years before this latest incident yet did not address the flaws. Manufacturers need to make more of an effort to embed security into devices to ensure that businesses and individuals can buy them and plug them in without having to worry about someone else accessing them.
As a business, it is likely that you have a large number of devices connected to your network. Whether it be ‘dumb’ devices such as printers, scanners, routers and switches, or smart devices such as building management systems, if you haven’t been changing default passwords then it’s likely these can be exploited by hackers. If these have a connection to the internet then the risk is very serious as it would then be an avenue for a hacker to gain access to your network – effectively causing a data breach.
At Falanx we can help in a number of ways: through our penetration testing services in order to identify vulnerable devices, and through our incident response expertise should you believe one of your devices, or your network, has been compromised.
Contact us now to book your penetration test or to discuss your incident response needs.