Nurserycam horror show: 'Secure' daycare video monitoring product beamed DVR admin creds to all users
2021-02-18 12:01

Anyone could have logged into Nurserycam's DVRs thanks to poor design choices - and a decision to "authenticate" logins by passing the device's admin username and password to parents, claimed a reverse engineer who looked into the matter.

Internet of Things security prober Andrew "Cybergibbons" Tierney published a warning to Nurserycam's users after realising how insecure the product was.

Nurserycam is an internet-connected DVR with a port-forwarding firewall in front of it, taking its feed from CCTV cameras deployed inside nurseries and pointed at the children.

Several nurseries around the UK appear to have deployed the system, judging by search results for the Nurserycam name.

A parent who spoke to The Register and asked not to be named said he had reported similar flaws to Nurserycam back in 2015 - and was brushed off by Kao.

At the time, this father had realised that any Nurserycam video feed could be viewed by simply changing the URL in the web browser: a flaw known in infosec as an insecure direct object reference vulnerability.


News URL

https://go.theregister.com/feed/www.theregister.com/2021/02/18/nurserycam_security_problems_footfallcam_ltd/