The vulnerability, dubbed Peekaboo, would allow cybercriminals to remotely hack into cameras via a remote code execution vulnerability in NUUO software — one of the leading global video surveillance solution providers. For example, they could replace a live feed with a static image of the surveilled area, allowing criminals to enter the premises undetected by the cameras.
The impact of Peekaboo is significant as NUUO integrates with hundreds of leading brands. Their ecosystem of supported devices means that more than 100 brands and 2,500 different models of cameras could be made vulnerable by the access Peekaboo grants to usernames and passwords. Preliminary estimates show that up to hundreds of thousands of cameras could be manipulated and taken offline worldwide.
NUUO software and devices are commonly used for web-based video monitoring and surveillance in industries such as retail, transportation, education, government and banking. The vulnerable device, NVRMini2, is a network-attached storage device and network video recorder. Once exploited, Peekaboo would give cybercriminals access to the control management system (CMS), exposing the credentials for all connected video surveillance cameras. Using root access on the NVRMini2 device, cybercriminals could disconnect the live feeds and tamper with security footage. Just last year, the NUUO NVR devices were specifically targeted by the Reaper IoT Botnet.
“Our world runs on technology. It helps us monitor, control and engage with each other and our environments. And it’s one of the many reasons we’ve seen a massive surge in connected devices recently,” said Renaud Deraison, co-founder and chief technology officer, Tenable. “The Peekaboo flaw is extremely concerning because it exploits the very technology we rely on to keep us safe. As more IoT devices are brought online, the attack surface expands and introduces new risks to both consumers and organisations.”
Tenable Research disclosed the vulnerability, which affects firmware versions older than 3.9.0, to NUUO following standard procedures outlined in its vulnerability disclosure policy. As of September 17 at 11am ET, a patch has not been issued. NUUO has informed Tenable that a patch is being developed and affected customers should contact NUUO for further information.
In the meantime, users are urged to control and restrict access to their NUUO NVRMini2 deployments and limit this to legitimate users from trusted networks only. Owners of devices connected directly to the internetare especially at risk, as potential attackers can target them directly over the internet. Affected end users must disconnect these devices from the internet until a patch is released. Unfortunately, many users will be unaware that their devices are vulnerable because NUUO software is also integrated into products from other vendors. In these cases, users should contact their video surveillance vendors to confirm whether they are exposed and when a patch will be released.
Tenable has released a plugin to assess whether organizations are vulnerable to Peekaboo. Click here for more details.
For more information on Peekaboo, read the Tenable Research Advisory blog post.
