"Peekaboo" zero-day lets hackers view and alter surveillance camera footage

Graham CLULEY

September 19, 2018

Hundreds of thousands of security cameras are believed to be vulnerable to a zero-day vulnerability that could allow hackers to spy on feeds and even tamper with video surveillance recordings.

Security researchers at Tenable revealed their discovery in a blog post this week, explaining how they had uncovered a critical remote code execution vulnerability in the IoT network video recorders used by video surveillance systems.

The vulnerability, dubbed “Peekaboo”, exists in NUUO’s Network Video Recorder software. Aside from allowing remote hackers to snoop on and even alter CCTV footage, it can also be abused to steal data such as credentials for all connected security cameras, IP addresses, and other data related to the devices.

The implications of the vulnerability are serious for a number of reasons.

First of all, scale.

NUUO is a leading member of the video surveillance industry, whose devices are deployed at more than 100,000 installations around the globe. However, there are also many organisations which may have put their trust in NUUO’s vulnerable software without even knowing that their surveillance cameras used it, as NUUO’s code is integrated into a wide variety of third-party surveillance systems.

According to some estimates there might be anything between 180,000 and 800,000 CCTV cameras in public usage that are vulnerable to “Peekaboo”.

Secondly, hackers could exploit the root access they gain on vulnerable devices to disconnect live video feeds, or even tamper with security footage. For instance, a live video feed could be replaced with a static, unmoving image of the area under surveillance, allowing criminals to gain access undetected.

Although warning of the vulnerability, Tenable’s researchers are not publishing details of how it can be exploited. Instead, they informed NUUO in June about the problem, and have only made a public disclosure now having waited 105 days (in vain, so far) for a patch to be issued.

The good news is that NUUO is believed to be working on a patch. The bad news is that each camera is likely to need to be updated manually once a patch is made available. And, as we all know, when a patch has to be applied manually it will often never be applied at all.

Questions must remain, especially as so many third-party devices depend on NUUO’s firmware, as to how likely it is that many of the vulnerable security cameras will ever get patched.

There is no indication yet as to when that patch might be available. If you have NUUO’s code inside your organisation you might be wise to think now about who has network access to the at-risk surveillance cameras, and put restrictions in place to ensure that only authorised, legitimate users (and not hackers on the other side of the world) can access them.

This is not the first time that NUUO’s network video recorders have found themselves in the news for the wrong reasons. They were also on the list of IoT devices targeted by the Reaper botnet last year.
