[BreachExchange] Peekaboo vulnerability exposes hundreds of thousands of security cameras to hacking

Destry Winant destry at riskbasedsecurity.com
Tue Sep 18 23:18:14 EDT 2018


https://siliconangle.com/2018/09/17/peekaboo-vulnerability-exposes-hundreds-thousands-security-cameras-hacking/

A new vulnerability discovered in firmware from NUUO Inc. allows
malicious actors to view and tamper with video surveillance
recordings, according to researchers from security firm Tenable Inc.

Dubbed “Peekaboo,” the “zero day” or heretofore undiscovered
vulnerability affects firmware versions older than 3.9.0. It could
allow cybercriminals to view video surveillance feeds remotely and
tamper with recordings using administrator privileges.

In an example straight out of a Hollywood heist movie, the researchers
noted that a hacker could replace a live feed with a static image of
the surveilled area, allowing criminals to enter the premises
undetected by the cameras.

Although it’s not a household name, NUUO is an original equipment
manufacturer, or OEM, meaning that while producing its own products,
it also makes them for other companies.

“The zero-day could affect up to hundreds of thousands of global video
surveillance network recorders or CCTVs,” a spokesperson from Tenable
told SiliconANGLE. “The vulnerability was originally found in NUUO
NVRmini2 security network recorder, but because the technology is used
by OEM partners in a host of supported rebranded recorders, the impact
of this vulnerability goes far beyond NUUO.”

The researchers estimated that more than 100 brands and 2,500
different models of cameras could be made vulnerable by the access the
Peekaboo firmware grants to usernames and passwords. Preliminary
estimates show that up to hundreds of thousands of cameras could be
manipulated and taken offline worldwide in industries including
retail, transportation, education, government and banking.

“Our world runs on technology,” Renaud Deraison, Tenable’s co-founder
and chief technology officer, said in a statement. “It helps us
monitor, control and engage with each other and our environments. And
it’s one of the many reasons we’ve seen a massive surge in connected
devices recently. The Peekaboo flaw is extremely concerning because it
exploits the very technology we rely on to keep us safe.”

The response from NUUO isn’t any better than the vulnerability itself.
The company said only that “a patch is being developed and affected
customers should contact NUUO for further information,” despite the
company getting a heads-up well in advance of the vulnerability
disclosure.

Users of NUUO or other devices using the firmware are being advised to
restrict access to their deployments and limit it to legitimate users
only from trusted networks.

“Owners of devices connected directly to the internet are especially
at risk, as potential attackers can target them directly over the
internet,” the researchers noted. “Affected end users must disconnect
these devices from the internet until a patch is released.”

