UPDATED 21:37 EST / SEPTEMBER 17 2018

Peekaboo vulnerability exposes hundreds of thousands of security cameras to hacking

A new vulnerability discovered in firmware from NUUO Inc. allows malicious actors to view and tamper with video surveillance recordings, according to researchers from security firm Tenable Inc.

Dubbed “Peekaboo,” the “zero day” or heretofore undiscovered vulnerability affects firmware versions older than 3.9.0. It could allow cybercriminals to view video surveillance feeds remotely and tamper with recordings using administrator privileges.

In an example straight out of a Hollywood heist movie, the researchers noted that a hacker could replace a live feed with a static image of the surveilled area, allowing criminals to enter the premises undetected by the cameras.

Although it’s not a household name, NUUO is an original equipment manufacturer, or OEM, meaning that while producing its own products, it also makes them for other companies.

“The zero-day could affect up to hundreds of thousands of global video surveillance network recorders or CCTVs,” a spokesperson from Tenable told SiliconANGLE. “The vulnerability was originally found in NUUO NVRmini2 security network recorder, but because the technology is used by OEM partners in a host of supported rebranded recorders, the impact of this vulnerability goes far beyond NUUO.”

The researchers estimated that more than 100 brands and 2,500 different models of cameras could be made vulnerable by the access that the Peekaboo flaw in the firmware grants to usernames and passwords. Preliminary estimates show that up to hundreds of thousands of cameras could be manipulated and taken offline worldwide in industries including retail, transportation, education, government and banking.

“Our world runs on technology,” Renaud Deraison, Tenable’s co-founder and chief technology officer, said in a statement. “It helps us monitor, control and engage with each other and our environments. And it’s one of the many reasons we’ve seen a massive surge in connected devices recently. The Peekaboo flaw is extremely concerning because it exploits the very technology we rely on to keep us safe.”

The response from NUUO isn’t any better than the vulnerability itself. The company said only that “a patch is being developed and affected customers should contact NUUO for further information,” despite the company getting a heads-up well in advance of the vulnerability disclosure.

Users of NUUO or other devices using the firmware are being advised to restrict access to their deployments, limiting it to legitimate users on trusted networks.

“Owners of devices connected directly to the internet are especially at risk, as potential attackers can target them directly over the internet,” the researchers noted. “Affected end users must disconnect these devices from the internet until a patch is released.”
