Tenable Research, a cybersecurity company and creators of the “world’s first Cyber Exposure platform,” has discovered two critical vulnerabilities that leave up 800,000 surveillance cameras open to attack.
The vulnerabilities, dubbed ‘Peekaboo,’ were found in NUUO’s network video recorder (NVR) software. The first is a critical unauthenticated stack buffer overflow, and the second is a backdoor in leftover debug code, according to the company.
Tenable assessed and tested the vulnerabilities in the NUUO NVRMini2, a network-attached storage device and network video recorder.
“Once exploited, Peekaboo gives cyber criminals access to the control management system (CMS), exposing the credentials for all connected CCTV cameras. Using root access on the NVRMini2 device, cyber criminals could disconnect the live feeds and tamper with security footage. For example, they could replace the live feed with a static image of the surveilled area, allowing criminals to enter the premises undetected by the cameras,” Tenable researchers say.
NUUO is a Taiwan-based provider of video surveillance hardware and software. NUUO also OEMs to over 100 partners, including companies like Axis, Bosch, Dahua, Toshiba and many more. However, it is not known how many partners may use the vulnerable firmware.
NUUO is expected to release a patch for the vulnerability today, according to Threatpost. In the meantime, Tenable advises affected end users to restrict and control network access to the vulnerable devices to authorized and legitimate users only.
Customers with further questions should should contact NUUO directly.
Update 9/20/2018
Axis has issued the following statement: “The cybersecurity of our products and our customers’ data is of the utmost importance at Axis Communications. Axis products are not affected by the surveillance camera vulnerability recently identified in NUUO’s network video recorder software. We will continue to monitor this situation and take any necessary action to continue to ensure customer protection.”
This article originally ran in Campus Safety’s sister publication, Security Sales & Integration.