New Bug Leaves Surveillance Cameras Vulnerable to Hacking

Tenable Research discovered a bug in NUUO’s network video recorder software, leaving almost 800,000 surveillance cameras feeds exposed to attackers.

New Bug Leaves Surveillance Cameras Vulnerable to Hacking

Peekaboo vulnerabilities allow hackers to gain access to video camera feeds remotely and potentially tamper with recordings using administrator privileges.

Tenable Research, a cybersecurity company and creators of the “world’s first Cyber Exposure platform,” has discovered two critical vulnerabilities that leave up 800,000 surveillance cameras open to attack.

The vulnerabilities, dubbed ‘Peekaboo,’ were found in NUUO’s network video recorder (NVR) software. The first is a critical unauthenticated stack buffer overflow, and the second is a backdoor in leftover debug code, according to the company.

Tenable assessed and tested the vulnerabilities in the NUUO NVRMini2, a network-attached storage device and network video recorder.

“Once exploited, Peekaboo gives cyber criminals access to the control management system (CMS), exposing the credentials for all connected CCTV cameras. Using root access on the NVRMini2 device, cyber criminals could disconnect the live feeds and tamper with security footage. For example, they could replace the live feed with a static image of the surveilled area, allowing criminals to enter the premises undetected by the cameras,” Tenable researchers say.

NUUO is a Taiwan-based provider of video surveillance hardware and software. NUUO also OEMs to over 100 partners, including companies like Axis, Bosch, Dahua, Toshiba and many more. However, it is not known how many partners may use the vulnerable firmware.

NUUO is expected to release a patch for the vulnerability today, according to Threatpost. In the meantime, Tenable advises affected end users to restrict and control network access to the vulnerable devices to authorized and legitimate users only.

Customers with further questions should should contact NUUO directly.

Update 9/20/2018

Axis has issued the following statement: “The cybersecurity of our products and our customers’ data is of the utmost importance at Axis Communications. Axis products are not affected by the surveillance camera vulnerability recently identified in NUUO’s network video recorder software. We will continue to monitor this situation and take any necessary action to continue to ensure customer protection.”


This article originally ran in Campus Safety’s sister publication, Security Sales & Integration.

If you appreciated this article and want to receive more valuable industry content like this, click here to sign up for our FREE digital newsletters!

Leading in Turbulent Times: Effective Campus Public Safety Leadership for the 21st Century

This new webcast will discuss how campus public safety leaders can effectively incorporate Clery Act, Title IX, customer service, “helicopter” parents, emergency notification, town-gown relationships, brand management, Greek Life, student recruitment, faculty, and more into their roles and develop the necessary skills to successfully lead their departments. Register today to attend this free webcast!

Leave a Reply

Your email address will not be published. Required fields are marked *

Get Our Newsletters
Campus Safety HQ