New Bug Leaves Surveillance Cameras Vulnerable to Hacking

Tenable Research discovered a bug in NUUO’s network video recorder software, leaving almost 800,000 surveillance cameras feeds exposed to attackers.

New Bug Leaves Surveillance Cameras Vulnerable to Hacking

Peekaboo vulnerabilities allow hackers to gain access to video camera feeds remotely and potentially tamper with recordings using administrator privileges.

Tenable Research, a cybersecurity company and creators of the “world’s first Cyber Exposure platform,” has discovered two critical vulnerabilities that leave up 800,000 surveillance cameras open to attack.

The vulnerabilities, dubbed ‘Peekaboo,’ were found in NUUO’s network video recorder (NVR) software. The first is a critical unauthenticated stack buffer overflow, and the second is a backdoor in leftover debug code, according to the company.

Tenable assessed and tested the vulnerabilities in the NUUO NVRMini2, a network-attached storage device and network video recorder.

“Once exploited, Peekaboo gives cyber criminals access to the control management system (CMS), exposing the credentials for all connected CCTV cameras. Using root access on the NVRMini2 device, cyber criminals could disconnect the live feeds and tamper with security footage. For example, they could replace the live feed with a static image of the surveilled area, allowing criminals to enter the premises undetected by the cameras,” Tenable researchers say.

NUUO is a Taiwan-based provider of video surveillance hardware and software. NUUO also OEMs to over 100 partners, including companies like Axis, Bosch, Dahua, Toshiba and many more. However, it is not known how many partners may use the vulnerable firmware.

NUUO is expected to release a patch for the vulnerability today, according to Threatpost. In the meantime, Tenable advises affected end users to restrict and control network access to the vulnerable devices to authorized and legitimate users only.

Customers with further questions should should contact NUUO directly.

Update 9/20/2018

Axis has issued the following statement: “The cybersecurity of our products and our customers’ data is of the utmost importance at Axis Communications. Axis products are not affected by the surveillance camera vulnerability recently identified in NUUO’s network video recorder software. We will continue to monitor this situation and take any necessary action to continue to ensure customer protection.”

This article originally ran in Campus Safety’s sister publication, Security Sales & Integration.

Read More Articles Like This… With A FREE Subscription

Campus Safety magazine is another great resource for public safety, security and emergency management professionals. It covers all aspects of campus safety, including access control, video surveillance, mass notification and security staff practices. Whether you work in K-12, higher ed, a hospital or corporation, Campus Safety magazine is here to help you do your job better!

Get your free subscription today!

Leave a Reply

Your email address will not be published. Required fields are marked *

Get Our Newsletters
Campus Safety HQ