Report: New Bug Leaves Up to 800,000 Surveillance Cameras Vulnerable to Hacking

Tenable Research discovered vulnerabilities in NUUO’s network video recorder software that can be used by attackers to remotely view feeds and more.

Tenable Research, a cybersecurity company and creators of the “world’s first Cyber Exposure platform,” have discovered two critical vulnerabilities that leave up 800,000 surveillance cameras open to attack.

The vulnerabilities, dubbed ‘Peekaboo,’ were found in NUUO’s network video recorder (NVR) software. The first is a critical unauthenticated stack buffer overflow, and the second is a backdoor in leftover debug code, according to the company.

Tenable assessed and tested the vulnerabilities in the NUUO NVRMini2, a network-attached storage device and network video recorder.

“Once exploited, Peekaboo gives cyber criminals access to the control management system (CMS), exposing the credentials for all connected CCTV cameras. Using root access on the NVRMini2 device, cyber criminals could disconnect the live feeds and tamper with security footage. For example, they could replace the live feed with a static image of the surveilled area, allowing criminals to enter the premises undetected by the cameras,” Tenable researchers say.

NUUO is a Taiwan-based provider of video surveillance hardware and software. NUUO also OEMs to over 100 partners, including companies like Axis, Bosch, Dahua, Toshiba and many more. However, it is not known how many partners may use the vulnerable firmware.

NUUO is expected to release a patch for the vulnerability today, according to Threatpost. In the meantime, Tenable advises affected end users to restrict and control network access to the vulnerable devices to authorized and legitimate users only. Customers with further questions should should contact NUUO directly.

Update 9/20/2018

Axis has issued the following statement: “The cybersecurity of our products and our customers’ data is of the utmost importance at Axis Communications. Axis products are not affected by the surveillance camera vulnerability recently identified in NUUO’s network video recorder software. We will continue to monitor this situation and take any necessary action to continue to ensure customer protection.”

If you enjoyed this article and want to receive more valuable industry content like this, click here to sign up for our FREE digital newsletters!

Security Is Our Business, Too

For professionals who recommend, buy and install all types of electronic security equipment, a free subscription to Commercial Integrator + Security Sales & Integration is like having a consultant on call. You’ll find an ideal balance of technology and business coverage, with installation tips and techniques for products and updates on how to add to your bottom line.

A FREE subscription to the top resource for security and integration industry will prove to be invaluable.

Subscribe Today!

Leave a Reply

Your email address will not be published. Required fields are marked *

Get Our Newsletters