In newly published research, security firm Tenable reveals how popular video surveillance camera software could be manipulated, allowing would-be attackers the ability to view, disable or otherwise manipulate video footage.
The vulnerability, which researchers fittingly dubbed “Peekaboo,” affects software created by NUUO, a surveillance system software maker with clients including hospitals, banks, and schools around the globe.
The vulnerability works via a stack buffer overflow, overwhelming the targeted software and opening the door for remote code execution. That loophole means that an attacker could remotely access and take over accounts with no authorization, even taking over networked cameras connected to the target device.
“This is particularly devastating because not only is an attacker able to control the NVR [camera] but the credentials for all the cameras connected to the NVR are stored in plaintext on disk,” Tenable writes.
Tenable provides more details on potential exploits tested with one of NUUO’s NVRMini2 devices on its Github page. One exploit “grabs the credentials to the cameras that are connected to the NVR, creates a hidden admin user, and disconnects any cameras that are currently connected to the NVR.” Not great.
Tenable set its disclosure to NUUO in motion on June 1. NUUO committed to a September 13 patch date to fix the issue but the date was later pushed to September 18, when anyone with affected equipment can expect to see firmware version 220.127.116.11. Organizations that might be vulnerable can use a plugin from the researchers to determine if they’re at risk or contact the manufacturer directly. TechCrunch reached out to NUUO about its plans to push a patch and notify affected users.
What what makes matters worse with this vulnerability is that NUUO actually licenses its software out to at least 100 other brands and 2,500 camera models. Tenable estimates that the vulnerability could put hundreds of thousands of networked surveillance cameras at risk around the world and many of the groups that operate those devices might have no idea that the risk is even relevant to the systems they rely on.