Researchers at cybersecurity firm Tenable published an advisory Monday revealing a software vulnerability affecting a popular brand of surveillance cameras, which could be exploited to gain access to video feeds and potentially “allow attackers to remotely view feeds and tamper with recordings.”
The zero-day vulnerability, known as “Peekaboo,” allows potential hackers to exploit software made by NUUO, which produces closed-circuit television (CCTV), surveillance and video software and hardware.
“NUUO software and devices are commonly used for web-based video monitoring and surveillance in industries such as retail, transportation, education, government and banking,” Tenable said, calling the company a “market leader” with “more than 100,000 installations worldwide.”
“NUUO also OEMs and white labels its software to more than 100 brands and 2,500 models of cameras. In fact, preliminary estimates show that Peekaboo could affect up to hundreds of thousands of web-based cameras and devices worldwide,” Tenable added.
Peekaboo enables remote code execution in the NUUO software, and could allow a hacker not only to take control of cameras, but also to corrupt and change the video feeds. The implications are particularly grave: surveillance footage could be altered to run on a loop, and hackers could use cameras to spy on properties and individuals, among several other conceivable horror scenarios.
“Even worse, once they’ve hacked the camera, they can access the camera feeds of any other device it’s connected to,” Tenable said. “Cyberattackers can steal specifics about all the networked cameras, including key data like login credentials as well as the make and model, IP address and port. All this can happen in the span of a few seconds, without the admins’ knowledge.”
The cybersecurity shortcomings of Internet of Things (IoT) devices, such as these network video recorders, underscore recent Federal agency efforts on the technology. The National Institute of Standards and Technology has placed IoT trust concerns on the map for further research and discussion, and the Departments of Commerce and Homeland Security are pushing for the imposition of baseline security standards.
MeriTalk’s attempts to contact NUUO did not immediately receive a response, and the company website notes, “We are currently experiencing phone issues at our US office.”
Tenable began the disclosure process with NUUO on June 1, but as of yesterday, a patch for the Peekaboo vulnerability had not been made available.