Security researchers at Tenable revealed their discovery in a blog post this week, explaining how they had uncovered a critical remote code execution vulnerability in network video recorders (NVRs) used by video surveillance systems.
The vulnerability, dubbed “Peekaboo”, exists in NUUO’s Network Video Recorder software. Beyond letting remote attackers snoop on and even alter CCTV footage, it can be abused to steal data such as the credentials for every connected security camera, their IP addresses, and other details of the devices on the network.
The implications of the vulnerability are serious for a number of reasons.
First of all, scale.
NUUO is a leading member of the video surveillance industry, with devices deployed at more than 100,000 installations around the globe. Many other organisations may have put their trust in NUUO’s vulnerable software without even knowing that their surveillance systems use it, because NUUO’s code is integrated into a wide variety of third-party surveillance products.
According to some estimates, anything between 180,000 and 800,000 CCTV cameras in public use may be vulnerable to “Peekaboo”.
Secondly, hackers could exploit the root access they gain on vulnerable devices to disconnect live video feeds, or even tamper with security footage. For instance, a live video feed could be replaced with a static, unmoving image of the area under surveillance allowing criminals to gain access undetected.
Although it is warning of the vulnerability, Tenable is not publishing details of how it can be exploited. Instead, its researchers informed NUUO of the problem in June and have only now made a public disclosure, having waited 105 days (in vain, so far) for a patch to be issued.
The good news is that NUUO is believed to be working on a patch. The bad news is that each affected recorder is likely to need to be updated manually once a patch is made available. And, as we all know, a patch that has to be applied manually will often never be applied at all.
Questions must remain, especially as so many third-party devices depend on NUUO’s firmware, as to how many of the vulnerable systems will ever get patched.
There is no indication yet as to when that patch might be available. If you have NUUO’s code inside your organisation, you would be wise to think now about who has network access to the at-risk recorders and the cameras behind them, and to put restrictions in place so that only authorised, legitimate users (and not hackers on the other side of the world) can reach them.
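One way to put that restriction in place, as an added example that is not part of the original article or of NUUO’s own documentation: an nftables ruleset on the firewall that sits between the surveillance VLAN and the rest of the network. The interface names, addresses, the set of administrator hosts, and the ports (80/443 for the recorder’s web interface, 554 for RTSP) are assumptions for illustration; substitute the values from your own environment.

```nft
# Added example (not from the article or from NUUO): nftables ruleset for a
# firewall/router between the surveillance VLAN and everything else.
# All interface names, addresses and ports below are assumptions:
#   vlan20 -> surveillance VLAN: NVR at 10.20.0.10, cameras in 10.20.0.64/26
#   vlan10 -> management VLAN: the only place the NVR may be administered from
#   eth0   -> upstream / WAN
# Load with:  nft -c -f cctv.nft   (syntax check)   then   nft -f cctv.nft

table inet cctv {
    # Hosts that legitimately administer the recorder (assumed addresses).
    set admins {
        type ipv4_addr
        elements = { 10.10.0.5, 10.10.0.6 }
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies to connections that were already allowed.
        ct state established,related accept
        ct state invalid drop

        # Management hosts may reach the NVR's web interface (assumed 80/443).
        iifname "vlan10" ip saddr @admins ip daddr 10.20.0.10 tcp dport { 80, 443 } accept

        # The same hosts may pull live/recorded video (RTSP assumed on 554).
        iifname "vlan10" ip saddr @admins ip daddr 10.20.0.10 tcp dport 554 accept

        # Nothing else enters the surveillance VLAN: not the WAN, not other
        # internal segments. Logged so unexpected access attempts are visible.
        iifname != "vlan20" oifname "vlan20" log prefix "cctv-denied-in: " drop

        # The recorder and cameras get no route out: a compromised NVR cannot
        # phone home, and a camera-VLAN host cannot pivot into the network.
        iifname "vlan20" oifname != "vlan20" log prefix "cctv-denied-out: " drop
    }
}
```

Traffic between the recorder and its cameras stays inside vlan20 and never crosses the firewall, so it needs no rule here; if the NVR genuinely needs outbound access (an internal NTP server, for example) add an explicit accept for that destination rather than loosening the default. The ruleset only helps if the recorder is not also exposed some other way: check the edge router for port forwards or UPnP mappings pointing at it, and for any vendor cloud or remote-viewing relay that bypasses the firewall entirely.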
This is not the first time that NUUO’s network video recorders have found themselves in the news for the wrong reasons. They were also on the list of IoT devices targeted by the Reaper botnet last year.