Tenable Research Discovers “Peekaboo” Zero-Day Vulnerability in Global Video Surveillance Software

The vulnerability, which could affect up to hundreds of thousands of cameras worldwide, would allow cybercriminals to view and tamper with video surveillance footage

Tenable®, Inc., the Cyber Exposure company, today announced that its research team has discovered a zero-day vulnerability which would allow cybercriminals to view and tamper with video surveillance recordings via a remote code execution vulnerability in NUUO software — one of the leading global video surveillance solution providers.

The vulnerability, dubbed Peekaboo by Tenable Research, would allow cybercriminals to remotely view video surveillance feeds and tamper with recordings using administrator privileges.

For example, they could replace the live feed with a static image of the surveilled area, allowing criminals to enter the premises undetected by the cameras.

The impact of Peekaboo is significant as NUUO integrates with hundreds of leading brands. Their ecosystem of supported devices means that over 100 brands and 2,500 different models of cameras could be made vulnerable by the access Peekaboo grants to usernames and passwords. Preliminary estimates show that up to hundreds of thousands of cameras could be manipulated and taken offline worldwide.

NUUO software and devices are commonly used for web-based video monitoring and surveillance in industries such as retail, transportation, education, government and banking. The vulnerable device, NVRMini2, is a network-attached storage device and network video recorder. Once exploited, Peekaboo would give cybercriminals access to the control management system (CMS), exposing the credentials for all connected video surveillance cameras. Using root access on the NVRMini2 device, cybercriminals could disconnect the live feeds and tamper with security footage. Just last year, the NUUO NVR devices were specifically targeted by the Reaper IoT Botnet.

“Our world runs on technology. It helps us monitor, control and engage with each other and our environments. And it’s one of the many reasons we’ve seen a massive surge in connected devices recently,” said Renaud Deraison, co-founder and chief technology officer, Tenable. “The Peekaboo flaw is extremely concerning because it exploits the very technology we rely on to keep us safe. As more IoT devices are brought online, the attack surface expands and introduces new risks to both consumers and organizations. Tenable Research is committed to reducing this Cyber Exposure gap by identifying new, potential attack vectors and arming customers with the insight they need to reduce their exposure.”

Tenable Research disclosed the vulnerability, which affects firmware versions older than 3.9.0, to NUUO following standard procedures outlined in our vulnerability disclosure policy. As of September 17 at 11 AM ET, a patch has not been issued. NUUO has informed Tenable that a patch is being developed and affected customers should contact NUUO for further information. In the meantime, users are urged to control and restrict access to their NUUO NVRMini2 deployments and limit this to legitimate users from trusted networks only. Owners of devices connected directly to the internet are especially at risk, as potential attackers can target them directly over the internet. Affected end users must disconnect these devices from the internet until a patch is released. Unfortunately, many users will be unaware that their devices are vulnerable because NUUO software is also integrated into products from other vendors. In these cases,users should contact their video surveillance vendors to confirm whether they are exposed and when a patch will be released.

Tenable has released a plugin to assess whether organizations are vulnerable to Peekaboo. Click here for more details.

For more information on Peekaboo, read the Tenable Research Advisory blog post.

The vulnerability, which could affect up to hundreds of thousands of cameras worldwide, would allow cybercriminals to view and tamper with video surveillance footage

Tenable®, Inc., the Cyber Exposure company, today announced that its research team has discovered a zero-day vulnerability which would allow cybercriminals to view and tamper with video surveillance recordings via a remote code execution vulnerability in NUUO software — one of the leading global video surveillance solution providers.

The vulnerability, dubbed Peekaboo by Tenable Research, would allow cybercriminals to remotely view video surveillance feeds and tamper with recordings using administrator privileges.

For example, they could replace the live feed with a static image of the surveilled area, allowing criminals to enter the premises undetected by the cameras.

The impact of Peekaboo is significant as NUUO integrates with hundreds of leading brands. Their ecosystem of supported devices means that over 100 brands and 2,500 different models of cameras could be made vulnerable by the access Peekaboo grants to usernames and passwords. Preliminary estimates show that up to hundreds of thousands of cameras could be manipulated and taken offline worldwide.

NUUO software and devices are commonly used for web-based video monitoring and surveillance in industries such as retail, transportation, education, government and banking. The vulnerable device, NVRMini2, is a network-attached storage device and network video recorder. Once exploited, Peekaboo would give cybercriminals access to the control management system (CMS), exposing the credentials for all connected video surveillance cameras. Using root access on the NVRMini2 device, cybercriminals could disconnect the live feeds and tamper with security footage. Just last year, the NUUO NVR devices were specifically targeted by the Reaper IoT Botnet.

“Our world runs on technology. It helps us monitor, control and engage with each other and our environments. And it’s one of the many reasons we’ve seen a massive surge in connected devices recently,” said Renaud Deraison, co-founder and chief technology officer, Tenable. “The Peekaboo flaw is extremely concerning because it exploits the very technology we rely on to keep us safe. As more IoT devices are brought online, the attack surface expands and introduces new risks to both consumers and organizations. Tenable Research is committed to reducing this Cyber Exposure gap by identifying new, potential attack vectors and arming customers with the insight they need to reduce their exposure.”

Tenable Research disclosed the vulnerability, which affects firmware versions older than 3.9.0, to NUUO following standard procedures outlined in our vulnerability disclosure policy. As of September 17 at 11 AM ET, a patch has not been issued. NUUO has informed Tenable that a patch is being developed and affected customers should contact NUUO for further information. In the meantime, users are urged to control and restrict access to their NUUO NVRMini2 deployments and limit this to legitimate users from trusted networks only. Owners of devices connected directly to the internet are especially at risk, as potential attackers can target them directly over the internet. Affected end users must disconnect these devices from the internet until a patch is released. Unfortunately, many users will be unaware that their devices are vulnerable because NUUO software is also integrated into products from other vendors. In these cases,users should contact their video surveillance vendors to confirm whether they are exposed and when a patch will be released.

Tenable has released a plugin to assess whether organizations are vulnerable to Peekaboo. Click here for more details.

For more information on Peekaboo, read the Tenable Research Advisory blog post.