Hackers hijack surveillance camera footage with 'Peekaboo' zero-day vulnerability

The previously unknown security flaw in Nuuo software is thought to impact hundreds of thousands of devices worldwide.
Written by Charlie Osborne, Contributing Writer

A zero-day vulnerability present in security cameras and surveillance equipment using Nuuo software is thought to impact hundreds of thousands of devices worldwide.

Researchers from cybersecurity firm Tenable disclosed the bug, which has been assigned as CVE-2018-1149.

The vulnerability cannot get much more serious, as it allows attackers to remotely execute code in the software, the researchers said in a security advisory on Monday.

Nuuo, describing itself as a provider of "trusted video management" software, offers a range of video solutions for surveillance systems in industries including transport, banking, government, and residential areas.

Dubbed "Peekaboo," the zero-day stack buffer overflow vulnerability, when exploited, allows threat actors to view and tamper with video surveillance recordings and feeds. It is also possible to use the bug to steal data including credentials, IP addresses, port usage, and the make & models of connected surveillance devices.

Such a security vulnerability has wide-reaching, real-world consequences -- as criminals could compromise a surveillance camera feed, replace the footage with a static image, and raid a premises, for example.

In addition, the bug could be used to fully disable cameras and surveillance products.

Peekaboo specifically impacts the NVRMini 2 NAS and network video recorder, which acts as a hub for connected surveillance products. When exploited, the product permitted access to the control management system (CMS) interface, which further exposes credentials of all connected video surveillance cameras connected to the storage system.

Speaking to ZDNet, Gavin Millard, VP of threat intelligence at Tenable, said that organizations all over the world use Nuuo software, including in shopping centers, hospitals, banks, and public areas.

However, therein lies the problem -- as the software is also white labeled to over 100 brands and 2,500 camera product lines.

TechRepublic: 4 tips for designing and installing a surveillance system in your business

As a result, Millard says that "preliminary estimates show that Peekaboo could affect up to hundreds of thousands of web-based cameras and devices worldwide."

See also: Dawn of the smart surveillance cameras

Further technical details have not been released as the zero-day remains unpatched. However, Nuuo firmware versions 3.9.0 and earlier are vulnerable.

"Our world runs on technology. It helps us monitor, control and engage with each other and our environments. And it's one of the many reasons we've seen a massive surge in connected devices recently," said Renaud Deraison, co-founder and chief technology officer of Tenable. "[...] As more IoT devices are brought online, the attack surface expands and introduces new risks to both consumers and organizations."

CNET: Best Home Security Cameras for 2018

Tenable disclosed the zero-day vulnerability to Nuuo. A patch has not been released, but Nuuo is currently developing a fix for deployment.

A plugin has also been released by Tenable for organizations to assess whether or not they are vulnerable to Peekaboo.

ZDNet has reached out to Nuuo and will update if we hear back.

How to discover and destroy spyware on your smartphone (in pictures)

Previous and related coverage

Editorial standards