Surveillance systems around the world could be at risk
- 18 September, 2018 10:41
Researchers at Tenable discovered a zero-day vulnerability dubbed "Peekaboo" which makes video surveillance recordings vulnerable.
The vulnerability is in the NVRMini2 device, a network-attached storage device and network video recorder.
The vulnerability could affect "hundreds of thousands" of cameras worldwide and allows cyber criminals to view and change video surveillance recordings through a remote code execution vulnerability in Nuuo software.
"For example, they [cyber criminals] could replace the live feed with a static image of the area [under surveillance], allowing criminals to enter the premises undetected by the cameras," said Tenable in a statement.
Nuuo software and devices are installed in over 100,000 surveillance systems across the world, there are more than 100 brands and 2,500 different models of cameras could be made vulnerable.
"Once exploited, Peekaboo would give cyber criminals access to the control management system (CMS), exposing the credentials for all connected video surveillance cameras. Using root access on the NVRMini2 device, cybercriminals could disconnect the live feeds and tamper with security footage," Tenable explained.
“The Peekaboo flaw is extremely concerning because it exploits the very technology we rely on to keep us safe," said Renaud Deraison, co-founder and chief technology officer at Tenable.
"As more IoT devices are brought online, the attack surface expands and introduces new risks to both consumers and organisations.”
The vulnerability affects firmware versions older than 3.9.0. Nuuo informed Tenable that a patch is being developed and affected customers should contact Nuuo for further information.
In the meantime, users are urged to control and restrict access to their Nuuo NVRMini2 deployments and limit this to legitimate users from trusted networks only.
Owners of devices connected directly to the internet are especially at risk, Tenable warned, as potential attackers can target them directly over the internet. Affected end users must disconnect these devices from the internet.