Tenable Research, a cybersecurity company and creators of the “world’s first Cyber Exposure platform,” have discovered two critical vulnerabilities that leave up 800,000 surveillance cameras open to attack. The vulnerabilities, dubbed ‘Peekaboo,’ were found in NUUO’s network video recorder (NVR) software.
The first is a critical unauthenticated stack buffer overflow, and the second is a backdoor in leftover debug code, according to the company. Tenable assessed and tested the vulnerabilities in the NUUO NVRMini2, a network-attached storage device and network video recorder.
“Once exploited, Peekaboo gives cyber criminals access to the control management system (CMS), exposing the credentials for all connected CCTV cameras. Using root access on the NVRMini2 device, cyber criminals could disconnect the live feeds and tamper with security footage. For example, they could replace the live feed with a static image of the surveilled area, allowing criminals to enter the premises undetected by the cameras,” Tenable researchers say.
NUUO is a Taiwan-based provider of video surveillance hardware and software. NUUO also OEMs to over 100 partners, including companies like Axis, Bosch, Dahua, Toshiba and many more. However, it is not known how many partners may use the vulnerable firmware.
NUUO is expected to release a patch for the vulnerability, according to Threatpost. In the meantime, Tenable advises affected end users to restrict and control network access to the vulnerable devices to authorized and legitimate users only. Customers with further questions should should contact NUUO directly