Peekaboo vulnerability exposes hundreds of thousands of security cameras to hacking

A new vulnerability discovered in firmware from NUUO Inc. allows malicious actors to view and tamper with video surveillance recordings, according to researchers from security firm Tenable Inc. Dubbed “Peekaboo,” the “zero day” or heretofore undiscovered vulnerability affects firmware versions older than 3.9.0. It could allow cybercriminals to view video surveillance feeds remotely and tamper with recordings using administrator privileges.

In an example straight out of a Hollywood heist movie, the researchers noted that a hacker could replace a live feed with a static image of the surveilled area, allowing criminals to enter the premises undetected by the cameras.

Although it’s not a household name, NUUO is an original equipment manufacturer, or OEM, meaning that while producing its own products, it also makes them for other companies.
“The zero-day could affect up to hundreds of thousands of global video surveillance network recorders or CCTVs,” a spokesperson from Tenable told SiliconANGLE. “The vulnerability was originally found in NUUO NVRmini2 security network recorder, but because the technology is used by OEM partners in a host of supported rebranded recorders, the impact of this vulnerability goes far beyond NUUO.”

The researchers estimated that more than 100 brands and 2,500 different models of cameras could be made vulnerable by the access the Peekaboo firmware grants to usernames and passwords. Preliminary estimates show that up to hundreds of thousands of cameras could be manipulated and taken offline worldwide in industries including retail, transportation, education, government and banking.

“Our world runs on technology,” Renaud Deraison, Tenable’s co-founder and chief technology officer, said in a statement. “It helps us monitor, control and engage with each other and our environments. And it’s one of the many reasons we’ve seen a massive surge in connected devices recently. The Peekaboo flaw is extremely concerning because it exploits the very technology we rely on to keep us safe.” The response from NUUO isn’t any better than the vulnerability itself. The company said only that “a patch is being developed and affected customers should contact NUUO for further information,” despite the company getting a heads-up well in advance of the vulnerability disclosure.

Users of NUUO or other devices using the firmware are being advised to restrict access to their deployments and limit it to legitimate users only from trusted networks. “Owners of devices connected directly to the internet are especially at risk, as potential attackers can target them directly over the internet,” the researchers noted. “Affected end users must disconnect these devices from the internet until a patch is released.”