'Peekaboo' Zero-Day Exploit Targets Security Camera

Researchers at Tenable are detailing a new zero-day exploit dubbed 'Peekaboo,' which targets the software that runs security cameras and other surveillance equipment.\r\n\r\n

Scott Ferguson, Managing Editor, Light Reading

September 18, 2018

3 Min Read

A new zero-day exploit, dubbed "Peekaboo," can allow cybercriminals and other attackers to tamper with security cameras and other surveillance equipment by taking advantage of a vulnerability in the software platform that runs these devices.

Security firm Tenable detailed the Peekaboo exploit on Sept. 17. It's been given an assignment number of CVE-2018-1149.

Specifically, the stack buffer overflow vulnerability is within software developed by Nuuo, which is a popular platform that is used as the base software within at least 100 different brands and some 2,500 different security camera models. This could translate into hundreds of thousands of cameras, and other surveillance equipment left vulnerable, according to Tenable.

(Source: Pixabay)\r\n

(Source: Pixabay)\r\n

These types of security cameras and other devices are used in a number of industries, including retail, transportation, education, government and banking. By allowing cybercriminals to manipulate images and video, it's easy to see why this particular vulnerability is such a concern, as well as the dangers associated with connecting Internet of Things devices. (See HNS IoT Botnet Evolves, Goes Cross-Platform.)

"Because of NUUO's vast OEM partner ecosystem, it's possible that this vulnerability is present in devices from other vendors who re-brand NUUO's code," Jacob Baines, a senior research engineer at Tenable, wrote in an email to Security Now. "Our initial estimates show that up to hundreds of thousands of cameras could be manipulated and taken offline worldwide."

The Peekaboo exploit allows for remote code execution, which an attacker could use to access a camera and view video feeds or tamper with recordings. With administrative privileges, cybercriminals can replace a live feed with a static image.

At its core, the Peekaboo bug targets the NVRMini 2 network-attached storage (NAS) device and the network video recorder. From there, an attacker can access the control management system, exposing the credentials of the equipment. By using this root access, a criminal can then change the footage or view what the camera is recording.

The particular vulnerability appears to affect Nuuo software firmware that is older than the 3.9.0 version.

This is not the only time Nuuo software has been vulnerable to this type of attack. Specifically, the group behind the Reaper botnet, a variant on the Mirai botnet software that appeared in 2017, targeted a similar vulnerability in the platform. (See IoT Malware-on-the-Fly Expected to Rise .)

"We haven't seen this exploited in the wild yet," Baines wrote about this week's disclosure. "The Tenable Research team started to focus in on NUUO software last fall after the Reaper IoT botnet news broke, as they were one of the vendors impacted. From there, it was a matter of bug hunting."

Tenable first disclosed the vulnerability to Nuuo in June. The company did promise to push out a patch, but, so far, none has been released, according to the company.

Related posts:

— Scott Ferguson is the managing editor of Light Reading and the editor of Security Now. Follow him on Twitter @sferguson_LR.

Read more about:

Security Now

About the Author(s)

Scott Ferguson

Managing Editor, Light Reading

Prior to joining Enterprise Cloud News, he was director of audience development for InformationWeek, where he oversaw the publications' newsletters, editorial content, email and content marketing initiatives. Before that, he served as editor-in-chief of eWEEK, overseeing both the website and the print edition of the magazine. For more than a decade, Scott has covered the IT enterprise industry with a focus on cloud computing, datacenter technologies, virtualization, IoT and microprocessors, as well as PCs and mobile. Before covering tech, he was a staff writer at the Asbury Park Press and the Herald News, both located in New Jersey. Scott has degrees in journalism and history from William Paterson University, and is based in Greater New York.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights