'Peekaboo' Zero-Day Exploit Targets Security Camera

A new zero-day exploit, dubbed "Peekaboo," can allow cybercriminals and other attackers to tamper with security cameras and other surveillance equipment by taking advantage of a vulnerability in the software platform that runs these devices.

Security firm Tenable detailed the Peekaboo exploit on Sept. 17. It's been given an assignment number of CVE-2018-1149.

Specifically, the stack buffer overflow vulnerability is within software developed by Nuuo, which is a popular platform that is used as the base software within at least 100 different brands and some 2,500 different security camera models. This could translate into hundreds of thousands of cameras, and other surveillance equipment left vulnerable, according to Tenable.

(Source: Pixabay)\r\n

These types of security cameras and other devices are used in a number of industries, including retail, transportation, education, government and banking. By allowing cybercriminals to manipulate images and video, it's easy to see why this particular vulnerability is such a concern, as well as the dangers associated with connecting Internet of Things devices. (See HNS IoT Botnet Evolves, Goes Cross-Platform.)

"Because of NUUO's vast OEM partner ecosystem, it's possible that this vulnerability is present in devices from other vendors who re-brand NUUO's code," Jacob Baines, a senior research engineer at Tenable, wrote in an email to Security Now. "Our initial estimates show that up to hundreds of thousands of cameras could be manipulated and taken offline worldwide."

The Peekaboo exploit allows for remote code execution, which an attacker could use to access a camera and view video feeds or tamper with recordings. With administrative privileges, cybercriminals can replace a live feed with a static image.

At its core, the Peekaboo bug targets the NVRMini 2 network-attached storage (NAS) device and the network video recorder. From there, an attacker can access the control management system, exposing the credentials of the equipment. By using this root access, a criminal can then change the footage or view what the camera is recording.

The particular vulnerability appears to affect Nuuo software firmware that is older than the 3.9.0 version.

This is not the only time Nuuo software has been vulnerable to this type of attack. Specifically, the group behind the Reaper botnet, a variant on the Mirai botnet software that appeared in 2017, targeted a similar vulnerability in the platform. (See IoT Malware-on-the-Fly Expected to Rise .)

"We haven't seen this exploited in the wild yet," Baines wrote about this week's disclosure. "The Tenable Research team started to focus in on NUUO software last fall after the Reaper IoT botnet news broke, as they were one of the vendors impacted. From there, it was a matter of bug hunting."

Tenable first disclosed the vulnerability to Nuuo in June. The company did promise to push out a patch, but, so far, none has been released, according to the company.

Related posts:

— Scott Ferguson is the managing editor of Light Reading and the editor of Security Now. Follow him on Twitter @sferguson_LR.