Dark Reading is part of the Informa Tech Division of Informa PLC


9/18/2018
05:35 PM

Internet-Connected CCTV Cameras Vulnerable to 'Peekaboo' Hack

Zero-day flaw in China-based NUUO's video recorder technology still unfixed three months after vendor was alerted.

A security flaw in a widely used network video recorder technology has put potentially hundreds of thousands of CCTV cameras worldwide at risk of crippling attacks including remote hijacking.

The so-called Peekaboo flaw exists in NUUO Inc.'s NVRMini2, a network-attached storage device that allows organizations to view and manage up to 16 connected CCTV cameras at once. NUUO uses the technology in its own products and also licenses it out to a large number of third-party surveillance system makers and systems integration partners.

Security vendor Tenable, which recently discovered the Peekaboo flaw, said it could potentially impact more than 100 CCTV brands and some 2,500 different camera models installed in industries such as retail, transportation, banking, and government. NUUO was informed of the issue on June 5, 2018, but the China-based surveillance technology vendor had still not addressed the issue as of the morning of Sept. 18, Tenable said.

Peekaboo is another troubling reminder of the risks that organizations face from IoT devices. The Mirai malware attacks of October 2016 were the first to demonstrate how adversaries can take advantage of weakly protected CCTVs, webcams, and other Internet-connected devices to create botnets for launching massive DDoS attacks and distributing malware. Since Mirai, several other IoT-targeted malware tools have become available, including, most recently, the GafGyt malware family.

"As more IoT devices like video surveillance cameras are connected to corporate networks, the enterprise attack surface will continue to expand," says Jacob Baines, senior research engineer at Tenable. "What's important to remember is that these modern assets introduce new risks that must be dealt with," Baines says.

To quell risk to these devices, organizations first need to understand their attack surface so it can be protected. While Peekaboo is serious, it certainly is not the first or last vulnerability of its kind, he says.

Peekaboo, which Tenable revealed in an advisory on Monday, is an unauthenticated stack buffer overflow that could be exploited to carry out activities like tampering with recordings or remotely viewing a camera feed without authorization.

The flaw enables full system access, so attackers can intercept the recordings and feeds of all cameras that might be attached to a vulnerable NVRMini2 video recorder instance. That would allow an attacker to replace live feeds with static images of an area that might be under surveillance, or to tamper with stored footage in order to hide malicious activity.

"For Internet-connected devices, the attack is fairly simple, as the vulnerable code path is accessible to the cybercriminal," Baines says. But it is considerably harder to exploit the flaw in devices that are properly firewalled on an internal network. That would require an attacker to break into the network in order to access vulnerable devices.

Baines says exploiting the flaw is beyond the capabilities of a novice hacker. At the same time, you don't need to be a "grizzled vet" to write it, either. "Understanding ARM assembly, Linux memory layout, ROP, and buffer overflows takes time and isn't trivial. But, the necessary skills are fairly easy to come by in the hacker community," Baines says.

For now, organizations with the devices must wait for NUUO to fix Peekaboo. OEM vendors and integrators also will most likely need to wait on NUUO to address the vulnerability, he says.

Interestingly, NUUO's NVRMini2 video recorder also has a mystery backdoor built into it. The bug has been rated as medium severity, though, because among other things it's only enabled when a file with a specific name exists on the system. To create such a file, an attacker would need some form of access to the device, either physically or through some other exploit.

If enabled, the backdoor would allow an attacker to list all user accounts on the system, change account passwords, view recordings, or remove a camera from a system entirely, Tenable said. It's unclear if the code is something that was left behind during development - or whether it was maliciously inserted. "We can't speculate on how the backdoor ended up in NUUO's software," Baines says.

News of the vulnerabilities in NUUO's technology comes just weeks after President Trump signed into law the Defense Authorization Act of 2019, which, among other things, prohibits US government agencies, federal prisons, and military branches from buying technologies from some Chinese suppliers. Among the banned items are video surveillance cameras from Dahua Technology Company and Hangzhou Hikvision Digital Technology Company.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments
REISEN1955,
User Rank: Ninja
9/21/2018 | 8:10:41 AM
Some interesting views here
In NY State when I was a sole managed services provider, one of my clients was a simple garden and lawn shop in New Jersey and I loved this account. They convinced me that for ease of usage and cost, Brother printers were FAR better than HP laserjets. But the proliferation of interesting and innovative software at this business was endless - and yes they had IP based motion detection cameras outside so that even a Dog could not cross the driveway without being spotted. So this article highlights vulnerabilities that I never considered for a small, single purpose shop. Probably a gazillion more threats like these too.