IoT
9/18/2018
05:35 PM

Internet-Connected CCTV Cameras Vulnerable to 'Peekaboo' Hack

Zero-day flaw in China-based NUUO's video recorder technology still unfixed three months after vendor was alerted.

A security flaw in a widely used network video recorder technology has put potentially hundreds of thousands of CCTV cameras worldwide at risk of crippling attacks including remote hijacking.

The so-called Peekaboo flaw exists in NUUO Inc.'s NVRMini2, a network-attached storage device that allows organizations to view and manage up to 16 connected CCTV cameras at once. NUUO uses the technology in its own products and also licenses it out to a large number of third-party surveillance system makers and systems integration partners.

Security vendor Tenable, which recently discovered the Peekaboo flaw, said it could potentially impact more than 100 CCTV brands and some 2,500 different camera models installed in industries such as retail, transportation, banking, and government. NUUO was informed of the issue on June 5, 2018, but the China-based surveillance technology vendor had still not addressed the issue as of the morning of Sept. 18, Tenable said.

Peekaboo is another troubling reminder of the risks that organizations face from IoT devices. The Mirai malware attacks of October 2016 were the first to demonstrate how adversaries can take advantage of weakly protected CCTVs, webcams, and other Internet-connected devices to create botnets for launching massive DDoS attacks and distributing malware. Since Mirai, several other IoT-targeted malware tools have become available, including, most recently, the GafGyt malware family.

"As more IoT devices like video surveillance cameras are connected to corporate networks, the enterprise attack surface will continue to expand," says Jacob Baines, senior research engineer at Tenable. "What's important to remember is that these modern assets introduce new risks that must be dealt with," Baines says.

To quell risk to these devices, organizations first need to understand their attack surface so it can be protected. While Peekaboo is serious, it certainly is not the first or last vulnerability of its kind, he says.

Peekaboo, which Tenable revealed in an advisory on Monday, is an unauthenticated stack buffer overflow that could be exploited to carry out activities like tampering with recordings or remotely viewing a camera feed without authorization.

The flaw enables full system access, so attackers can intercept the recordings and feeds of all cameras that might be attached to a vulnerable NVRMini2 video recorder instance. That would allow an attacker to replace live feeds with static images of an area that might be under surveillance, or to tamper with stored footage in order to hide malicious activity.

"For Internet-connected devices, the attack is fairly simple, as the vulnerable code path is accessible to the cybercriminal," Baines says. But it is considerably harder to exploit the flaw in devices that are properly firewalled on an internal network. That would require an attacker to break into the network in order to access vulnerable devices.

Baines says exploiting the flaw is beyond the capabilities of a novice hacker. At the same time, you don't need to be a "grizzled vet" to write it, either. "Understanding ARM assembly, Linux memory layout, ROP, and buffer overflows takes time and isn't trivial. But, the necessary skills are fairly easy to come by in the hacker community," Baines says.

For now, organizations with the devices must wait for NUUO to fix Peekaboo. OEM vendors and integrators also will most likely need to wait on NUUO to address the vulnerability, he says.

Interestingly, NUUO's NVRMini2 video recorder also has a mystery backdoor built into it. The bug has been rated as medium severity, though, because among other things it's only enabled when a file with a specific name exists on the system. To create such a file, an attacker would need some form of access to the device, either physically or through some other exploit.

If enabled, the backdoor would allow an attacker to list all user accounts on the system, change account passwords, view recordings, or remove a camera from a system entirely, Tenable said. It's unclear if the code is something that was left behind during development - or whether it was maliciously inserted. "We can't speculate on how the backdoor ended up in NUUO's software," Baines says.

News of the vulnerabilities in NUUO's technology comes just weeks after President Trump signed into law the Defense Authorization Act of 2019, which among other things prohibits US government agencies, federal prisons, and military branches from buying technologies from some Chinese suppliers. Among the banned items are video surveillance cameras from Dahua Technology Company and Hangzhou Hikvision Digital Technology Company.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

REISEN1955,
User Rank: Ninja
9/21/2018 | 8:10:41 AM
Some interesting views here
In NY State when I was a sole managed services provider, one of my clients was a simple garden and lawn shop in New Jersey and I loved this account. They convinced me that for ease of usage and cost, Brother printers were FAR better than HP laserjets. But the proliferation of interesting and innovative software at this business was endless - and yes they had IP based motion detection cameras outside so that even a Dog could not cross the driveway without being spotted. So this article highlights vulnerabilities that I never considered for a small, single purpose shop. Probably a gazillion more threats like these too.