9/18/2018
05:35 PM

Internet-Connected CCTV Cameras Vulnerable to 'Peekaboo' Hack

Zero-day flaw in China-based NUUO's video recorder technology still unfixed three months after vendor was alerted.

A security flaw in a widely used network video recorder technology has put potentially hundreds of thousands of CCTV cameras worldwide at risk of crippling attacks including remote hijacking.

The so-called Peekaboo flaw exists in NUUO Inc.'s NVRMini2, a network-attached storage device that allows organizations to view and manage up to 16 connected CCTV cameras at once. NUUO uses the technology in its own products and also licenses it out to a large number of third-party surveillance system makers and systems integration partners.

Security vendor Tenable, which recently discovered the Peekaboo flaw, said it could potentially impact more than 100 CCTV brands and some 2,500 different camera models installed in industries such as retail, transportation, banking, and government. NUUO was informed of the issue on June 5, 2018, but the China-based surveillance technology vendor had still not addressed the issue as of the morning of Sept. 18, Tenable said.

Peekaboo is another troubling reminder of the risks that organizations face from IoT devices. The Mirai malware attacks of October 2016 were the first to demonstrate how adversaries can take advantage of weakly protected CCTVs, webcams, and other Internet-connected devices to create botnets for launching massive DDoS attacks and distributing malware. Since Mirai, several other IoT-targeted malware tools have become available, including most recently, the GafGyt malware family.

"As more IoT devices like video surveillance cameras are connected to corporate networks, the enterprise attack surface will continue to expand," says Jacob Baines, senior research engineer at Tenable. "What's important to remember is that these modern assets introduce new risks that must be dealt with," Baines says.

To quell risk to these devices, organizations first need to understand their attack surface so it can be protected. While Peekaboo is serious, it certainly is not the first or last vulnerability of its kind, he says.

Peekaboo, which Tenable revealed in an advisory on Monday, is an unauthenticated stack buffer overflow that could be exploited to carry out activities like tampering with recordings or remotely viewing a camera feed without authorization.

The flaw enables full system access, so attackers can intercept the recordings and feeds of all cameras that might be attached to a vulnerable NVRMini2 video recorder instance. That would allow an attacker to replace live feeds with static images of an area that might be under surveillance, or to tamper with stored footage in order to hide malicious activity.

"For Internet-connected devices, the attack is fairly simple, as the vulnerable code path is accessible to the cybercriminal," Baines says. But it is considerably harder to exploit the flaw in devices that are properly firewalled on an internal network. That would require an attacker to break into the network in order to access vulnerable devices.

Baines says exploiting the flaw is beyond the capabilities of a novice hacker. At the same time, you don't need to be a "grizzled vet" to write an exploit for it, either. "Understanding ARM assembly, Linux memory layout, ROP, and buffer overflows takes time and isn't trivial. But, the necessary skills are fairly easy to come by in the hacker community," Baines says.

For now, organizations with the devices must wait for NUUO to fix Peekaboo. OEM vendors and integrators also will most likely need to wait on NUUO to address the vulnerability, he says.

Interestingly, NUUO's NVRMini2 video recorder also has a mystery backdoor built into it. The bug has been rated as medium severity, though, because among other things it's only enabled when a file with a specific name exists on the system. To create such a file, an attacker would need some form of access to the device, either physically or through some other exploit.

If enabled, the backdoor would allow an attacker to list all user accounts on the system, change account passwords, view recordings, or remove a camera from a system entirely, Tenable said. It's unclear if the code is something that was left behind during development - or whether it was maliciously inserted. "We can't speculate on how the backdoor ended up in NUUO's software," Baines says.

News of the vulnerabilities in NUUO's technology comes just weeks after President Trump signed into law the Defense Authorization Act of 2019, which among other things prohibits US government agencies, federal prisons, and military branches from buying technologies from some Chinese suppliers. Among the banned items are video surveillance cameras from Dahua Technology Company and Hangzhou Hikvision Digital Technology Company.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments
REISEN1955,
User Rank: Ninja
9/21/2018 | 8:10:41 AM
Some interesting views here
In NY State when I was a sole managed services provider, one of my clients was a simple garden and lawn shop in New Jersey and I loved this account. They convinced me that for ease of usage and cost, Brother printers were FAR better than HP laserjets. But the proliferation of interesting and innovative software at this business was endless - and yes they had IP based motion detection cameras outside so that even a Dog could not cross the driveway without being spotted. So this article highlights vulnerabilities that I never considered for a small, single purpose shop. Probably a gazillion more threats like these too.