A security flaw in a widely used network video recorder technology has put potentially hundreds of thousands of CCTV cameras worldwide at risk of crippling attacks including remote hijacking.
The so-called Peekaboo flaw exists in NUUO Inc.'s NVRMini2, a network-attached storage device that allows organizations to view and manage up to 16 connected CCTV cameras at once. NUUO uses the technology in its own products and also licenses it out to a large number of third-party surveillance system makers and systems integration partners.
Security vendor Tenable, which recently discovered the Peekaboo flaw, said it could potentially impact more than 100 CCTV brands and some 2,500 different camera models installed in industries such as retail, transportation, banking, and government. NUUO was informed of the issue on June 5, 2018, but the China-based surveillance technology vendor had still not addressed the issue as of the morning of Sept. 18, Tenable said.
Peekaboo is another troubling reminder of the risks that organizations face from IoT devices. The Mirai malware attacks of October 2016 were the first to demonstrate how adversaries can take advantage of weakly protected CCTVs, webcams, and other Internet-connected devices to create botnets for launching massive DDoS attacks and distributing malware. Since Mirai, several other IoT-targeted malware tools have become available, including most recently, the GafGyt malware family.
"As more IoT devices like video surveillance cameras are connected to corporate networks, the enterprise attack surface will continue to expand," says Jacob Baines, senior research engineer at Tenable. "What's important to remember is that these modern assets introduce new risks that must be dealt with," Baines says.
To quell risk to these devices, organizations first need to understand their attack surface so it can be protected. While Peekaboo is serious, it certainly is not the first or last vulnerability of its kind, he says.
Peekaboo, which Tenable revealed in an an advisory on Monday, is an unauthenticated stack buffer overflow that could be exploited to carry out activities like tampering with recordings or remotely viewing a camera feed without authorization.
The flaw enables full system access, so attackers can intercept the recordings and feeds of all cameras that might be attached to a vulnerable NVRMini2 video recorder instance. That would allow an attacker to replace live feeds with static images of an area that might be under surveillance, or to tamper with stored footage in order to hide malicious activity.
"For Internet-connected devices, the attack is fairly simple, as the vulnerable code path is accessible to the cybercriminal," Baines says. But it is considerably harder to exploit the flaw in devices that are properly firewalled on an internal network. That would require an attacker to break into the network in order to access vulnerable devices.
Baines says exploiting the flaw is beyond the capabilities of a novice hacker. At the same time, you don't need to be a "grizzled vet" to write it, either. "Understanding ARM assembly, Linux memory layout, ROP, and buffer overflows takes time and isn't trivial. But, the necessary skills are fairly easy to come by in the hacker community," Baines says.
For now, organizations with the devices must wait for NUUO to fix Peekaboo. OEM vendors and integrators also will most likely need to wait on NUUO to address the vulnerability, he says.
Interestingly, NUUO's NVRMini2 video recorder also has mystery backdoor built into it. The bug has been rated as medium severity, though, because among other things it's only enabled when a file with a specific name exists on the system. To create such a file, an attacker would need some form of access to the device either physically or through some other exploit.
If enabled, the backdoor would allow an attacker to list all user accounts on the system, change account passwords, view recordings, or remove a camera from a system entirely, Tenable said. It's unclear if the code is something that was left behind during development - or whether it was maliciously inserted. "We can't speculate on how the backdoor ended up in NUUO's software," Baines says.
News of the vulnerabilities in NUUO's technology comes just weeks after President Trump signed into law the Defense Authorization Act of 2019 which among other things prohibits US government agencies, federal prisons, and military branches from buying technologies from some Chinese suppliers. Among the banned items are video surveillance cameras from Dahua Technology Company and Hangzhou Hikvision Digital Technology Company.
Black Hat Europe returns to London Dec 3-6 2018 with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio