Tenable, a security firm, has recently published a new study disclosing how surveillance cameras are at risk of being attacked by cybercriminals. Attackers who can manipulate the surveillance camera’s software gain the ability to view or disable the video, and can even manipulate the video footage entirely.
The security researchers have aptly named the vulnerability Peekaboo. Peekaboo can compromise software created by NUUO, a popular maker of surveillance system software whose clients include hospitals, banks, and schools all over the world.
The attackers are able to break into the software via a stack buffer overflow, which overwhelms the targeted software and opens the way to remote code execution. They can take advantage of this loophole to gain remote access and take control of accounts without any authorization. In addition, the attackers can gain access to the network cameras connected to the target device.
Tenable writes in its blog: “This is particularly devastating because not only is an attacker able to control the NVR (camera) but the credentials for all the cameras connected to the NVR are stored in plaintext on disk”.
The following diagram explains how Peekaboo works. Tenable has published further details about Peekaboo and its exploits, tested with one of NUUO’s NVRMini2 devices, on its GitHub page. They have provided an example of how attackers grab the credentials for the cameras that are connected to the NVR. Once in control, the attackers are able to create an admin user and disconnect any cameras that are currently connected to the NVR.
The vulnerability was discovered in June, and NUUO was informed of it. NUUO had committed to releasing patches for the issue by 13th September, a date that was later shifted to 18th September, when everyone affected by the vulnerability will get to see the latest 184.108.40.206 version firmware.
Tenable is currently providing a plugin that helps organizations determine their risk from the Peekaboo vulnerability; alternatively, they can contact the manufacturer directly.
According to Tenable, NUUO has currently licensed its software to at least 100 other brands and 2500 surveillance camera models. This makes matters even worse, as it puts thousands of networked cameras around the world at risk, and many groups that operate these devices might have no idea whether the systems they rely on are at risk.