NUUO’s global video surveillance software featured zero-day vulnerability
20 September 2018
NUUO, a popular global video surveillance software firm, recently announced a comprehensive security upgrade for NUUO NVRsolo, NVRsolo Plus and NVRmini 2 series surveillance systems after a security firm exposed a critical zero-day vulnerability in those systems.
On Monday, security firm Tenable revealed that NUUO software, which is used widely by retail, transportation, education, government and banking organisations across the globe for web-based video monitoring and surveillance, featured a remote code execution vulnerability that allowed hackers to view and tamper with video surveillance recordings.
Hackers could tamper with surveillance feed
Dubbed “Peekaboo” by the researchers, the remote code execution vulnerability allowed hackers to gain administrative privileges over the surveillance software and replace live feed with static images of a surveilled area, thereby resulting in critical security risks for organisations such as banks and government institutions.
“The vulnerable device, NVRMini2, is a network-attached storage device and network video recorder. Once exploited, Peekaboo would give cybercriminals access to the control management system (CMS), exposing the credentials for all connected video surveillance cameras. Using root access on the NVRMini2 device, cybercriminals could disconnect the live feeds and tamper with security footage,” the researchers explained.
Since the Peekaboo vulnerability allows hackers to access usernames and passwords, any exploitation of the vulnerability could directly affect over 100 brands, 2,500 different models of cameras, and hundreds of thousands of such cameras across the world.
“Our world runs on technology. It helps us monitor, control and engage with each other and our environments. And it’s one of the many reasons we’ve seen a massive surge in connected devices recently. The Peekaboo flaw is extremely concerning because it exploits the very technology we rely on to keep us safe. As more IoT devices are brought online, the attack surface expands and introduces new risks to both consumers and organizations,” said Renaud Deraison, co-founder and chief technology officer at Tenable.
Acting on Tenable’s revelation, NUUO today released a comprehensive security upgrade for NUUO NVRsolo, NVRsolo Plus and NVRmini 2 series surveillance systems and said it will release another patch for such devices in November, even though it stated that other NUUO product lines are NOT affected by the reported vulnerabilities.
“It is confirmed that other NUUO product lines are NOT affected by the reported vulnerabilities. The product development team has issued the security update for the NUUO NVRsolo, NVRsolo Plus and NVRmini 2 series. We highly recommend that our customers upgrade to the appropriate firmware version via the above links as soon as possible for preventing software risks,” it said.
The software patches NUUO issued earlier today are for firmware versions older than 3.9.0 and fix several vulnerabilities, including unrestricted upload of file with dangerous type, unauthenticated remote stack buffer overflow, and backdoor access. Since information about the vulnerability is now in the public domain, NUUO recommends that organisations using any of these devices apply the latest patches as soon as possible.
Surveillance cameras not immune from cyber threats
Even though connected surveillance cameras are critical equipment for the organisations that use them, they are not entirely immune from cyber threats, as many of them feature hidden vulnerabilities that could be exploited by hackers. Earlier this year, Tony Porter, the surveillance camera commissioner, said that the UK’s surveillance camera network, which costs the government £2.2 billion a year, was not immune from cyber threats.
While presenting his Annual Report for 2016-17 to the Home Secretary, Porter not only called for greater transparency in Automatic Number Plate Recognition (ANPR) and other surveillance technologies, but also announced that his department was ‘developing standards for manufacturers, developing buyers guide for surveillance camera systems, training and horizon scanning’.
‘Much frustration still exists amongst the public and purchasing community that equipment fails too easily or quickly degrades thereby rendering the equipment obsolete and also more vulnerable to cyber attack,’ he said.
Aside from alerting operators about the risk from hackers and state actors, Porter also called for more responsibility from operators to ensure that such systems are not used in a way that compromises the privacy of citizens.
‘Bad surveillance is conducted when these standards are absent, where the public lacks confidence in its presence and operation, and are confused about where accountability for its use and regulatory accountability lies,’ he warned.