Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Peekaboo: Don’t Be Surprised by These Not So Candid Cameras

Tenable Research discovered a major software flaw, dubbed Peekaboo, which gives cyber criminals control of certain video surveillance cameras, allowing them to secretly monitor, tamper with and even disable feeds. Here’s a quick look at what we know today.

What’s Peekaboo?

Peekaboo is a security vulnerability in software made by NUUO, a global video surveillance vendor. The software is used in devices like closed-circuit television (CCTV) cameras and networked video recorders and storage devices. When cyberattackers exploit the flaw, they can manipulate the cameras and take them offline – all without ever being detected.

Who does Peekaboo affect?

Organizations all over the world use NUUO software in their video surveillance systems to protect shopping centers, banks, hospitals, schools and other crowded locations. NUUO also OEMs and white labels its software to more than 100 brands and 2,500 models of cameras. In fact, preliminary estimates show that Peekaboo could affect up to hundreds of thousands of web-based cameras and devices worldwide.

How does Peekaboo work?

Peekaboo can give cyber criminals control of video surveillance cameras using NUUO software, allowing them to secretly monitor, tamper with and even disable the feed. Even worse, once they’ve hacked the camera, they can access the camera feeds of any other device it’s connected to.

By exploiting the Peekaboo vulnerability, cyberattackers can steal specifics about all the networked cameras, including key data like login credentials as well as the make and model, IP address and port. All this can happen in the span of a few seconds, without the admins’ knowledge.

Here’s what the hack looks like….

What’s the potential impact of Peekaboo?

Devices with NUUO software are used in diverse environments like banks, retail locations and transportation centers. By exploiting this weakness, attackers could monitor CCTV feeds to surreptitiously gather information, disable cameras or tamper with security footage. For example, they could replace the live feed with a static image of the surveilled area, allowing criminals to enter the premises undetected by the cameras.

What should I do about Peekaboo?

There is no patch available at this time. We advise affected users to restrict and control network access to the vulnerable devices to authorized and legitimate users only.

How was Peekaboo discovered?

Jacob Baines, senior research engineer at Tenable, discovered the Peekaboo vulnerability in NUUO NVRMini2. He then began the disclosure process with NUUO.

This isn’t the first time NUUO NVR devices have been in the news. Just last year, the NUUO NVR devices were specifically targeted by the Reaper IoT botnet.

Want more information?

Related Posts

Subscribe to the Tenable Blog

Subscribe
Try for Free Buy Now

Try Tenable.io

FREE FOR 60 DAYS

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now and run your first scan within 60 seconds.

Buy Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

$2,190.00

Buy Now

Try for Free Buy Now

Try Nessus Professional Free

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save

Try for Free Buy Now

Try Tenable.io Web Application Scanning

FREE FOR 60 DAYS

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now and run your first scan within 60 seconds.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578.00

Buy Now

Try for Free Contact Sales

Try Tenable.io Container Security

FREE FOR 60 DAYS

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Learn More about Industrial Security