Peekaboo: Don’t Be Surprised by These Not So Candid Cameras

Tenable Research

Tenable Research discovered a major software flaw, dubbed Peekaboo, which gives cyber criminals control of certain video surveillance cameras, allowing them to secretly monitor, tamper with and even disable feeds. Here’s a quick look at what we know today.

What’s Peekaboo?

Peekaboo is a security vulnerability in software made by NUUO, a global video surveillance vendor. The software is used in devices like closed-circuit television (CCTV) cameras and networked video recorders and storage devices. When cyberattackers exploit the flaw, they can manipulate the cameras and take them offline – all without ever being detected.

Who does Peekaboo affect?

Organizations all over the world use NUUO software in their video surveillance systems to protect shopping centers, banks, hospitals, schools and other crowded locations. NUUO also OEMs and white labels its software to more than 100 brands and 2,500 models of cameras. In fact, preliminary estimates show that Peekaboo could affect up to hundreds of thousands of web-based cameras and devices worldwide.

How does Peekaboo work?

Peekaboo can give cyber criminals control of video surveillance cameras using NUUO software, allowing them to secretly monitor, tamper with and even disable the feed. Even worse, once they’ve hacked the camera, they can access the camera feeds of any other device it’s connected to.

By exploiting the Peekaboo vulnerability, cyberattackers can steal specifics about all the networked cameras, including key data like login credentials as well as the make and model, IP address and port. All this can happen in the span of a few seconds, without the admins’ knowledge.

Here’s what the hack looks like….

What’s the potential impact of Peekaboo?

Devices with NUUO software are used in diverse environments like banks, retail locations and transportation centers. By exploiting this weakness, attackers could monitor CCTV feeds to surreptitiously gather information, disable cameras or tamper with security footage. For example, they could replace the live feed with a static image of the surveilled area, allowing criminals to enter the premises undetected by the cameras.

What should I do about Peekaboo?

There is no patch available at this time. We advise affected users to restrict and control network access to the vulnerable devices to authorized and legitimate users only.

How was Peekaboo discovered?

Jacob Baines, senior research engineer at Tenable, discovered the Peekaboo vulnerability in NUUO NVRMini2. He then began the disclosure process with NUUO.

This isn’t the first time NUUO NVR devices have been in the news. Just last year, the NUUO NVR devices were specifically targeted by the Reaper IoT botnet.

Want more information?

Read more >

Published on Sep 17, 2018

People also viewed

API Delivery Engineer

Uxbridge United Kingdom Furzeground Way , Stockley Park, Uxbridge, United Kingdom, UB11 1EZ Professional Services Professional Services
Your Role:Assist in the deployment and configuration of Tenable solutions within client organisations. The consultant will provide technical support, preparation and documentation to clients as part of a small delivery team. The consultant will in...

Principal Research Engineer

Paris Paris France Paris, France Sensors Research & Development
Your Opportunity:As the Cyber Exposure market leader Tenable is looking for a passionate and talented Principal Researcher for its Tenable Research team. Tenable Research is significant and growing global security research team consisting of rever...

Security Consultant - API

North Sydney Australia Pacific Highway, North Sydney, Australia, NSW 2060 Professional Services Professional Services
Your Role:Tenable’s Global Professional Services organization performs Tenable product installation, configuration, customizations, and security audits for our clients, and is looking to hire a security consultant with expertise developing scripts...

Field Product Manager

Seattle Washington United States 5th Ave, Seattle, Washington, United States, 98101 Product Management Research & Development
Your Role:The Field Product Manager  supports and works with Product Management, Engineering, Product Marketing, Sales, and other internal teams to guide on how Tenable products and services could be used to best suit customer needs. This supporti...

Technical Product Manager - Cloud Services

New York New York United States Broadway, New York, United States, 10012 Product Management Research & Development
Your Role:Tenable is looking for a Technical Product Manager - Cloud Services, responsible for driving the product strategy and management of our cloud services, platform infrastructure, and public APIs. This full-stack PMrole is expected to be sk...

Sr. UI Engineer

Los Angeles California United States West Jefferson Boulevard, Playa Vista, Los Angeles, California, United States, 90066 Cloud Platforms Research & Development
Your Role:Tenable is looking for an extraordinary Senior UI Engineer to join the Tenable.io Engineering team. This is an opportunity to make a high impact while helping the team deliver on a next-generation enterprise web application. The ideal ca...

We have big plans for continued global growth, and we’re looking for people who are creative, flexible and dedicated to helping us build something great – something that matters.