Tenable Research Discovers “Peekaboo” Zero-Day Vulnerability in Global Video Surveillance Software
September 17 2018 - 12:00PM
Tenable®, Inc., the Cyber Exposure company, today announced that
its research team has discovered a zero-day vulnerability which
would allow cybercriminals to view and tamper with video
surveillance recordings via a remote code execution vulnerability
in software from NUUO, one of the leading global video surveillance
solution providers. The vulnerability, dubbed Peekaboo by Tenable
Research, would allow cybercriminals to remotely view video
surveillance feeds and tamper with recordings using administrator
privileges. For example, they could replace the live feed with a
static image of the surveilled area, allowing criminals to enter
the premises undetected by the cameras.
The impact of Peekaboo is significant as NUUO integrates with
hundreds of leading brands. Their ecosystem of supported devices
means that over 100 brands and 2,500 different models of cameras
could be made vulnerable by the access Peekaboo grants to usernames
and passwords. Preliminary estimates show that up to hundreds of
thousands of cameras could be manipulated and taken offline
worldwide.
NUUO software and devices are commonly used for web-based video
monitoring and surveillance in industries such as retail,
transportation, education, government and banking. The vulnerable
device, NVRMini2, is a network-attached storage device and network
video recorder. Once exploited, Peekaboo would give cybercriminals
access to the control management system (CMS), exposing the
credentials for all connected video surveillance cameras. Using
root access on the NVRMini2 device, cybercriminals could disconnect
the live feeds and tamper with security footage. Just last year,
the NUUO NVR devices were specifically targeted by the Reaper IoT
Botnet.
“Our world runs on technology. It helps us monitor, control and
engage with each other and our environments. And it’s one of the
many reasons we’ve seen a massive surge in connected devices
recently,” said Renaud Deraison, co-founder and chief technology
officer, Tenable. “The Peekaboo flaw is extremely concerning
because it exploits the very technology we rely on to keep us safe.
As more IoT devices are brought online, the attack surface expands
and introduces new risks to both consumers and organizations.
Tenable Research is committed to reducing this Cyber Exposure gap
by identifying new, potential attack vectors and arming customers
with the insight they need to reduce their exposure.”
Tenable Research disclosed the vulnerability, which affects
firmware versions older than 3.9.0, to NUUO following standard
procedures outlined in our vulnerability disclosure policy. As of
September 17 at 11 AM ET, a patch has not been issued. NUUO has
informed Tenable that a patch is being developed and affected
customers should contact NUUO for further information. In the
meantime, users are urged to control and restrict access to their
NUUO NVRMini2 deployments and limit this to legitimate users from
trusted networks only. Owners of devices connected directly to the
internet are especially at risk, as potential attackers can target
them directly over the internet. Affected end users must disconnect
these devices from the internet until a patch is released.
Unfortunately, many users will be unaware that their devices are
vulnerable because NUUO software is also integrated into products
from other vendors. In these cases, users should contact their
video surveillance vendors to confirm whether they are exposed and
when a patch will be released.
Tenable has released a plugin to assess whether organizations
are vulnerable to Peekaboo.
For more information on Peekaboo, read the Tenable Research
Advisory blog post.
About Tenable
Tenable®, Inc. is the Cyber
Exposure company. Over 24,000 organizations around the globe rely
on Tenable to understand and reduce cyber risk. As the creator of
Nessus®, Tenable extended its expertise in vulnerabilities to
deliver Tenable.io®, the world’s first platform to see and secure
any digital asset on any computing platform. Tenable customers
include more than 50 percent of the Fortune 500, more than 25
percent of the Global 2000 and large government agencies. Learn
more at tenable.com.
Contact Information:
Cayla Baker
Tenable
tenablepr@tenable.com
443-545-2102, x 1544