A report by security firm Tenable recently revealed a zero-day vulnerability in security cameras and surveillance equipment that use NUUO software. It is estimated that up to 800 000 cameras are exposed to the flaw, which allows attackers to manipulate the video stream, control the cameras and even turn them off completely. Patches were due last week, but because NUUO's software is licensed to many other vendors, several affected products are expected to remain unpatched.
“Peekaboo” vulnerability exposes IP cameras to hackers
Last week researchers at security firm Tenable disclosed a zero-day vulnerability in IP-based CCTV cameras and surveillance equipment. The vulnerability affects control management system (CMS) software created by NUUO, a self-described global surveillance solution provider.
Dubbed ‘Peekaboo’ and tracked as CVE-2018-1149, the vulnerability is a stack buffer overflow: the software writes more attacker-supplied data into a fixed-size buffer on the stack than the buffer can hold, overwriting adjacent memory and allowing an attacker to execute arbitrary code on the device. Not only does this create an easy way in for attackers, it also exposes every camera connected to the control management system.
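The bug class described above, as an added illustrative example that is not NUUO's code and not Tenable's proof of concept: a hypothetical web handler copies a cookie value into a 32-byte stack buffer with no bound check, shown beside a hardened version that checks the length before writing. The cookie name `session`, the buffer size and the sample headers are all constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size stack buffer for a session token (illustrative). */
#define SESSION_ID_MAX 32

/* Locate cookie `name` in a raw Cookie header ("a=1; b=2"). Returns a pointer
 * to the start of its value and stores the value length in *len, or NULL if
 * the cookie is absent. Only matches a name at the start of a token. */
static const char *find_cookie(const char *header, const char *name, size_t *len)
{
    size_t nlen = strlen(name);
    const char *p = header;
    while (p && *p) {
        while (*p == ' ' || *p == ';')
            p++;
        if (strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            const char *v = p + nlen + 1;
            const char *end = strchr(v, ';');
            *len = end ? (size_t)(end - v) : strlen(v);
            return v;
        }
        p = strchr(p, ';');
    }
    return NULL;
}

/* VULNERABLE pattern (stack buffer overflow): the attacker-controlled value is
 * copied into a 32-byte stack buffer with no check against its size. A value of
 * 32 bytes or more runs past `session` and overwrites whatever the compiler
 * placed above it (other locals, saved registers, the return address), which is
 * how an overflow becomes arbitrary code execution. Shown only to illustrate
 * the defect; never call it on untrusted input. */
int session_from_cookie_unsafe(const char *header)
{
    char session[SESSION_ID_MAX];
    size_t len;
    const char *v = find_cookie(header, "session", &len);
    if (!v)
        return -1;
    memcpy(session, v, len);   /* no comparison with sizeof(session) */
    session[len] = '\0';
    return (int)len;
}

/* HARDENED: the length is compared against the destination before anything is
 * written, and oversized values are rejected (-2) rather than truncated, so a
 * malformed request fails closed instead of corrupting the stack. */
int session_from_cookie_safe(const char *header, char *out, size_t out_size)
{
    size_t len;
    const char *v = find_cookie(header, "session", &len);
    if (!v)
        return -1;
    if (len >= out_size)       /* reserve one byte for the terminator */
        return -2;
    memcpy(out, v, len);
    out[len] = '\0';
    return (int)len;
}

/* Constructed sample inputs, wrapped so the results can be checked. */
int parse_sample(void)
{
    char out[SESSION_ID_MAX];
    int n = session_from_cookie_safe("lang=en; session=abc123; theme=dark",
                                     out, sizeof out);
    return n == 6 && strcmp(out, "abc123") == 0;
}

int parse_missing(void)
{
    char out[SESSION_ID_MAX];
    return session_from_cookie_safe("lang=en; theme=dark", out, sizeof out);
}

/* Header whose session value is n bytes of 'A' (n capped at 400); returns what
 * the hardened parser does with it. */
int probe_safe_with_length(size_t n)
{
    char header[512];
    char out[SESSION_ID_MAX];
    const char prefix[] = "lang=en; session=";
    size_t plen = sizeof prefix - 1;
    if (n > 400)
        n = 400;
    memcpy(header, prefix, plen);
    memset(header + plen, 'A', n);
    header[plen + n] = '\0';
    return session_from_cookie_safe(header, out, sizeof out);
}

int main(void)
{
    printf("sample ok: %d\n", parse_sample());
    printf("31-byte value: %d\n", probe_safe_with_length(31));
    printf("32-byte value: %d (rejected)\n", probe_safe_with_length(32));
    printf("400-byte value: %d (rejected)\n", probe_safe_with_length(400));
    /* The unsafe variant is only ever given a benign value here. */
    printf("unsafe on benign input: %d\n", session_from_cookie_unsafe("session=abc123"));
    return 0;
}
```

The difference between the two handlers is a single comparison, which is typical of this bug class: the fix is trivial once found, but every device shipping the unchecked copy is remotely exploitable until its firmware is replaced.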
“The remote code execution vulnerability especially is of particular concern. Once exploited, Peekaboo gives cyber criminals access to the control management system (CMS), exposing the credentials for all connected CCTV cameras,” Tenable stated in its report.
A proof-of-concept exploit has been posted by Tenable on its GitHub. Tested against one of NUUO’s NVRMini2 devices, it grabs credentials and/or opens a backdoor, demonstrating how easy the vulnerability is to exploit. A video demonstration of the exploit can be seen below.
Protect & patch
Tenable first disclosed the vulnerability to NUUO on June 1, with a patch date set for September 18. Tenable also offers a plugin to quickly test whether a device is vulnerable.
However, a further complication is that NUUO licenses its software to at least 100 other brands and thousands of camera models, which makes pushing out patches quickly difficult. Tenable estimates that indirectly exposed devices number in the hundreds of thousands, many of whose owners may be completely unaware they are vulnerable. Until a fix is available for a given product, the practical mitigation is to keep the recorder's web interface off the public internet and reachable only from a trusted network.