The “Peekaboo” vulnerability could allow attackers to take control of, and potentially manipulate footage from, software created by NUUO, which is used around the world. The affected product, called NVRMini2, is a storage device and mini recorder, Tenable states in a blog post. Here’s what they found, according to TechCrunch:
The vulnerability works via a stack buffer overflow, overwhelming the targeted software and opening the door for remote code execution. That loophole means that an attacker could remotely access and take over accounts with no authorization, even taking over networked cameras connected to the target device.
Jacob Baines, a senior research engineer at Tenable, developed an exploit demonstrating what could happen.
“An attacker can gain full system access, giving them control over and access to attached camera feeds and recordings. In addition, access credentials for connected cameras can be read in cleartext,” Tenable writes.
In the blog post, Tenable said NUUO’s software is used by third-party vendors through white-labeling and licensing, so the full list of those affected is unknown.
A patch was not immediately available Monday, but Tenable said NUUO was developing one.
“In the meantime, we advise affected end users to restrict and control network access to the vulnerable devices to authorized and legitimate users only,” the company stated.
The vulnerabilities in surveillance systems are among the concerns of cybersecurity pros working on securing devices. Last year, Fulton-based ReFirm Labs found vulnerabilities in specific models of security cameras.