Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hackers Hijack Surveillance Camera Footage With 'Peekaboo' Zero-Day Vulnerability (zdnet.com)

Posted by BeauHD on from the hide-and-seek dept.

An anonymous reader quotes a report from ZDNet: A zero-day vulnerability present in security cameras and surveillance equipment using Nuuo software is thought to impact hundreds of thousands of devices worldwide. Researchers from cybersecurity firm Tenable disclosed the bug, which has been assigned as CVE-2018-1149. The vulnerability cannot get much more serious, as it allows attackers to remotely execute code in the software, the researchers said in a security advisory on Monday. Nuuo, describing itself as a provider of "trusted video management" software, offers a range of video solutions for surveillance systems in industries including transport, banking, government, and residential areas.

Dubbed "Peekaboo," the zero-day stack buffer overflow vulnerability, when exploited, allows threat actors to view and tamper with video surveillance recordings and feeds. It is also possible to use the bug to steal data including credentials, IP addresses, port usage, and the make & models of connected surveillance devices. In addition, the bug could be used to fully disable cameras and surveillance products. Peekaboo specifically impacts the NVRMini 2 NAS and network video recorder, which acts as a hub for connected surveillance products. When exploited, the product permitted access to the control management system (CMS) interface, which further exposes credentials of all connected video surveillance cameras connected to the storage system.

25 comments

  1. Bad URL by ArchieBunker · · Score: 1

    Link is broken for the CVE.

    --
    Only the State obtains its revenue by coercion. - Murray Rothbard
  2. why? by Anonymous Coward · · Score: 1

    Why is your camera exposed to the internet?

    With these sorts of devices just assume they will never get updates and *WILL* be rooted.

    1. Re:why? by CaptainDork · · Score: 1

      The Internet (that's the place we are at right now and stuff) provides us with remote access to video footage.

      --
      It little behooves the best of us to comment on the rest of us.
    2. Re:why? by Narcocide · · Score: 2

      I think the official answer is something along the lines of "Fuck you, Nerd! We didn't buy your shit to learn stuff!"

    3. Re:why? by WillAffleckUW · · Score: 1

      But why?

      No, seriously, the majority of cameras are not online.

      It's like asking "why are your curtains open". It's a choice.

      --
      -- Tigger warning: This post may contain tiggers! --
    4. Re:why? by Anonymous Coward · · Score: 0

      Yes. But why did you not protect it? Do you run your telnet ports wide open? No, you close them off and use something like ssh. Why? Because people will break into them. I worked in IoT software for a long time. You would not believe the security holes. Software that will *never* *ever* see a patch. Trust me on this. Put these devices behind a firewall. Lock them down in any way you can. I recommend a separate private network and SSH and a VPN. Sorry we as an industry have built a wildly insecure network. We were just glad it worked!

    5. Re:why? by CaptainDork · · Score: 1

      You can't think of a single reason to look at a remote camera on your phone?

      --
      It little behooves the best of us to comment on the rest of us.
    6. Re:why? by CaptainDork · · Score: 1

      I recommend a separate private network and SSH and a VPN.

      Who's going to pay you to implement that?

      No one.

      The burden of protection is not on the consumer side. None of us wants a goddam fucking hobby.

      We want to plug-and-play and get on with our lives.

      What we will do is avoid the porous packet pitiful product with our pocketbook.

      --
      It little behooves the best of us to comment on the rest of us.
    7. Re:why? by Anonymous Coward · · Score: 1

      I work in retail so I'll use a few examples from the industry.

      1.) Long term archive - these systems have a limited capacity so they will overwrite the oldest footage as needed. Depending on the setup, this may be weeks or even days. With an internet connection it is possible to upload to a longer term, higher capacity storage system.
      2.) Employee investigation - if an employee is suspected of theft, the last thing you want is for said employee to potentially see someone viewing footage. If done off site, the employee isn't aware they are under investigation.
      3.) Sometime there are separations between normal employees and security/asset protection staff and for good reason. If normal employees know the security/asset protection staff, they have a target if they get in trouble. If security/asset protection staff know the normal employees, there is a potential conflict of interest during investigations. Viewing footage offsite removes the problem.
      4.) Property destruction - If say, a fire, burns down a building taking the security system and all the footage with it, there may be a harder time finding the cause. If the footage is stored offsite, the other location is likely safe. Footage is data just like any other form of data. If possible you store it in multiple physical locations. In some industries or government agencies, this off site storage could be a requirement.

    8. Re: why? by Anonymous Coward · · Score: 1

      Yeah I'm not sure why there isn't better setups being used.

      I have 4 security cameras monitoring my elderly parents house (they had some break ins to their garage and yard), managed by a small server running FreeBSD. It's very hardened and allows no connections to the server (camera system), it only allows outbound connections to port 22 and it uploads to my server via ssh (scp). So it's never allowed to be controlled remotely.

      I can't see anything real-time but the camera system is designed to take photos and record in a separate file if motion is detected and those are what it sends to me. So I can technically see things with maybe a 5-10 second delay.

      What's pretty cool is my parents neighbor had someone from the power company accidentally smash his screen door but they wouldn't do anything to fix the matter unless he had proof. When I heard it I pulled up the files and managed to find the entire video of the incident. He got like $1200 from the power company after that although I don't think anyone actually asked to see the video.

    9. Re:why? by pgmrdlm · · Score: 1

      Parents checking up on children while they are at work. Keeping track of contractors working on your property. Motion detector that starts recording notifies you that there is someone on your property while you are at work. You go live to verify.

      --
      Anonymous comments are as pathetic as the anonymous "sources" that contaminate gutless journalism from the New York Time
    10. Re:why? by Anonymous Coward · · Score: 0

      The Internet (that's the place we are at right now and stuff) provides us with remote access to video footage.

      If you were too stupid to protect your remote access to critical systems behind a VPN, or truly question why you need remote access in the first place, then you deserve all the unwanted attention you can get.

    11. Re:why? by CaptainDork · · Score: 1

      If you RTFA, the whole story is that IoT is shipping without protection.

      I don't manufacture the shit I buy.

      I don't use VPN, I have never used VPN, and I don't plan to use VPN.

      It's not up to you to plan my business case regarding cameras and the need to remotely monitor stuff.

      --
      It little behooves the best of us to comment on the rest of us.
  3. Israel hijacks Russian reconnaissance plane by Anonymous Coward · · Score: -1

    by shooting it down with 14 people on-board!

    MOSCOW, September 18. /TASS/. Russia’s Il-20 military aircraft with 14 servicemen on board disappeared over the Mediterranean Sea, an official with Russia’s Defense Ministry told reporters on Tuesday.

    The plane went off the radar while F-16 fighters of the Israeli Air Force attacked targets in the Syrian province of Latakia, the fate of the Russian military is unknown, the official said.

    "On September 17, at about 11:00 Moscow time, the connection with the crew of the Russian Il-20 aircraft was lost over the Mediterranean Sea when the plane was returning to the airbase of Khmeimim, 35 kilometers from the coast of Syria," the official said.

    The ministry specified that "the mark of IL-20 went off the radars disappeared during the attack of four Israeli F-16 aircraft on Syrian targets in the province of Latakia."

    "At the same time, the Russian radars fixed missile launches from the French frigate Auvergne, which was in that area," the Defense Ministry said.

    The official also said that there were 14 servicemen on board and their fate is unknown. The command of Russia’s air base at Khmeimim launched a search and rescue operation.

    1. Re:Israel hijacks Russian reconnaissance plane by Swave+An+deBwoner · · Score: 0

      https://www.express.co.uk/news/world/1018970/Syria-conflict-russia-aircraft-plane-shot-down-Latakia-province-russian

      BREAKING: Russian military aircraft 'SHOT DOWN' over Mediterranean during assault in Syria

      However, a US official with knowledge of the attack, dismissed Russia’s claims and told CNN the maritime patrol aircraft was actually inadvertently shot down by the Syrian regime.

    2. Re:Israel hijacks Russian reconnaissance plane by Anonymous Coward · · Score: 0

      Some accuse (twitter noise) the French boat of shooting the plane down.
      The problem anyway is, why is NATO participating in a surprise attack! Syrian air defense downing the plane is a plausible account, but it comes from a bunch of crooks and liars who are untrustworthy.
      Russia has not attributed the shooting down to anyone yet.
      It's still been caused by missile attacks on towns that host the naval and air Russian military bases.

  4. mod uP by Anonymous Coward · · Score: -1

    CoMe on bAby...and

  5. Kinda like lots of video games by Snotnose · · Score: 1

    where "your" "hacker" reconfigured the video cameras. I remember one, Deux Ex something something. I spent hours being stealthy. Then hit my first boss, who was flat out combat. I did not have any combat skillz, I did not have combat weapons. Gave it maybe an hour over 3-4 days, never got close to defeating that boss.

    I was really enjoying that game too :(

    1. Re:Kinda like lots of video games by Anonymous Coward · · Score: 0

      You're a moron in case Deus Ex didn't explain that to you sufficiently.

  6. BeauHD - Where is the editing? by skogs · · Score: 1

    Why would we bother posting something about a webserver vulnerability? The submission lacks anything useful to take action on or inform; you know like what the actual threat vector is. For all I knew we could just walk through security with a barcode on our tshirts and shut down cameras.

    What is that you say? The threat vector is in a completely abandoned but always online webserver? You don't say! Who would have known!

    Whats that? You say total system takeover and privilege escalation? The ability to run commands? Oh MY!

    Next time how about we:
    1) identify the actual threat, not some 20 year old journalist's stupid sensationalist bullshit
    2) Perhaps identify if this pre-boxed crapware product is using something like an unpatched BSD or Linux inside
    3) Note that reputable vendors have had patches out for years because they're not bad
    4) Leave out the part about all the amazing things one can do with commandline access and programming skills; slashdot croud should already know how computers work.

    --
    Who is this that even the wind and the waves obey Him? Surely this computer must submit also!
    1. Re:BeauHD - Where is the editing? by 110010001000 · · Score: 1

      Millennials don't understand all that stuff. They just want to download an app.

    2. Re:BeauHD - Where is the editing? by Anonymous Coward · · Score: 0

      Millennials don't understand all that stuff. They just want to download an app.

      Quite true. Yes, they are 'good at computers' from the perspective of your standard hiring manager but that is because the standard hiring manager is bad with computers so the millennials are good relatively speaking but not in an absolute sense. Millennials that are 'good with computers', like most members of the general public, of all age groups, don't understand the following:

      1.) Being able to understand the concept of having two different accounts with the same username.
      2.) Knowing the difference between http:// and https:// and why it is important.
      3.) How to navigate a file share.
      4.) How to use a calendar to invite others to a meeting.
      5.) How to find a program in the start menu.
      6.) Just search for the program you say? They don't know the names of the programs they use. They will search for 'email' not 'Outlook' which results in them finding the email app in Windows 10 which is not what they should be using.
      7.) Abstracting the fact that copy/paste works the same way in just about all programs. You have to show them how to copy/paste in Word and then copy/paste again in Outlook and again in Excel.
      8.) A millennial designed and created our company website using WordPress. Now, if I load it in Chrome, I get a warning that unsafe scripts are disabled.
      9.) They don't care about privacy or security. Then again nobody really cares about privacy and security if it in an inconvenience yet they lock their doors when they leave their houses and close their blinds when they change their cloths even though it is an inconvenience to do so.

      This isn't true for all millennials mind you but the ratio of those who understand vs. those that don't is pretty much the same across all demographics. Millennials are no better with computers than any other group despite the assumption they are.

  7. why? it's the monitoring software not the cameras by FeelGood314 · · Score: 1

    This attack is on the remote monitoring system for the cameras. And yes, you do put your camera's on the internet. Most of us are not as rich as some an AC and can't run our own dedicated cable to monitor the cameras.

  8. the on line ver the camera in speed by Joe_Dragon · · Score: 1

    the on line ver the camera in speed

  9. haxxy haxxy haxx0rz! by Anonymous Coward · · Score: 0

    BeauHD still not K-RAD either. Man, you suck.