Hackers Hijack Surveillance Camera Footage With 'Peekaboo' Zero-Day Vulnerability

An anonymous reader quotes a report from ZDNet: A zero-day vulnerability present in security cameras and surveillance equipment using Nuuo software is thought to impact hundreds of thousands of devices worldwide. Researchers from cybersecurity firm Tenable disclosed the bug, which has been assigned as CVE-2018-1149. The vulnerability cannot get much more serious, as it allows attackers to remotely execute code in the software, the researchers said in a security advisory on Monday. Nuuo, describing itself as a provider of "trusted video management" software, offers a range of video solutions for surveillance systems in industries including transport, banking, government, and residential areas.

Dubbed "Peekaboo," the zero-day stack buffer overflow vulnerability, when exploited, allows threat actors to view and tamper with video surveillance recordings and feeds. It is also possible to use the bug to steal data including credentials, IP addresses, port usage, and the make & models of connected surveillance devices. In addition, the bug could be used to fully disable cameras and surveillance products. Peekaboo specifically impacts the NVRMini 2 NAS and network video recorder, which acts as a hub for connected surveillance products. When exploited, the product permitted access to the control management system (CMS) interface, which further exposes credentials of all connected video surveillance cameras connected to the storage system.

Bad URL

[ArchieBunker]

Link is broken for the CVE.

why?

Why is your camera exposed to the internet?

With these sorts of devices just assume they will never get updates and *WILL* be rooted.

Re:why?

[CaptainDork]

The Internet (that's the place we are at right now and stuff) provides us with remote access to video footage.

Re:why?

[Narcocide]

I think the official answer is something along the lines of "Fuck you, Nerd! We didn't buy your shit to learn stuff!"

Re:why?

[WillAffleckUW]

But why?

No, seriously, the majority of cameras are not online.

It's like asking "why are your curtains open". It's a choice.

Re:why?

[CaptainDork]

You can't think of a single reason to look at a remote camera on your phone?

Re:why?

[CaptainDork]

I recommend a separate private network and SSH and a VPN.

Who's going to pay you to implement that?

No one.

The burden of protection is not on the consumer side. None of us wants a goddam fucking hobby.

We want to plug-and-play and get on with our lives.

What we will do is avoid the porous packet pitiful product with our pocketbook.

Re:why?

I work in retail so I'll use a few examples from the industry.

1.) Long term archive - these systems have a limited capacity so they will overwrite the oldest footage as needed. Depending on the setup, this may be weeks or even days. With an internet connection it is possible to upload to a longer term, higher capacity storage system.
2.) Employee investigation - if an employee is suspected of theft, the last thing you want is for said employee to potentially see someone viewing footage. If done off site, the employee isn't aware they are under investigation.
3.) Sometime there are separations between normal employees and security/asset protection staff and for good reason. If normal employees know the security/asset protection staff, they have a target if they get in trouble. If security/asset protection staff know the normal employees, there is a potential conflict of interest during investigations. Viewing footage offsite removes the problem.
4.) Property destruction - If say, a fire, burns down a building taking the security system and all the footage with it, there may be a harder time finding the cause. If the footage is stored offsite, the other location is likely safe. Footage is data just like any other form of data. If possible you store it in multiple physical locations. In some industries or government agencies, this off site storage could be a requirement.

Re: why?

Yeah I'm not sure why there isn't better setups being used.

I have 4 security cameras monitoring my elderly parents house (they had some break ins to their garage and yard), managed by a small server running FreeBSD. It's very hardened and allows no connections to the server (camera system), it only allows outbound connections to port 22 and it uploads to my server via ssh (scp). So it's never allowed to be controlled remotely.

I can't see anything real-time but the camera system is designed to take photos and record in a separate file if motion is detected and those are what it sends to me. So I can technically see things with maybe a 5-10 second delay.

What's pretty cool is my parents neighbor had someone from the power company accidentally smash his screen door but they wouldn't do anything to fix the matter unless he had proof. When I heard it I pulled up the files and managed to find the entire video of the incident. He got like $1200 from the power company after that although I don't think anyone actually asked to see the video.

Re:why?

[pgmrdlm]

Parents checking up on children while they are at work. Keeping track of contractors working on your property. Motion detector that starts recording notifies you that there is someone on your property while you are at work. You go live to verify.

Re:why?

[CaptainDork]

If you RTFA, the whole story is that IoT is shipping without protection.

I don't manufacture the shit I buy.

I don't use VPN, I have never used VPN, and I don't plan to use VPN.

It's not up to you to plan my business case regarding cameras and the need to remotely monitor stuff.

Kinda like lots of video games

[Snotnose]

where "your" "hacker" reconfigured the video cameras. I remember one, Deux Ex something something. I spent hours being stealthy. Then hit my first boss, who was flat out combat. I did not have any combat skillz, I did not have combat weapons. Gave it maybe an hour over 3-4 days, never got close to defeating that boss.

I was really enjoying that game too :(

BeauHD - Where is the editing?

[skogs]

Why would we bother posting something about a webserver vulnerability? The submission lacks anything useful to take action on or inform; you know like what the actual threat vector is. For all I knew we could just walk through security with a barcode on our tshirts and shut down cameras.

What is that you say? The threat vector is in a completely abandoned but always online webserver? You don't say! Who would have known!

Whats that? You say total system takeover and privilege escalation? The ability to run commands? Oh MY!

Next time how about we:
1) identify the actual threat, not some 20 year old journalist's stupid sensationalist bullshit
2) Perhaps identify if this pre-boxed crapware product is using something like an unpatched BSD or Linux inside
3) Note that reputable vendors have had patches out for years because they're not bad
4) Leave out the part about all the amazing things one can do with commandline access and programming skills; slashdot croud should already know how computers work.

Re:BeauHD - Where is the editing?

[110010001000]

Millennials don't understand all that stuff. They just want to download an app.

why? it's the monitoring software not the cameras

[FeelGood314]

This attack is on the remote monitoring system for the cameras. And yes, you do put your camera's on the internet. Most of us are not as rich as some an AC and can't run our own dedicated cable to monitor the cameras.

the on line ver the camera in speed

[Joe_Dragon]

the on line ver the camera in speed