Hundreds of thousands of security cameras could be vulnerable to a cyber attack that not only allows criminals to access footage but alter it too.
Security researchers Tenable found a flaw in NUUO’s Network Video Recorder software – which the company uses in its 100,000 cameras installed across the world. What’s more, a great many third-party manufacturers also use NUUO software, meaning the total number of vulnerable cameras could stand at nearer 800,000.
Dubbed ‘Peekaboo’, the flaw enables hackers to not only watch footage recorded by the camera but to alter it as well. For example, hackers could loop footage or change it to a still image, so anything that goes on in view of the camera thereafter would be entirely undetected and unrecorded.
That’s not all, as Peekaboo is also thought to impact the entire network to which a device is connected, and not just the camera itself. Theoretically, cyber criminals could use this flaw to steal credentials for all connected security cameras, as well as IP addresses and any other associated data.
The good news for anyone with one or more NUUO-powered camera is that Tenable is remaining tight-lipped on exactly how to exploit this flaw. It has made NUUO aware of the issue but is not releasing the information widely until a patch has been rolled out to fix it. In fact, Tenable told NUUO in secret initially, but only went public with the information in a bid to provoke a reaction after 105 days passed with no patch released.
Since the announcement, NUUO has promised it is working on a fix – although it’s likely that each impacted camera would need to be updated manually, which some analysts have said means that a vast majority of the cameras won’t get patched at all.
Anyone with a NUUO-powered camera on their network is advised to take precautionary measures immediately. These include auditing who has network access and putting restrictions in place where necessary.