Peekaboo Zero-Day Exploit Targets Security Camera

Published: 23/11/2024   Category: security




Researchers at Tenable are detailing a new zero-day exploit dubbed Peekaboo, which targets the software that runs security cameras and other surveillance equipment.



A new zero-day exploit, dubbed Peekaboo, can allow cybercriminals and other attackers to tamper with security cameras and other surveillance equipment by taking advantage of a vulnerability in the software platform that runs these devices.
Security firm Tenable detailed the Peekaboo exploit on Sept. 17. It has been assigned CVE-2018-1149.
Specifically, the stack buffer overflow vulnerability is within software developed by Nuuo, which is a popular platform that is used as the base software within at least 100 different brands and some 2,500 different security camera models. This could translate into hundreds of thousands of cameras and other surveillance equipment left vulnerable, according to Tenable.

These types of security cameras and other devices are used in a number of industries, including retail, transportation, education, government and banking. Because the flaw lets cybercriminals manipulate images and video, it's easy to see why this particular vulnerability is such a concern, and why it highlights the dangers associated with connecting Internet of Things devices. (See HNS IoT Botnet Evolves, Goes Cross-Platform.)
"Because of NUUO's vast OEM partner ecosystem, it's possible that this vulnerability is present in devices from other vendors who re-brand NUUO's code," Jacob Baines, a senior research engineer at Tenable, wrote in an email to Security Now. "Our initial estimates show that up to hundreds of thousands of cameras could be manipulated and taken offline worldwide."
The Peekaboo exploit allows for remote code execution, which an attacker could use to access a camera and view video feeds or tamper with recordings. With administrative privileges, cybercriminals can replace a live feed with a static image.
At its core, the Peekaboo bug targets the NVRMini 2 network-attached storage (NAS) device and the network video recorder. From there, an attacker can access the control management system, exposing the credentials of the equipment. By using this root access, a criminal can then change the footage or view what the camera is recording.
The vulnerability appears to affect Nuuo firmware older than version 3.9.0.
This is not the only time Nuuo software has been vulnerable to this type of attack. Specifically, the group behind the Reaper botnet, a variant on the Mirai botnet software that appeared in 2017, targeted a similar vulnerability in the platform. (See IoT Malware-on-the-Fly Expected to Rise.)
"We haven't seen this exploited in the wild yet," Baines wrote about this week's disclosure. "The Tenable Research team started to focus in on NUUO software last fall after the Reaper IoT botnet news broke, as they were one of the vendors impacted. From there, it was a matter of bug hunting."
Tenable first disclosed the vulnerability to Nuuo in June. The company did promise to push out a patch, but, so far, none has been released, according to the company.
— Scott Ferguson is the managing editor of Light Reading and the editor of Security Now. Follow him on Twitter @sferguson_LR.
