A NUUO zero-day vulnerability gives hackers your camera feed.
New vulnerabilities found in NUUO surveillance software can put cybercriminals in the director’s chair. When exploited through a stack buffer overflow, the Peekaboo vulnerability grants hackers full control over the surveillance video. Assuming control remotely, a hacker can tamper with the recording, tamper with the feed itself, and generally execute any code he or she wants in the software. This major security flaw is reportedly present in hundreds of thousands of devices around the world, such as the NUUO NVRMini2, a network-attached storage (NAS) device.
Another vulnerability is a backdoor that can be created out of leftover debug code in the software. So, along with access to the surveillance feed, the flaws allow hackers to burrow into the surveillance data, accessing login credentials, port usage, IP addresses, and info on the camera equipment. NUUO provides surveillance video management for residential complexes as well as industries such as banking, transport, and government.
Avast Security Evangelist Luis Corrons comments, “We always say that IoT devices have to be protected, updated, with non-default credentials, etc., which is right. However, this vulnerability could compromise video cameras even if all those precautions have been taken, as the attackers can get the credentials from the NVRMini2. In other words, it can be used to create new armies of IoT bots.”
As for anyone currently using an NVRMini2, Luis has some advice: “Right now, make sure it is isolated from the internet and that only authorized employees can access it through the local network until a patch is available. And those that use a solution from another vendor have to make sure that the vulnerable software is not being used, as NUUO offers it to several providers as OEM and whitelabel.”
NUUO reports that a patch is being developed, though there is no indication yet when it will become available. In the meantime, Avast recommends that if you use NUUO technology, you stay aware of these new zero-day vulnerabilities and keep vigilant for any odd behavior from the software.