Vulnerability in Nuuo Software Jeopardizes hundreds of thousands of surveillance cameras

Attackers can view and modify records from video cameras, steal data, and turn off video surveillance systems.

Tenable experts revealed some details about the dangerous vulnerability in the software solution for video surveillance systems manufactured by the Taiwanese company Nuuo. With this vulnerability, called Peekaboo, attackers can view and modify records from video cameras, steal information, including logins / passwords, information about IP addresses, used ports, models of connected devices, and completely turn off cameras and video surveillance systems.

Researchers have identified two vulnerabilities – the first is a buffer overflow on the stack and can be exploited remotely by an unauthorized attacker, and the second is a backdoor in the debugging code.

Mainly, the problem concerns an autonomous NVRMini 2 network video recorder for IP cameras, serving as a hub for connected surveillance systems. With a successful attack, attackers can access the content management system interface and, accordingly, the credentials of all devices connected to the storage.

Nuuo software solutions are used by organizations around the world, including banks, hospitals, shopping centers, etc. Since Nuuo software also extends through the White Label model, more than 100 brands and 2.5 thousand lines of IP cameras can be affected. According to preliminary estimates of specialists, we can talk about hundreds of thousands of web cameras and devices around the world.

The experts decided not to disclose technical details about Peekaboo until the release of the corresponding patch. It is known that Nuuo 3.9.0 and earlier versions of the firmware are vulnerable. Researchers also released a plug-in for testing the software for the presence of Peekaboo.

White Label (“white label”) – a model of cooperation that involves the production of products or services by one company and the implementation of another company under its own brand.

Leave a Reply