A zero-day flaw in China-based NUUO’s video recorder technology has put potentially hundreds of thousands of CCTV cameras worldwide at risk of remote hijacking.
The Peekaboo flaw exists in NUUO Inc.’s NVRMini2 – a network-attached storage device that allows companies or individuals to view and manage up to 16 connected CCTV cameras at once.
The recently discovered Peekaboo flaw could potentially affect more than 100 CCTV brands and some 2,500 different camera models installed in industries such as retail, transportation, banking, and government.
Peekaboo is another reminder of the risks that companies face from IoT devices. Since the Mirai malware attacks of October 2016, weakly protected CCTVs, webcams, and other Internet-connected devices have been easily turned into botnets that are used for launching massive DDoS attacks and distributing malware.
Researchers who analyzed it say that Peekaboo is an unauthenticated stack buffer overflow that could be exploited to carry out activities like tampering with recordings or remotely viewing a camera feed without authorization.
Remember, everything can be hacked. To stay away from threats related to the cyber world, we recommend installing antivirus for Windows or antivirus for Mac on every device that you own, depending on which OS your device is running. If you are a company, it is also recommended to hire a specialized cybersecurity company every year to run annual tests on your company’s network. These tests include penetration testing and ethical hacking tests.
The flaw gives hackers full system access, meaning that they can intercept the recordings and feeds of all cameras that might be attached to a vulnerable NVRMini2 video recorder instance.
The attack is a very simple one because the vulnerable code path is relatively easy for hackers to reach, even when a firewall is present.
For now, companies or individuals that use the affected devices must wait for NUUO to fix Peekaboo.
But there is an even worse twist here: the fix may never come. Interestingly, NUUO’s NVRMini2 video recorder also has a mystery backdoor built into it from the assembly line. The bug, a medium-severity one, only becomes enabled when a file with a specific name exists on the system. To create such a file, a hacker needs some form of access to the device, either physically or through some other exploit.
If enabled, the backdoor lets the hacker list all user accounts on the system, change account passwords, view recordings, or remove a camera from a system entirely.
Because of flaws like these in Chinese electronics, President Trump signed the Defense Authorization Act of 2019, which among other things prohibits US government agencies, federal prisons, and military branches from buying technologies from some Chinese suppliers.
Among the banned items are video surveillance cameras from Dahua Technology Company and Hangzhou Hikvision Digital Technology Company.
We will continue to monitor this cyber security problem. Meanwhile, users should keep a keen eye out for any cyber attacks. Remember to use an antivirus for Windows or antivirus for Mac on every device that you own, depending on which OS your machine is running. If you are a company, we recommend hiring a specialized cybersecurity company every year to run annual tests on your company’s network; tests like this include penetration testing and ethical hacking.