Eskenzi PR ad banner Eskenzi PR ad banner
  • About Us
Wednesday, 1 February, 2023
IT Security Guru
Eskenzi PR banner
  • Home
  • Features
  • Insight
  • Events
    • Most Inspiring Women in Cyber 2022
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Events
    • Most Inspiring Women in Cyber 2022
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
IT Security Guru
No Result
View All Result

Tenable Research Discovers “Peekaboo” Zero-Day Vulnerability In Global Video Surveillance Software.

by The Gurus
September 17, 2018
in Opinions & Analysis
Tenable Logo
Share on FacebookShare on Twitter

Tenable®, Inc., the Cyber Exposure company, today announced that its research team has discovered a zero-day vulnerability which would allow cybercriminals to view and tamper with video surveillance recordings via a remote code execution vulnerability in NUUO software — one of the leading global video surveillance solution providers. The vulnerability, dubbed Peekaboo by Tenable Research, would allow cybercriminals to remotely view video surveillance feeds and tamper with recordings using administrator privileges. For example, they could replace the live feed with a static image of the surveilled area, allowing criminals to enter the premises undetected by the cameras.

The impact of Peekaboo is significant as NUUO integrates with hundreds of leading brands. Their ecosystem of supported devices means that over 100 brands and 2,500 different models of cameras could be made vulnerable by the access Peekaboo grants to usernames and passwords. Preliminary estimates show that up to hundreds of thousands of cameras could be manipulated and taken offline worldwide.

NUUO software and devices are commonly used for web-based video monitoring and surveillance in industries such as retail, transportation, education, government and banking. The vulnerable device, NVRMini2, is a network-attached storage device and network video recorder. Once exploited, Peekaboo would give cybercriminals access to the control management system (CMS), exposing the credentials for all connected video surveillance cameras. Using root access on the NVRMini2 device, cybercriminals could disconnect the live feeds and tamper with security footage. Just last year, the NUUO NVR devices were specifically targeted by the Reaper IoT Botnet.

“Our world runs on technology. It helps us monitor, control and engage with each other and our environments. And it’s one of the many reasons we’ve seen a massive surge in connected devices recently,” said Renaud Deraison, co-founder and chief technology officer, Tenable. “The Peekaboo flaw is extremely concerning because it exploits the very technology we rely on to keep us safe. As more IoT devices are brought online, the attack surface expands and introduces new risks to both consumers and organisations. Tenable Research is committed to reducing this Cyber Exposure gap by identifying new, potential attack vectors and arming customers with the insight they need to reduce their exposure.”

Tenable Research disclosed the vulnerability, which affects firmware versions older than 3.9.0, to NUUO following standard procedures outlined in our vulnerability disclosure policy. As of September 17 at 11 AM ET, a patch has not been issued. NUUO has informed Tenable that a patch is being developed and affected customers should contact NUUO for further information. In the meantime, users are urged to control and restrict access to their NUUO NVRMini2 deployments and limit this to legitimate users from trusted networks only. Owners of devices connected directly to the internet are especially at risk, as potential attackers can target them directly over the internet. Affected end users must disconnect these devices from the internet until a patch is released. Unfortunately, many users will be unaware that their devices are vulnerable because NUUO software is also integrated into products from other vendors. In these cases, users should contact their video surveillance vendors to confirm whether they are exposed and when a patch will be released.

Tenable has released a plugin to assess whether organisations are vulnerable to Peekaboo. Click here for more details.

For more information on Peekaboo, read the Tenable Research Advisory blog post.

About Tenable
Tenable®, Inc. is the Cyber Exposure company. Over 24,000 organisations around the globe rely on Tenable to understand and reduce cyber risk. As the creator of Nessus®, Tenable extended its expertise in vulnerabilities to deliver Tenable.io®, the world’s first platform to see and secure any digital asset on any computing platform. Tenable customers include more than 50 percent of the Fortune 500, more than 25 percent of the Global 2000 and large government agencies. Learn more at tenable.com.

[tpr-boilerplate company=’null’]

FacebookTweetLinkedIn
ShareTweetShare
Previous Post

The 3 Most Powerful Types of Threat Information Sharing – and How to Stay Compliant

Next Post

Weaving the security thread into the business conversation

Recent News

JD Sports admits data breach

JD Sports admits data breach

January 31, 2023
Acronis seals cyber protection partnership with Fulham FC

Acronis seals cyber protection partnership with Fulham FC

January 30, 2023
Data Privacy Day: Securing your data with a password manager

Data Privacy Day: Securing your data with a password manager

January 27, 2023
#MIWIC2022: Carole Embling, Metro Bank

#MIWIC2022: Carole Embling, Metro Bank

January 26, 2023

The IT Security Guru offers a daily news digest of all the best breaking IT security news stories first thing in the morning! Rather than you having to trawl through all the news feeds to find out what’s cooking, you can quickly get everything you need from this site!

Our Address: 10 London Mews, London, W2 1HY

Follow Us

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic

  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Events
    • Most Inspiring Women in Cyber 2022
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic

This site uses functional cookies and external scripts to improve your experience.

Privacy settings

Privacy Settings / PENDING

This site uses functional cookies and external scripts to improve your experience. Which cookies and scripts are used and how they impact your visit is specified on the left. You may change your settings at any time. Your choices will not impact your visit.

NOTE: These settings will only apply to the browser and device you are currently using.

GDPR Compliance

Powered by Cookie Information