Hackers Hijack Surveillance Camera Footage With 'Peekaboo' Zero-Day Vulnerability (zdnet.com) 25
An anonymous reader quotes a report from ZDNet: A zero-day vulnerability present in security cameras and surveillance equipment using Nuuo software is thought to impact hundreds of thousands of devices worldwide. Researchers from cybersecurity firm Tenable disclosed the bug, which has been assigned as CVE-2018-1149. The vulnerability cannot get much more serious, as it allows attackers to remotely execute code in the software, the researchers said in a security advisory on Monday. Nuuo, describing itself as a provider of "trusted video management" software, offers a range of video solutions for surveillance systems in industries including transport, banking, government, and residential areas.
Dubbed "Peekaboo," the zero-day stack buffer overflow vulnerability, when exploited, allows threat actors to view and tamper with video surveillance recordings and feeds. It is also possible to use the bug to steal data including credentials, IP addresses, port usage, and the make & models of connected surveillance devices. In addition, the bug could be used to fully disable cameras and surveillance products. Peekaboo specifically impacts the NVRMini 2 NAS and network video recorder, which acts as a hub for connected surveillance products. When exploited, the product permitted access to the control management system (CMS) interface, which further exposes credentials of all connected video surveillance cameras connected to the storage system.
Dubbed "Peekaboo," the zero-day stack buffer overflow vulnerability, when exploited, allows threat actors to view and tamper with video surveillance recordings and feeds. It is also possible to use the bug to steal data including credentials, IP addresses, port usage, and the make & models of connected surveillance devices. In addition, the bug could be used to fully disable cameras and surveillance products. Peekaboo specifically impacts the NVRMini 2 NAS and network video recorder, which acts as a hub for connected surveillance products. When exploited, the product permitted access to the control management system (CMS) interface, which further exposes credentials of all connected video surveillance cameras connected to the storage system.
Bad URL (Score:2)
Link is broken for the CVE.
why? (Score:1)
Why is your camera exposed to the internet?
With these sorts of devices just assume they will never get updates and *WILL* be rooted.
Re: (Score:2)
The Internet (that's the place we are at right now and stuff) provides us with remote access to video footage.
Re: (Score:2)
But why?
No, seriously, the majority of cameras are not online.
It's like asking "why are your curtains open". It's a choice.
Re: (Score:2)
You can't think of a single reason to look at a remote camera on your phone?
Re: (Score:1)
I work in retail so I'll use a few examples from the industry.
1.) Long term archive - these systems have a limited capacity so they will overwrite the oldest footage as needed. Depending on the setup, this may be weeks or even days. With an internet connection it is possible to upload to a longer term, higher capacity storage system.
2.) Employee investigation - if an employee is suspected of theft, the last thing you want is for said employee to potentially see someone viewing footage. If done off site,
Re: (Score:1)
Re: (Score:2)
I recommend a separate private network and SSH and a VPN.
Who's going to pay you to implement that?
No one.
The burden of protection is not on the consumer side. None of us wants a goddam fucking hobby.
We want to plug-and-play and get on with our lives.
What we will do is avoid the porous packet pitiful product with our pocketbook.
Re: (Score:2)
If you RTFA, the whole story is that IoT is shipping without protection.
I don't manufacture the shit I buy.
I don't use VPN, I have never used VPN, and I don't plan to use VPN.
It's not up to you to plan my business case regarding cameras and the need to remotely monitor stuff.
Re: (Score:2)
I think the official answer is something along the lines of "Fuck you, Nerd! We didn't buy your shit to learn stuff!"
why? it's the monitoring software not the cameras (Score:2)
Re: why? (Score:1)
Yeah I'm not sure why there isn't better setups being used.
I have 4 security cameras monitoring my elderly parents house (they had some break ins to their garage and yard), managed by a small server running FreeBSD. It's very hardened and allows no connections to the server (camera system), it only allows outbound connections to port 22 and it uploads to my server via ssh (scp). So it's never allowed to be controlled remotely.
I can't see anything real-time but the camera system is designed to take photos an
Re: (Score:1)
https://www.express.co.uk/news/world/1018970/Syria-conflict-russia-aircraft-plane-shot-down-Latakia-province-russian [express.co.uk]
Kinda like lots of video games (Score:2)
I was really enjoying that game too
BeauHD - Where is the editing? (Score:2)
Why would we bother posting something about a webserver vulnerability? The submission lacks anything useful to take action on or inform; you know like what the actual threat vector is. For all I knew we could just walk through security with a barcode on our tshirts and shut down cameras.
What is that you say? The threat vector is in a completely abandoned but always online webserver? You don't say! Who would have known!
Whats that? You say total system takeover and privilege escalation? The ability to r
Re: (Score:2)
the on line ver the camera in speed (Score:2)
the on line ver the camera in speed