
This article is more than 1 year old

NUUO, do not want! CCTV webcams can be hacked to spy on you

Owners told to lock down network access to panned surveillance kit

Researchers have uncovered two flaws that leave more than 100,000 NUUO-powered internet-connected surveillance cameras open to remote takeover.

Tenable Research on Monday laid claim to discovering two bugs in NUUO's Network Video Recorder firmware that can be exploited to covertly access a camera's video feed or simply take over the device with malware.

The bugs, named "Peekaboo" for marketing purposes, were both spotted in the NVRMini2, a network-attached device that both stores video recordings and acts as a control gateway for admins and remote viewers. The gizmo uses NUUO's firmware, which harbors the exploitable flaws.

The first of the two flaws (CVE-2018-1149) is a remote code execution vulnerability that can be exploited by overflowing a buffer. An attacker exploits the bug by connecting to a network- or internet-facing device, and submitting a malformed cookie to its web-based control panel that triggers the flaw in the cgi_system binary.

Once the bug has been exploited, the attacker would be able to inject and execute commands with root privileges. From there, the attacker would be able to do anything from seizing control of the camera and accessing all of its video footage to loading up the device with botnet clients to use for other attacks.

The second flaw, meanwhile, would allow an attacker to covertly access a network- or internet-connected camera's controls without needing to trigger a buffer overflow or other programming cockup. Rather, CVE-2018-1150 is a leftover bit of debug code that allows the attacker to pull up all user accounts and change passwords. The attacker would also be able to control the camera and view recordings.


The source of that debug code, and the reason it was not taken out of the firmware before going to production, is unknown.

"This is a very odd artifact. We weren’t able to determine if it’s leftover development code or if it was maliciously added," Team Tenable said.

"To be able to activate and utilize the backdoor, an attacker would need to be able to create the file /tmp/moses, so the attack would require some form of access or need to be combined with another exploit. Its existence and lack of obfuscation in the code is the real mystery."

Because that particular flaw requires a user to already have the ability to create files on the camera, it is not considered a severe risk on its own. Unfortunately, the aforementioned CVE-2018-1149 bug would allow the attacker to do just that – create the required file.

Tenable said it informed the Taiwan-based NUUO of the bug but, at the time of publication, there was no word on a fix. In the meantime, Tenable is recommending that admins take steps to cut off NUUO-powered cameras' access to the internet and other public networks, and make sure only authorized users have a line to the devices. ®

 
