The newly named Peekaboo vulnerability is a zero-day flaw in China-based Nuuo’s video recorder technology.The flaw in NVRMini2, a network-attached storage device, has remained unfixed in the three months since the vendor was alerted. This vulnerability put internet-connected CCTV cameras at risk, a grave concern for organizations using the service to view and manage their connected CCTV cameras. NUUO both uses the technology in its own products and licenses it to third-party surveillance system makers and systems integration partners.
Exposure from Peekaboo Vulnerability
Tenable Research, which discovered the Peekaboo flaw, said it could potentially impact more than 100 CCTV brands and approximately 2,500 different camera models. Organizations in wide range of industries, including retail, transportation, banking, and government, install these cameras to improve security. NUUO was informed of the vulnerability on June 5, 2018. Patches are now available on their website.
This is not the first time an IoT vulnerability has brought unexpected risk to organizations. The Mirai botnet attacks showed how hackers can use CCTVs, webcams, and other Internet-connected devices to launch massive distributed denial of service (DDoS) attacks to cause mass disruption. Many of us saw the impact of Mirai in October 2016, when they used the botnets to take down Dyn. Apparently the latest IoT-related risk comes from the Peekaboo vulnerability, opening organizations to risk from an unexpected vector.
Multiple Vulnerabilities Add Risk
The Tenable team found two vulnerabilities; the first was an unauthenticated stack buffer overflow. A buffer overflow attack is when a hacker sends more data than a computer is designed to receive, leading the computer to inadvertently store the leftover data as commands the computer will later run. Buffer overflow is a common code level issue that has been prevalent for years, which can be identified through static analysis. The second vulnerability was a backdoor in leftover debug code, so together the flaws allow hackers to explore the surveillance data and access login credentials, port usage, IP addresses, and other information on the camera equipment itself. These types of issue map directly to coding errors and the remediation exposure disciplines of software exposure.
Let’s take a look, however, at what a patient hacker can do with this particular security camera hack.
Here is a hypothetical example of how a hacker might use the Peekaboo vulnerability:
- Turn off cameras or delete recordings by executing the buffer overflow
- Allow individuals to access to the building
- Install additional software within the building for later use
- Execute that software well after initial camera hack, resulting in significant exploits against the compromised system
- Confuse experts trying to determine the cause of exploit due to the multi-step attack
Think Like a Hacker
As usual, the original hack itself is not the end game. Deleting data or controlling security cameras allows attackers to circumvent security systems to rob residences or businesses. However, my major concern is the potential for infrastructure terrorism on electrical grids, nuclear plants, or water supplies.
Hackers play the long game, and we in the security field need to as well. The software industry must react quickly to vulnerabilities such as Peekaboo, either to provide a patch in our own software, or to apply it as soon as it’s available. Software runs most of the objects we know and use every day. It’s our responsibility to make it as safe and secure as possible.