Surveillance systems around the world could be at risk Lucas Gallone modified by IDG Comm.

Surveillance systems around the world could be at risk

Researchers at Tenable discovered a zero-day vulnerability dubbed "Peekaboo" which makes video surveillance recordings vulnerable.

The vulnerability is in the NVRMini2 device, a network-attached storage device and network video recorder.

The vulnerability could affect "hundreds of thousands" of cameras worldwide and allows cyber criminals to view and change video surveillance recordings through a remote code execution vulnerability in Nuuo software.

"For example, they [cyber criminals] could replace the live feed with a static image of the area [under surveillance], allowing criminals to enter the premises undetected by the cameras," said Tenable in a statement.

Nuuo software and devices are installed in over 100,000 surveillance systems across the world, there are more than 100 brands and 2,500 different models of cameras could be made vulnerable.

"Once exploited, Peekaboo would give cyber criminals access to the control management system (CMS), exposing the credentials for all connected video surveillance cameras. Using root access on the NVRMini2 device, cybercriminals could disconnect the live feeds and tamper with security footage," Tenable explained.

“The Peekaboo flaw is extremely concerning because it exploits the very technology we rely on to keep us safe," said Renaud Deraison, co-founder and chief technology officer at Tenable.

"As more IoT devices are brought online, the attack surface expands and introduces new risks to both consumers and organisations.”

The vulnerability affects firmware versions older than 3.9.0. Nuuo informed Tenable that a patch is being developed and affected customers should contact Nuuo for further information.

Read more: Veeam apologises for data leak, blames human error

In the meantime, users are urged to control and restrict access to their Nuuo NVRMini2 deployments and limit this to legitimate users from trusted networks only.

Owners of devices connected directly to the internet are especially at risk, Tenable warned, as potential attackers can target them directly over the internet. Affected end users must disconnect these devices from the internet.

IDG Insider


« LG TV support for Google Assistant and Alexa rolls out globally


Vizio Home Theater Sound System with Dolby Atmos review: This speaker covers all the bases »
IDG Connect

IDG Connect tackles the tech stories that matter to you

  • Mail

Recommended for You

Tech Cynic: VR, the never-popular technology

Tech Cynic – IT without the rose-tinted spectacles

Five months on, GDPR doubts remain for this lawyer

Martin Veitch's inside track on today’s tech trends

How can smart solutions help address Southeast Asia's urban challenges?

Keri Allan looks at the latest trends and technologies


Is your organization fully GDPR compliant?