Security researchers can access and modify security footage from Nuuo surveillance systems



Nuuo is a leading vendor of "trusted video management" tools used in conjunction with CCTVs deployed in sensitive applications like surveillance of "transport, banking, government, and residential areas."

By using a new zero-day bug dubbed "Peekaboo" by its discoverers at the security research firm Tenable, attackers can access Nuuo systems, and view, alter, and delete stored video — they can also steal logins, passwords and other sensitive data from the systems. "Hundreds of thousands" of video cameras are connected to vulnerable systems worldwide.

The vulnerability has not yet been patched. A tool from Tenable will let Nuuo system owners determine whether they are vulnerable. Nuuo tools are sold under more than 100 brands, often bundled with cameras under "white label" arrangements.


Peekaboo specifically impacts the NVRMini 2 NAS and network video recorder, which acts as a hub for connected surveillance products. When exploited, the product permitted access to the control management system (CMS) interface, which further exposes credentials of all connected video surveillance cameras connected to the storage system.

Speaking to ZDNet, Gavin Millard, VP of threat intelligence at Tenable, said that organizations all over the world use Nuuo software, including in shopping centers, hospitals, banks, and public areas.

However, therein lies the problem — as the software is also white labeled to over 100 brands and 2,500 camera product lines.

CVE-2018-1149 [Tenable/NIST]


Hackers hijack surveillance camera footage with 'Peekaboo' zero-day vulnerability [Charlie Osborne/ZDNet]


(via /.)