Zero-day in popular video surveillance technology goes public, unpatched

Sharp-eyed researchers have spotted a critical vulnerability in numerous surveillance devices from the video management company NUUO.

We’ve seen this before: In 2016, multiple critical vulnerabilities in NUUO devices were publicized in an excruciatingly public way. The latest — a buffer overflow issue — was spotted by researchers at the U.S. cybersecurity firm Tenable, which has named the bug Peekaboo.

The bug allows remote code execution on video surveillance systems. That means a hacker could watch or tamper with surveillance feeds.

Tenable publicly detailed the bug on its blog after having privately notified NUUO more than 90 days ago. The Maryland-based cybersecurity company’s vulnerability disclosure policy states that after 90 days, researchers will go public.

NUUO, which is based in Taiwan and has offices worldwide, says a patch is in development.

NUUO’s products can be found in government buildings as well as in industries including banking, retail and transportation. The company’s software works with cameras from over 100 different brands, 2,500 product lines and over 100,000 global installations.

“The Peekaboo flaw is extremely concerning because it exploits the very technology we rely on to keep us safe,” Tenable chief technology officer Renaud Deraison said in a statement.

Last year, NUUO cameras were among those targeted by the Reaper IoT botnet.

NUUO did not respond to a request for comment.