Bug Found in Surveillance Cameras Makes Feeds Vulnerable

Bug Found in Surveillance Cameras Makes Feeds Vulnerable

Researchers have uncovered a vulnerability which can be used to completely compromise surveillance cameras and feeds.

Researchers have discovered a vulnerability in Nuuo surveillance cameras which can be exploited to hijack these devices and sample with footage and live feeds. 

On Thursday, cybersecurity firm Digital Defense said that its Vulnerability Research Team (VRT) had uncovered a zero-day vulnerability in Nuuo NVRmini 2 Network Video Recorder firmware, software used by hundreds of thousands of surveillance cameras worldwide.

The software is used in a variety of the firm's surveillance camera products. Based on Linux, the solution supports NAS storage and is able to monitor up to 64 live video channels. The vulnerability is an unauthenticated remote buffer overflow security flaw which can be exploited by attackers when they execute arbitrary code on a system with root privileges.

Not only could threat actors harness the bug to access and modify camera feeds and recordings, but also change the configuration and settings of cameras.

"Overflowing of the stack variable, which is intended to hold the request data, results in the overwriting of stored return addresses, and with a properly crafted payload, can be leveraged to achieve arbitrary code execution," Digital Defense said.

NVRmini 2 firmware version 3.9.1 and prior is vulnerable to exploit. Nuuo responded quickly to the researcher's discovery and has released a patch which resolves the issue.

About the Author

Sydny Shepard is the Executive Editor of Campus Security & Life Safety.

Featured

New Products

  • Camden CV-7600 High Security Card Readers

    Camden CV-7600 High Security Card Readers

    Camden Door Controls has relaunched its CV-7600 card readers in response to growing market demand for a more secure alternative to standard proximity credentials that can be easily cloned. CV-7600 readers support MIFARE DESFire EV1 & EV2 encryption technology credentials, making them virtually clone-proof and highly secure.

  • ResponderLink

    ResponderLink

    Shooter Detection Systems (SDS), an Alarm.com company and a global leader in gunshot detection solutions, has introduced ResponderLink, a groundbreaking new 911 notification service for gunshot events. ResponderLink completes the circle from detection to 911 notification to first responder awareness, giving law enforcement enhanced situational intelligence they urgently need to save lives. Integrating SDS’s proven gunshot detection system with Noonlight’s SendPolice platform, ResponderLink is the first solution to automatically deliver real-time gunshot detection data to 911 call centers and first responders. When shots are detected, the 911 dispatching center, also known as the Public Safety Answering Point or PSAP, is contacted based on the gunfire location, enabling faster initiation of life-saving emergency protocols.

  • Automatic Systems V07

    Automatic Systems V07

    Automatic Systems, an industry-leading manufacturer of pedestrian and vehicle secure entrance control access systems, is pleased to announce the release of its groundbreaking V07 software. The V07 software update is designed specifically to address cybersecurity concerns and will ensure the integrity and confidentiality of Automatic Systems applications. With the new V07 software, updates will be delivered by means of an encrypted file.