Sep 17, 2018

Unpatched security problem affects surveillance video recorders


Researchers at Tenable announced Monday a security flaw in the firmware of network video recorders made by NUUO that could allow hackers to delete or modify surveillance videos or turn off surveillance entirely. It is not yet patched, although Tenable claims a patch might be available tomorrow.

Why it matters: NUUO makes hardware that records and manages security camera footage. The company's product integrates with more than 100 different camera brands.

The technical details: The vulnerability, which Tenable has dubbed "Peekaboo," is a firmware-level problem allowing for remote code execution.

  • The bug is what's known as a buffer overflow, where an attacker sends more data than a computer is designed to receive, leading the computer to inadvertently store the leftover data as commands the computer will later run.
  • The company posted a blog with more information and a tool to determine whether systems are vulnerable.

Why announce before a patch is available? There is always a concern when researchers announce vulnerabilities before a patch is available that hackers might use that information to take advantage of unpatched systems.

  • Researchers often give a company a deadline to show progress in developing a patch before announcing a vulnerability to the public, to incentivize manufacturers to take vulnerability reports seriously.
  • In this case, Tenable alerted the media after giving NUUO 105 days to announce a release date for a patch (Tenable gives a deadline of 90 days). NUUO only announced the patch early Monday, after the media had already been notified.
  • "We believe that, thanks to our disclosure the vendor released the patch," Renaud Deraison, co-founder and chief technology officer at Tenable, told Axios.
