Photo: Omar Marques/SOPA Images/LightRocket via Getty
Researchers at Tenable announced Monday a security flaw in the firmware of network video recorders made by NUUO that could allow hackers to delete or modify surveillance videos or turn off surveillance entirely. It is not yet patched, although Tenable claims a patch might be available tomorrow.
Why it matters: NUUO makes hardware that records and manages security camera footage. The company's product integrates with more than 100 different camera brands.
The technical details: The vulnerability, which Tenable has dubbed "Peekaboo," is a firmware-level problem allowing for remote code execution.
- The bug is what's known as a buffer overflow, where an attacker sends more data than a computer is designed to receive, leading the computer to inadvertently store the leftover data as commands the computer will later run.
- The company posted a blog with more information and a tool to determine whether systems are vulnerable.
Why announce before a patch is available? There is always a concern when researchers announce vulnerabilities before a patch is available that hackers might use that information to take advantage of unpatched systems.
- Researchers often give a company a deadline to show progress in developing a patch before announcing a vulnerability to the public, to incentivize manufacturers to take vulnerability reports seriously.
- In this case, Tenable alerted the media after giving NUUO 105 days to announce a release date for a patch (Tenable gives a deadline of 90 days). NUUO only announced the patch early Monday, after the media had already been notified.
- "We believe that, thanks to our disclosure the vendor released the patch," Renaud Deraison, co-founder and chief technology officer at Tenable, told Axios.