Unpatched security problem affects surveillance video recorders

Researchers at Tenable announced Monday a security flaw in the firmware of network video recorders made by NUUO that could allow hackers to delete or modify surveillance videos or turn off surveillance entirely. It is not yet patched, although Tenable claims a patch might be available tomorrow.

Why it matters: NUUO makes hardware that records and manages security camera footage. The company's product integrates with more than 100 different camera brands.

The technical details: The vulnerability, which Tenable has dubbed "Peekaboo," is a firmware-level problem allowing for remote code execution.

• The bug is what's known as a buffer overflow, where an attacker sends more data than a computer is designed to receive, leading the computer to inadvertantly store the leftover data as commands the computer will later run.
• The company posted a blog with more information and a tool to determine whether systems are vulnerable.

Why announce before a patch is available? There is always a concern when researchers announce vulnerabilities before a patch is available that hackers might use that information to take advantage of unpatched systems.

• Researchers often give a deadline for a company to show progress in developing a patch before announcing a vulnerability to the public to incentivize manufacturers taking vulnerability reports seriously.
• In this case, Tenable alerted the media after giving NUUO 105 days to announce a release date for a patch (Tenable gives a deadline of 90 days). NUUO only announced the patch early Monday, after the media had already been notified.
• "We believe that, thanks to our disclosure the vendor released the patch," Renaud Deraison, co-founder and chief technology officer at Tenable, told Axios.