Sep 17, 2018

Unpatched security problem affects surveillance video recorders

Photo: Omar Marques/SOPA Images/LightRocket via getty

Researchers at Tenable announced Monday a security flaw in the firmware of network video recorders made by NUUO that could allow hackers to delete or modify surveillance videos or turn off surveillance entirely. It is not yet patched, although Tenable claims a patch might be available tomorrow.

Why it matters: NUUO makes hardware that records and manages security camera footage. The company's product integrates with more than 100 different camera brands.

The technical details: The vulnerability, which Tenable has dubbed "Peekaboo," is a firmware-level problem allowing for remote code execution.

  • The bug is what's known as a buffer overflow, where an attacker sends more data than a computer is designed to receive, leading the computer to inadvertantly store the leftover data as commands the computer will later run.
  • The company posted a blog with more information and a tool to determine whether systems are vulnerable.

Why announce before a patch is available? There is always a concern when researchers announce vulnerabilities before a patch is available that hackers might use that information to take advantage of unpatched systems.

  • Researchers often give a deadline for a company to show progress in developing a patch before announcing a vulnerability to the public to incentivize manufacturers taking vulnerability reports seriously.
  • In this case, Tenable alerted the media after giving NUUO 105 days to announce a release date for a patch (Tenable gives a deadline of 90 days). NUUO only announced the patch early Monday, after the media had already been notified.
  • "We believe that, thanks to our disclosure the vendor released the patch," Renaud Deraison, co-founder and chief technology officer at Tenable, told Axios.

Go deeper

Teenager killed after shots fired at protesters in Detroit

Detroit police during protests on Friday night. Photo: Matthew Hatcher/Getty Images

A 19-year-old man was killed on Friday night after shots were fired into a crowd of demonstrators in downtown Detroit who were protesting the death of George Floyd in Minneapolis police custody, per AP.

Details: The teenager was injured when shots were fired from an SUV about 11:30 p.m. and later died in hospital, reports MDN reports, which noted police were still looking for a suspect. Police said officers were not involved in the shooting, according to AP.

Go deeper: In photos: Protesters clash with police nationwide over George Floyd

Updated 5 hours ago - Politics & Policy

In photos: Protesters clash with police nationwide over George Floyd

Police officers grapple with protesters in Atlanta. Photo: Elijah Nouvelage/Getty Images

Police used tear gas, rubber bullets and pepper spray as the protests sparked by the killing of George Floyd spread nationwide on Friday evening.

The big picture: Police responded in force in cities ranging from Atlanta to Des Moines, Houston to Detroit, Milwaukee to D.C. and Denver to Louisville. In Los Angeles, police declared a stretch of downtown off limits, with Oakland issuing a similar warning.

Updated 5 hours ago - Politics & Policy

Supreme Court sides with California on coronavirus worship service rules

The Supreme Court has ruled 5-4, with Chief Justice John Roberts joining the court's liberal justices, to reject a challenge to California's pandemic restrictions on worship services.

Why it matters: This is a setback for those seeking to speed the reopening of houses of worship, including President Trump.