 Post subject: SEVERE Vulnerability in some DVR Firmware
PostPosted: Wed Jan 30, 2013 2:17 pm 
Registered User

Joined: Apr 2012
Posts: 6

Offline
My apologies if this is a re-post, but has everyone heard about the vulnerabilities in Ray Sharp DVRs as well as rebranded DVR products by Swann, Lorex, URMET, KGuard, Defender, DEAPA/DSP Cop, SVAT, Zmodo, BCS, Bolide, EyeForce, Atlantis, Protectron, Greatek, Soyo, Hi-View, Cosmos, and J2000?

http://console-cowboys.blogspot.com/2013/01/swann-song-dvr-insecurity.html
https://community.rapid7.com/community/metasploit/blog/2013/01/28/ray-sharp-cctv-dvr-password-retrieval-remote-root

Basically, if you use one of these devices, you probably ought not port-forward TCP 9000 from the internet unless you are restricting access by source. Changing this port might add a bit of security through obscurity but you'd still be totally vulnerable. Possible attacks include accessing clear-text admin passwords, creepy unauthorized access with said account, as well as using the DVR as a pivot point for attacking other internal network resources, e.g. your laptop, iPhone, PC, and whatever else. There's already a Metasploit aux/scanner module to discover vulnerable systems and dump the admin password.

As far as I know, neither Ray Sharp nor the rebranders have responded to this. I wouldn't be surprised if they never do. I've always wondered how many inadvertent (vulnerabilities) and purposeful (backdoors) security issues there are in these ubiquitous, cheap, poorly-developed DVRs. I've had Avtech and Dahua DVRs myself. Although it's hard to beat the value of these cheap devices, it's just a matter of time before more and more of these severe remote vulnerabilities are found as they become more prevalent. Let's just hope that the good guys (researchers) find them before those who would use them for their own nefarious purposes.

Jake



  
 Post subject: Re: SEVERE Vulnerability in Ray Sharp DVR Firmware
PostPosted: Thu Jan 31, 2013 9:28 am 
Registered User

Joined: Jul 2012
Posts: 1162

Offline
It also exposes your email address complete with password if you have entered it into the box for notifications. Fun fun, especially with an easy way to identify tens of thousands of the devices on the net.



  
 Post subject: Re: SEVERE Vulnerability in Ray Sharp DVR Firmware
PostPosted: Thu Jan 31, 2013 11:36 am 
Registered User

Joined: Jun 2012
Posts: 336

Offline
This is a good wakeup call for all of us. I'm sure there are plenty of other exploits for the other branded DVRs that aren't well known yet....



  
 Post subject: Re: SEVERE Vulnerability in some DVR Firmware
PostPosted: Mon Feb 25, 2013 10:00 pm 
Registered User

Joined: May 2011
Posts: 629
Location: Ontario Canada

Offline
I am thinking a firewall rule would solve this: only allowing remote connections from certain IP addresses outside the network would add some more security. Next time I am in the office I am going to shake down one of my DVRs with my Nessus vulnerability scanner and see what it returns.

_________________
Sector Security Solutions

http://www.secsecur.ca
@secsecur
T: 866-208-1845

Axis Certified Partner
Mobotix Partner



  
 Post subject: Re: SEVERE Vulnerability in some DVR Firmware
PostPosted: Fri May 31, 2013 3:12 am 
Registered User

Joined: Apr 2013
Posts: 445

Offline
Does this issue apply if we don't expose the web admin port to the outside internet and only expose the client/mobile two ports?



  
 Post subject: Re: SEVERE Vulnerability in some DVR Firmware
PostPosted: Mon Jun 17, 2013 7:26 pm 
Registered User

Joined: May 2011
Posts: 629
Location: Ontario Canada

Offline
I would assume so, without actually testing it on a DVR, as the mobile ports still need to authenticate and what is being attacked is the authentication method, not the web port.


  
 Post subject: Re: SEVERE Vulnerability in some DVR Firmware
PostPosted: Mon Jul 08, 2013 8:00 am 
Registered User

Joined: Jul 2013
Posts: 5

Offline
I am very interested in your post and have some questions. Since the security camera I am considering will be 700 ft away from the router, I understand I will need an amplified access point such as an AP600EX which uses a bidirectional antenna, and a range extender such as an AP600EX, which greatly increases the vulnerability for a scanner to pick up the signal.
I know most of the devices in my home must have the WPA2 code to access the router and one can restrict the MAC addresses to known devices and password the router itself. Does this mean that the camera system relies on computer access in order to be operational, or are there camera systems that work on SD cards, have the ability to contain their own logon, and the fact that that logon is broadcast over a great distance produces the vulnerability for scanners to intercept the logon and duplicate it for access?

Are there workarounds for this such as prohibiting remote logon to the computer still leave a vulnerability as once the router is compromised, a hacker could add a foreign MAC address and intercept access from any computer or cell phone connecting to the network?

A little knowledge would help so that when I hire someone to do the job, I can make sure he is a true professional and does not leave the back door unlocked.
Thanks



  
 Post subject: Re: SEVERE Vulnerability in some DVR Firmware
PostPosted: Wed Jul 10, 2013 2:19 pm 
Registered User

Joined: Nov 2012
Posts: 17

Offline
JoeyJoey wrote:
Does this issue apply if we don't expose the web admin port to the outside internet and only expose the client/mobile two ports?


Just took a quick look at the page. I don't think so.
Apparently you can view and set password thru viewer port according to the post. The point is, what most users want is, only the authorized person can view the video. But the device is not doing any check on username/password, anyone can view the video thru the net.

I've seen several DVRs and network cameras with a dummy login screen so this is no surprise. (some allow you to login by just hitting ESC)



  
 Post subject: Re: SEVERE Vulnerability in some DVR Firmware
PostPosted: Tue Mar 01, 2016 4:31 pm 
Registered User

Joined: Mar 2016
Posts: 3

Offline
I like these devices as they are extremely reliable - sad thing is, after testing 18 of them including those from ADT & Yale, they all have the daily hard-coded admin password issue - You can log in as admin and if you have the daily password list, you type in the password that is relevant to what day of the year it is. Straight into setup, no other questions asked. Can be done via the main control port with the right knowledge - locking off port 80 and others may not help.

The only way to secure these devices is to use a firewall that can let in dyndns enabled phones - You need to run the dyndns client first on your phone, then the firewall will only let in devices that have that dyndns name. VPNs also work well but are much more problematic. pfSense is router software that uses older PCs and works well with this method.

If anyone knows of any DVR that they think is secure, I would love to know.

They all seem built with the same 'engine' which has the password issues.



  
 Post subject: Re: SEVERE Vulnerability in some DVR Firmware
PostPosted: Sat Jun 30, 2018 5:26 pm 
Registered User

Joined: Mar 2011
Posts: 80

Offline
I'm so glad to see people getting around to this kind of thing.
Any Internet device made outside the US and especially made in China is subject to backdoors and security risks. But we all know that.
I doubt they even need a password. There are probably backdoors they can use to go around any password.
What's worse, your DVR is likely programmed to "phone home" as soon as you get it connected.

Putting the DVR on a hard to guess port might be a first good move. But a port scanner can get around that quickly.
In order to reach the DVR, they have to have the port that it listens on.

If you have a hardware firewall appliance like a Cisco or Watchguard, you can limit access to that port to specific IP addresses.
Then if you set that appliance to detect and auto block port scans that will help.
We see a large number of port scans on our network and it's probably the number one reason IPs get blocked.

The 2nd protection you have is your IP address.
Problem is, it's not easy to get a unique IP address on your phone and you may end up allowing tens of thousands of IP addresses to ensure yours is allowed through.
Your cellular IP probably changes often. Check it at WhatsMyIP.org and make note of how often it changes.

Basically think of password security like an open window. They're not supposed to come in through it but they will.
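
Added example (not part of the original thread or any poster's code): a Python audit of a router's port-forward table that applies the advice given in this thread. Every forward that reaches the DVR is judged only by how wide its allowed source range is, whatever external port it uses. The rule format, the DVR address 192.168.1.50, the 256-address threshold and the sample rules are constructed assumptions.

```python
import ipaddress

DVR_HOST = "192.168.1.50"   # assumed LAN address of the DVR (constructed)
MAX_SOURCE_ADDRESSES = 256  # assumed policy: larger source ranges count as broad

# Constructed port-forward table:
# (external_port, internal_host, internal_port, allowed_source_cidr)
SAMPLE_RULES = [
    (9000,  "192.168.1.50", 9000, "0.0.0.0/0"),       # control port open to all
    (49000, "192.168.1.50", 9000, "0.0.0.0/0"),       # same exposure, unusual port
    (9001,  "192.168.1.50", 9000, "203.0.113.7/32"),  # one known remote address
    (9002,  "192.168.1.50", 9000, "100.64.0.0/10"),   # whole carrier-sized range
    (8443,  "192.168.1.10", 443,  "0.0.0.0/0"),       # different host, out of scope
]


def audit_forwards(rules, dvr_host=DVR_HOST, max_addresses=MAX_SOURCE_ADDRESSES):
    """Classify every forward that reaches the DVR by how wide its source is.

    The external port is reported but never used for the verdict: moving the
    service to another port does not change who is allowed to connect.
    """
    findings = []
    for ext_port, host, int_port, source in rules:
        if host != dvr_host:
            continue
        net = ipaddress.ip_network(source, strict=False)
        if net.prefixlen == 0:
            verdict = "OPEN"          # any address on the internet
        elif net.num_addresses > max_addresses:
            verdict = "BROAD"         # restricted on paper, huge in practice
        else:
            verdict = "RESTRICTED"
        findings.append((ext_port, int_port, source, net.num_addresses, verdict))
    return findings


def needs_attention(findings):
    """Return only the forwards that are not narrowly source-restricted."""
    return [f for f in findings if f[4] != "RESTRICTED"]


if __name__ == "__main__":
    for ext, internal, src, count, verdict in audit_forwards(SAMPLE_RULES):
        print(f"{verdict:<10} ext {ext:>5} -> {DVR_HOST}:{internal}  "
              f"source {src} ({count} addresses)")
```
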



The contents of this webpage are copyright © 2003-2016 CCTVForum.com. All Rights Reserved.