jake.reynolds

SEVERE Vulnerability in some DVR Firmware

My apologies if this is a re-post but has everyone heard about the vulnerabilities in Ray Sharp DVRs as well as rebranded DVR products by Swann, Lorex, URMET, KGuard, Defender, DEAPA/DSP Cop, SVAT, Zmodo, BCS, Bolide, EyeForce, Atlantis, Protectron, Greatek, Soyo, Hi-View, Cosmos, and J2000?

http://console-cowboys.blogspot.com/2013/01/swann-song-dvr-insecurity.html

https://community.rapid7.com/community/metasploit/blog/2013/01/28/ray-sharp-cctv-dvr-password-retrieval-remote-root

Basically, if you use one of these devices, you probably ought not port-forward TCP 9000 from the internet unless you are restricting access by source. Changing this port might add a bit of security through obscurity but you'd still be totally vulnerable. Possible attacks include accessing clear-text admin passwords, creepy unauthorized access with said account, as well as using the DVR as a pivot point for attacking other internal network resources, e.g. your laptop, iPhone, PC, and whatever else. There's already a Metasploit aux/scanner module to discover vulnerable systems and dump the admin password.

As far as I know neither Ray Sharp nor the rebranders have responded to this. I wouldn't be surprised if they never do. I've always wondered how many inadvertent (vulnerabilities) and purposeful (backdoors) security issues there are in these ubiquitous, cheap, poorly-developed DVRs. I've had Avtech and Dahua DVRs myself. Although it's hard to beat the value of these cheap devices, it's just a matter of time before more and more of these severe remote vulnerabilities are found as they become more prevalent. Let's just hope that the good guys (researchers) find them before those who would use them for their own nefarious purposes.

Jake
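
The check recommended in the post above (no forward to TCP 9000 without a source restriction), as an added example that is not part of the original post: it audits `iptables-save -t nat` style rules and also flags forwards that use a changed external port, since the post notes that moving the port does not help. The sample rules, addresses and function names are constructed for illustration; port ranges and IPv6 are not handled.

```python
import shlex

DVR_PORT = 9000  # port named in the post above

# Constructed sample of `iptables-save -t nat` output (illustrative addresses).
SAMPLE_RULES = """\
-A PREROUTING -i eth0 -p tcp -m tcp --dport 9000 -j DNAT --to-destination 192.168.1.50:9000
-A PREROUTING -i eth0 -p tcp -m tcp --dport 19000 -j DNAT --to-destination 192.168.1.50:9000
-A PREROUTING -s 203.0.113.7/32 -i eth0 -p tcp -m tcp --dport 9000 -j DNAT --to-destination 192.168.1.50:9000
-A PREROUTING -s 0.0.0.0/0 -i eth0 -p tcp -m tcp --dport 9000 -j DNAT --to-destination 192.168.1.50
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.1.10:443
"""

def parse_rule(line):
    """Map option -> value for one rule; a negated option ('! -s') gets key '!-s'."""
    toks, opts, i = shlex.split(line), {}, 0
    while i < len(toks):
        neg = toks[i] == "!"
        if neg:
            i += 1
        nxt = toks[i + 1] if i + 1 < len(toks) else "-"
        if i < len(toks) and toks[i].startswith("-") and nxt != "!" and not nxt.startswith("-"):
            opts[("!" if neg else "") + toks[i]] = nxt
            i += 2
        else:
            i += 1
    return opts

def exposed_forwards(rules_text, port=DVR_PORT):
    """Return (external_port, internal_host, internal_port) for unrestricted forwards."""
    findings = []
    for line in rules_text.splitlines():
        if not line.startswith("-A "):
            continue
        o = parse_rule(line)
        if o.get("-j") != "DNAT" or "--to-destination" not in o:
            continue
        host, _, inner = o["--to-destination"].partition(":")
        # With no port in the target, DNAT keeps the original destination port.
        inner = inner or o.get("--dport", "")
        if inner != str(port):
            continue
        src = o.get("-s")  # a negated source ('! -s') still admits everyone else
        if src is None or src.startswith("0.0.0.0/0"):
            findings.append((o.get("--dport"), host, inner))
    return findings

if __name__ == "__main__":
    for ext, host, inner in exposed_forwards(SAMPLE_RULES):
        print(f"unrestricted forward: external {ext} -> {host}:{inner}")
```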


It also exposes your email address complete with password if you have entered it into the box for notifications. Fun fun, especially with an easy way to identify tens of thousands of the devices on the net.


This is a good wakeup call for all of us. I'm sure there are plenty of other exploits for the other branded DVRs that aren't well known yet....


I am thinking a firewall rule would solve this, only allow remote connections from certain IP addresses outside the network, would add some more security. Next time I am in the office I am going to shake down one of my DVRs with my Nessus Vulnerability scanner, see what it returns.


Does this issue apply if we don't expose the web admin port to the outside internet and only expose the client/mobile two ports?


I would assume so, without actually testing it on a DVR, as the mobile ports still need to authenticate, and what is being attacked is the authentication method, not the web port.


I am very interested in your post and have some questions. Since the security camera I am considering will be 700 ft away from the router, I understand I will need an amplified access point such as an AP600EX which uses a bidirectional antenna, and a range extender such as an AP600EX which greatly increases the vulnerability for a scanner to pick up the signal.

I know most of the devices in my home must have the WPA2 code to access the router and one can restrict the MAC addresses to known devices and password the router itself. Does this mean that the camera system relies on computer access in order to be operational, or are there camera systems that work on SD cards and have the ability to contain their own logon, and does the fact that that logon is broadcast over a great distance produce the vulnerability for scanners to intercept the logon and duplicate it for access?

Are there workarounds for this, such as prohibiting remote logon to the computer, or would that still leave a vulnerability, as once the router is compromised, a hacker could add a foreign MAC address and intercept access from any computer or cell phone connecting to the network?

A little knowledge would help so that when I hire someone to do the job, I can make sure he is a true professional and does not leave the back door unlocked.

Thanks

Does this issue apply if we don't expose the web admin port to the outside internet and only expose the client/mobile two ports?

Just took a quick look at the page. I don't think so.

Apparently you can view and set password thru viewer port according to the post. The point is, what most users want is, only the authorized person can view the video. But the device is not doing any check on username/password, anyone can view the video thru the net.

I've seen several DVRs and network cameras with a dummy login screen so this is no surprise. (some allow you to login by just hitting ESC)


I like these devices as they are extremely reliable - sad thing is, after testing 18 of them including those from ADT & Yale, they all have the daily hard coded admin password issue - You can login as admin and if you have the daily password list, you type in the password that is relevant to what day of the year it is. Straight into setup, no other questions asked. Can be done via the main control port with the right knowledge - locking off port 80 and others may not help.

The only way to secure these devices is to use a firewall that can let in dyndns enabled phones - You need to run the dyndns client first on your phone, then the firewall will only let in devices that have that dyndns name. VPNs also work well but are much more problematic. pfSense is router software that uses older PCs and works well with this method.

If anyone knows of any DVR that they think is secure, I would love to know.

They all seem built with the same 'engine' which has the password issues.


I'm so glad to see people getting around to this kind of thing.

Any Internet device made outside the US and especially made in China is subject to backdoors and security risks. But we all know that.

I doubt they even need a password. There are probably backdoors they can use to go around any password.

What's worse, your DVR is likely programmed to "phone home" as soon as you get it connected.

Putting the DVR on a hard to guess port might be a first good move. But a port scanner can get around that quickly.

In order to reach the DVR, they have to have the port that it listens on.

If you have a hardware firewall appliance like a Cisco or Watchguard, you can limit access to that port to specific IP addresses.

Then if you set that appliance to detect and auto block port scans that will help.

We see a large number of port scans on our network and it's probably the number one reason IPs get blocked.

The 2nd protection you have is your IP address.

Problem is, it's not easy to get a unique IP address on your phone and you may end up allowing tens of thousands of IP addresses to ensure yours is allowed through.

Your cellular IP probably changes often. Check it at WhatsMyIP.org and make note of how often it changes.

Basically think of password security like an open window. They're not supposed to come in through it but they will.

