Security Installer Community

Pivot Attacks Using DVRs



The last one is the one that really interests me. I've used DVRs to pivot into networks on pen-tests several times now. They are generally not secure and once I am on them, I can use them to attack the rest of the network. No one suspects these little devices of being malicious. Installers don't know networks so can't firewall or partition them. IT won't touch them because they are installed by a third party.

This also interests me from an installer POV too.

I wanted to split this out to keep the other thread on topic.

Do you find a large number of DVRs provide an attack route on to the network?

Basic or Enterprise kit? Any models you can use as an example?

Do you feel it's up to the manufacturers to design them better or the installers to have them VLAN'd? etc...

Link to comment
Share on other sites

We advise the client of the potential risks and offer a solution. This is either re-configuring their existing routers/switches/firewalls or installing new Cisco kit or, if on a budget, we'll use Smoothwall http://www.smoothwall.org/

 

For me, keep the network security separate. It's too complicated for a CCTV installer to undertake.

Don't forget a single DVR can provide a route onto a network.

 

Below is an example of a system we've recently installed. It's using a Cisco 3925 service router, with layer 2/3 switch, server blade and application acceleration.

Installed on the blade server is Milestone software for the CCTV (but this could have been a separate DVR plugged into the switch). Data/Voice/CCTV is all separated by VLANs and QoS is used.

 

 

Link to comment
Share on other sites

The last one is the one that really interests me. I've used DVRs to pivot into networks on pen-tests several times now. They are generally not secure and once I am on them, I can use them to attack the rest of the network. No one suspects these little devices of being malicious. Installers don't know networks so can't firewall or partition them. IT won't touch them because they are installed by a third party.

 

 

This interests me, we used Windows-based DVRs with software and an after-market firewall/anti-virus software. But this is a very expensive DVR in comparison to the cheaper DVRs we also install as budget systems. Most of which use a cloud-based remote viewing software. I do worry about the fact that there are so many of these recorders out there and it would not be hard for China to upload or write something into their recorders.

Link to comment
Share on other sites

Getting in on all levels..

https://www.vtech.com/en/press_release/2015/statement/

al, don't you fit this range of kit?

Well not quite, I used to stick to Honeywell like ADT

Moved with the times to HKC as ADT have no choice but to move to DIY Visonic kits slapped to the wall in a plug. I did consider Visonic but realised it's "tat", I think you call it?

House bashing is the way forward eh?........

Link to comment
Share on other sites

When I used to sub to Modern Alarms if we did a house it was (nearly) always a substantial house. Now (sadly imo) they have shifted their place in the market. It's now a numbers game imo.

Nothing is foolproof to a sufficiently talented fool.


Link to comment
Share on other sites

This also interests me from an installer POV too.

I wanted to split this out to keep the other thread on topic.

Do you find a large number of DVRs provide an attack route on to the network?

Basic or Enterprise kit? Any models you can use as an example?

Do you feel it's up to the manufacturers to design them better or the installers to have them VLAN'd? etc...

 

I've done a number of pen-tests of small to medium sized businesses where the DVR has been my entry point. I've just written a whitepaper for a client who should be releasing it in the new year that explains in detail why they are so bad.

 

The primary problem is port-forwarding. If you open up the network so you can connect to the DVR, your entire network is reliant on the security of the DVR.

 

Then the DVRs themselves have terrible security. Many of them have backdoor accounts, many run custom protocols with no authentication, many of them have other vulnerabilities. You can get root on them very quickly.

 

Even if they aren't port forwarded to the Internet, a lot of them are vulnerable to attacks from desktop browsers - a carefully crafted link sent to someone in the shop can gain us control of the DVR if it isn't partitioned.

 

Many of the Swann DVRs suffer from this issue:

http://console-cowboys.blogspot.co.uk/2013/01/swann-song-dvr-insecurity.html

 

Despite it being found years ago, new DVRs suffer from the same issue. I've found similar problems in Dahua (who make about 50% of the cheap Chinese DVRs), Evigilo, Dedicated Micros, Pelco. I've tried reporting some of these, and the vendors are totally unresponsive. Unlike the signalling issues though, these place networks at real and immediate risk, so I'm not releasing them.

 

To fix it, it needs a bit of both. The manufacturers need to get better, but security is about layers. If you VLAN the DVR from the rest of the network, then you make most of these attacks much harder.

I have a blog, some of which is about alarm security and reverse engineering:
http://cybergibbons.com/

 

 

 

Link to comment
Share on other sites

Unlike the signalling issues though, these place networks at real and immediate risk, so I'm not releasing them.

That's fair comment.

To fix it, it needs a bit of both. The manufacturers need to get better, but security is about layers. If you VLAN the DVR from the rest of the network, then you make most of these attacks much harder.

From an installer POV we expect the DVR to be secure.

I can understand why many are not; look at Shellshock for example. These CVEs will never be updated in older DVR units.

I wouldn't be surprised if most DVRs sold today are running outdated Linux kernels or suffer from known exploits.

The issue is as you say, the run of the mill engineer is barely capable of punching some holes in the firewall and installing the client. This is where the manufacturers should step up IMO.

After all you say about layers, you can put the DVR on a VLAN to protect the site but what about the private images stored on the DVR?

Ultimately the installer would be responsible if anything did happen.

Link to comment
Share on other sites

question?

Those that do port forward to an insecure device.

If that device is used to gain access or rip a client off, who is liable?

The client for allowing access to their router, the manufacturer for weak security or the installer for bypassing the security of the so called 'firewall'?

securitywarehouse Security Supplies from Security Warehouse

Trade Members please contact us for your TSI vetted trade discount.

Link to comment
Share on other sites

That's fair comment.

From an installer POV we expect the DVR to be secure.

I can understand why many are not; look at Shellshock for example. These CVEs will never be updated in older DVR units.

I wouldn't be surprised if most DVRs sold today are running outdated Linux kernels or suffer from known exploits.

The issue is as you say, the run of the mill engineer is barely capable of punching some holes in the firewall and installing the client. This is where the manufacturers should step up IMO.

After all you say about layers, you can put the DVR on a VLAN to protect the site but what about the private images stored on the DVR?

Ultimately the installer would be responsible if anything did happen.

 

I think manufacturers should be obliged to produce secure devices and provide firmware updates for 3-5 years.

 

Let's not be unreasonable - I'm not expecting a DVR to be totally resistant to attack. But the mistakes that are being made are basic and easily avoidable. Above all, you know that they are not driven by security - once the DVR is out of the door, they have made their money.

What evil **** can I do with ftp & a dm?

being a simple alarm monkey I guess I can do better than just changing files until it bricks ?

 

DM?

question?

Those that do port forward to an insecure device.

If that device is used to gain access or rip a client off, who is liable?

The client for allowing access to their router, the manufacturer for weak security or the installer for bypassing the security of the so called 'firewall'?

 

Personally, if I were you, I would have a disclaimer listing the risks for port-forwarding to a device inside the network. There are alternatives, but they are less convenient and they cost more.

I have a blog, some of which is about alarm security and reverse engineering:
http://cybergibbons.com/

 

 

 

Link to comment
Share on other sites

And just to give you an idea of costs and time - it would probably take about 5 days of work for me to say "This DVR with this given firmware in this configuration is secure enough to be on your network" with any level of confidence.

 

That's clearly not feasible - an installer can't pay for 5 days of consultancy each time he wants a DVR checked out.

 

It has to fall to the vendor.


Currently, I would recommend:

1. VLAN to isolate all security devices from the rest of the network.

2. VPN into the network to access the DVR (this is the convenience bit) rather than rely on port-forwarding.

3. Careful outbound firewalling of the network to attempt to limit damage should someone get in.

 

The problem that still remains is oversight - if the DVR does get owned, how does anyone tell?

I have a blog, some of which is about alarm security and reverse engineering:
http://cybergibbons.com/

 

 

 

Link to comment
Share on other sites
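One way to get some of the oversight asked about in the post above, shown as an added example that is not part of any post in this thread: with the DVR on its own VLAN and outbound traffic firewalled and logged, any flow from the DVR that falls outside a short allowlist is worth an alert. The subnet, allowlist and log lines (written in the style of Linux netfilter LOG output) are all constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Assumptions, not from the thread: DVR VLAN subnet and what it may talk to.
DVR_VLAN = ipaddress.ip_network("10.20.30.0/24")
ALLOWED = [  # (destination network, protocol, destination port)
    (ipaddress.ip_network("10.20.0.5/32"), "udp", 123),  # internal NTP
    (ipaddress.ip_network("10.20.0.10/32"), "tcp", 25),  # mail relay for alerts
]
LINE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)

# Constructed firewall log lines (203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges).
SAMPLE_LOG = """\
Dec  1 10:00:01 fw kernel: FWD IN=vlan30 OUT=vlan1 SRC=10.20.30.15 DST=10.20.0.5 LEN=76 PROTO=UDP SPT=123 DPT=123
Dec  1 10:02:13 fw kernel: FWD IN=vlan30 OUT=vlan10 SRC=10.20.30.15 DST=10.20.10.44 LEN=60 PROTO=TCP SPT=40112 DPT=445
Dec  1 10:02:40 fw kernel: FWD IN=vlan30 OUT=wan0 SRC=10.20.30.15 DST=203.0.113.77 LEN=60 PROTO=TCP SPT=40120 DPT=4444
Dec  1 10:03:02 fw kernel: FWD IN=vlan10 OUT=wan0 SRC=10.20.10.44 DST=198.51.100.9 LEN=60 PROTO=TCP SPT=51000 DPT=443
Dec  1 10:03:05 fw kernel: truncated line SRC=10.20.30.15
"""

def is_allowed(dst, proto, port):
    return any(dst in net and proto == p and port == q for net, p, q in ALLOWED)

def unexpected_flows(log_text):
    """Map each DVR-VLAN source IP to its flows that are not on the allowlist."""
    findings = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not a TCP/UDP flow record, or malformed
        try:
            src = ipaddress.ip_address(m["src"])
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            continue
        if src not in DVR_VLAN:
            continue  # only traffic originating from the DVR VLAN is in scope
        proto, port = m["proto"].lower(), int(m["dpt"])
        if not is_allowed(dst, proto, port):
            findings[str(src)].add((str(dst), proto, port))
    return {ip: sorted(flows) for ip, flows in findings.items()}

if __name__ == "__main__":
    for ip, flows in unexpected_flows(SAMPLE_LOG).items():
        print(f"ALERT {ip} made unexpected connections: {flows}")
```

A DVR normally has a small, predictable set of destinations, so a non-empty result here (a connection into the office VLAN, or to an unknown Internet host) is a strong signal to investigate the device.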

And just to give you an idea of costs and time - it would probably take about 5 days of work for me to say "This DVR with this given firmware in this configuration is secure enough to be on your network" with any level of confidence.

 

That's clearly not feasible - an installer can't pay for 5 days of consultancy each time he wants a DVR checked out.

 

It has to fall to the vendor.

Currently, I would recommend:

1. VLAN to isolate all security devices from the rest of the network.

2. VPN into the network to access the DVR (this is the convenience bit) rather than rely on port-forwarding.

3. Careful outbound firewalling of the network to attempt to limit damage should someone get in.

 

The problem that still remains is oversight - if the DVR does get owned, how does anyone tell?

So points 1 and 2 may be hard to do in some circumstances, point 3 I already do, point 4 (and I know you haven't numbered it): is there a way of setting up intruder detection and email warning if a Windows PC is owned?

Link to comment
Share on other sites

I've not looked at Axis DVRs.

IP cameras are not the worst but no better than Hikvision.

 

Sorry, I meant the cams

 

Surprised at that as they seem to offer a lot of seemingly esoteric security / IPsec options.

 

Not that that makes them more secure by default, I know.

 

And I've never used Hik IP so can't compare.

So, I've decided to take my work back underground.... to stop it falling into the wrong hands

 

Link to comment
Share on other sites

And just to give you an idea of costs and time - it would probably take about 5 days of work for me to say "This DVR with this given firmware in this configuration is secure enough to be on your network" with any level of confidence.

 

If they're all fitted to the same standard and specification, surely this would only need doing once for each model/firmware?

Again I would expect the manufacturer to have had this done externally.

 

I also agree with PJ about 1 and 2 being hard to implement on some networks.

Point 3 should be done as standard for anyone with knowledge of setting up firewalls, however, someone with a network background would understand this in more depth than an alarm monkey.

Link to comment
Share on other sites
