Cheap Dvr Leaves Your Network Vulnerable To Attack

[Rob Kirk]

Surely unless you are a skilled hacker a password protected dvr with random port is enough to stop the amateur? That is safe enough not to have to scare the customer into saying you are compromising there routers security.

 

Also i thought that again unless highly skilled the only access an open port gives is to the connected dvr or whatever is connected to that port again with the password it wouldn't even give access to the dvr.

 

Also the hacker has to know the type of dvr and the port it is using along with the password etc. Type into google hacking port cctv and you see people getting into office systems and supermarkets because they know the type of systems and are skilled/determined for something to do but i can't see them wanting to go through a list of ip's randomly testing for open ports? unless they have software to scan for such weaknesses I'm no expert so this could be the case one day.

[GalaxyGuy]

Rob, your understanding is incorrect. All of these hacks are automated and it doesn't take an expert to implement them. Once you have root access to a device, then you have access to the sub network it sits on.

Basically, don't set up port forwarding for customers - alway use a VPN for internal device access. If installers cannot set up a VPN, or don't really understand IP networking, then they need to get some training or subcontract that part.

[PeterJames]

Should this not be in trade?

See post 31, I would have agreed with you on this Rich, its not about hiding it from the public, its about giving spotty nerdy kids ideas.

 

Surely unless you are a skilled hacker a password protected dvr with random port is enough to stop the amateur? That is safe enough not to have to scare the customer into saying you are compromising there routers security.

 

Also i thought that again unless highly skilled the only access an open port gives is to the connected dvr or whatever is connected to that port again with the password it wouldn't even give access to the dvr.

 

Also the hacker has to know the type of dvr and the port it is using along with the password etc. Type into google hacking port cctv and you see people getting into office systems and supermarkets because they know the type of systems and are skilled/determined for something to do but i can't see them wanting to go through a list of ip's randomly testing for open ports? unless they have software to scan for such weaknesses I'm no expert so this could be the case one day.

The point is there are plenty of highly skilled people out there extracting money from peoples bank accounts right now by simply sending them an email with an attachment. But not everyone is daft enough to open an email attachment from someone they have never heard of.  Its only a matter of time before the highly skilled suss that you can get on a network via a DVR. I am not that particularly skilled but I bet I could do it (Not that I ever would )

[Rob Kirk]

See post 31, I would have agreed with you on this Rich, its not about hiding it from the public, its about giving spotty nerdy kids ideas.

 

The point is there are plenty of highly skilled people out there extracting money from peoples bank accounts right now by simply sending them an email with an attachment. But not everyone is daft enough to open an email attachment from someone they have never heard of.  Its only a matter of time before the highly skilled suss that you can get on a network via a DVR. I am not that particularly skilled but I bet I could do it (Not that I ever would )

I agree, and yes i was wrong in my understanding but the last time i port forwarded was for my dads cctv system in around 07 I've not installed many dvrs in houses. since then he's upgraded to a plug and play system that doesn't need port forwarding and i have to, I'm not that clued up on cctv to be honest but these new plug and play systems that dont need port forwarding would they be on a vpn? if not are they safe?

[PeterJames]

I agree, and yes i was wrong in my understanding but the last time i port forwarded was for my dads cctv system in around 07 I've not installed many dvrs in houses. since then he's upgraded to a plug and play system that doesn't need port forwarding and i have to, I'm not that clued up on cctv to be honest but these new plug and play systems that dont need port forwarding would they be on a vpn? if not are they safe?

Plug and play are likely to be more vulnerable than port forwarded machines.

[datadiffusion]

And more of a known and attractive target

[cybergibbons]

Part of the issue here is you don't need to port forward for the device to be at risk. Another part is that it isn't just this DVR, so many of them have issues.

 

This site explains how similar attacks have been happening against routers:

http://malware.dontneedcoffee.com/2015/05/an-exploit-kit-dedicated-to-csrf.html

 

It's quite advanced, but it is actually happening. And it's not teenagers you are going to need to worry about, it's organised crime from other parts of the world.

 

As an aside, which DVR brands do you all trust? I've got budget to buy higher end gear and want to have a crack at something good.

[al-yeti]

Hik vision and Samsung

Maybe not high end but commonly used by installers from what I seen

[cybergibbons]

Samsung DVRs have known issues:
https://www.andreafabrizi.it/?exploits:samsung:dvr

https://www.kb.cert.org/vuls/id/882286

http://blog.emaze.net/2016/01/multiple-vulnerabilities-samsung-srn.html

 

I'm about to publish a vulnerability across many of their IP cameras as well.

 

Hikvision haven't been too bad when reporting vulnerabilities. Their cameras are so-so, still making a lot of mistakes but nothing awful. Not looked at a DVR of theirs.

[MrHappy]

As an aside, which DVR brands do you all trust?

none,