Security Installer Community

I reckon those that buy or sell bottom end gear really don't care. I did think your other highlights would bother more people.

securitywarehouse Security Supplies from Security Warehouse

Trade Members please contact us for your TSI vetted trade discount.

Problem is mass market will raise eyebrows and say oh well I bought it now and the £300 brigade installed it so who cares

So then moving onto higher end products is where we want to see this secure

It's not quite a real world issue (yet)

I'd be very surprised if this wasn't being used already. It took less than a few hours to find the issue, and we've certainly seen attacks of this type carried out against home and business routers.

I have a blog, some of which is about alarm security and reverse engineering:
http://cybergibbons.com/

Yeah I agree with a few of the posts, low end of the market won't care less, and chances are will never know about all this unless it hits mainstream media, which I can't see happening.

Saying all that, you say cheaper DVR's... what's a buyer to look for to avoid this in the "expensive" DVR's....? Is there something in the spec we should be looking for that makes it less vulnerable?

CG your point is the DVR makes an open way to get to the rest of the network which for some can be disastrous, what about any DVRs being used in data sensitive companies, looks as though any using hikvision here, what are they like in terms of security

I suppose any device that has port forwarding could be used in this way. It's a bit over my head but are you saying even if not port forwarded the device can be used?

I suppose any device that has port forwarding could be used in this way. It's a bit over my head but are you saying even if not port forwarded the device can be used?

So, if you port-forward, it's obvious - Shodan will find the unit, and because it has a distinctive HTTP header, can be found. We can see 44k of them by this means.

But if I add the following HTML to a web page:

<IMG SRC="http://192.168.1.201/shell?[command for reverse shell]">, and you visit that site, the DVR will connect back to me, so I can control it.

That's just for one IP, so I'd use JavaScript and essentially check all likely internal IPs.

This is because it is lacking cross-site request forgery protection.

Yeah I agree with a few of the posts, low end of the market won't care less, and chances are will never know about all this unless it hits mainstream media, which I can't see happening.

Saying all that, you say cheaper DVR's... what's a buyer to look for to avoid this in the "expensive" DVR's....? Is there something in the spec we should be looking for that makes it less vulnerable?

It's not a lack of functionality or spec really, unless they write "No backdoors! No hardcoded passwords!".

Even some fairly expensive DVRs have some issues:

http://www.theregister.co.uk/2016/02/18/blank_519070_the_pin_to_enter_to_pwn_80k_online_security_cams/

CG your point is the DVR makes an open way to get to the rest of the network which for some can be disastrous, what about any DVRs being used in data sensitive companies, looks as though any using hikvision here, what are they like in terms of security

Hikvision have had problems in the past:

https://community.rapid7.com/community/metasploit/blog/2014/11/19/r7-2014-18-hikvision-dvr-devices--multiple-vulnerabilities

They were responsive when I spoke to them about issues with IP cameras though.

I have a blog, some of which is about alarm security and reverse engineering:
http://cybergibbons.com/
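
An added example, not part of the original post or of any vendor's firmware: the server-side check whose absence the post above calls a lack of cross-site request forgery protection, applied to three constructed requests. The `/shell` path and the 192.168.1.201 address come from the post; `/config`, the `csrf_token` field, the token value and `example.test` are assumptions made for illustration.

```python
import hmac
from urllib.parse import urlsplit

# Paths that change device state; "/shell" is the endpoint named in the post,
# "/config" is a hypothetical second one for illustration.
STATE_CHANGING = {"/shell", "/config"}


def same_origin(headers):
    """True only if Origin (or, failing that, Referer) names the device itself."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False  # an absent header is treated as cross-site
    return urlsplit(source).netloc == headers.get("Host")


def csrf_check(method, path, headers, form, session_token):
    """Return (allowed, reason) for one request to the device's web interface."""
    if urlsplit(path).path not in STATE_CHANGING:
        return True, "read-only path"
    if method != "POST":
        return False, "state change over " + method  # blocks <img>/<script> loads
    if headers.get("Sec-Fetch-Site", "same-origin") not in ("same-origin", "none"):
        return False, "browser reports cross-site request"
    if not same_origin(headers):
        return False, "Origin/Referer is not this device"
    token = form.get("csrf_token", "")
    if not session_token or not hmac.compare_digest(token, session_token):
        return False, "missing or wrong CSRF token"
    return True, "ok"


# Constructed sample requests (not captured traffic).
HOST = "192.168.1.201"
TOKEN = "constructed-per-session-token"
IMG_LOAD = ("GET", "/shell?x", {"Host": HOST, "Referer": "http://example.test/page",
                                "Sec-Fetch-Site": "cross-site"}, {})
FORGED_FORM = ("POST", "/shell", {"Host": HOST, "Origin": "http://example.test"}, {})
OWN_UI = ("POST", "/shell", {"Host": HOST, "Origin": "http://" + HOST,
                             "Sec-Fetch-Site": "same-origin"}, {"csrf_token": TOKEN})

if __name__ == "__main__":
    for name, req in [("img load", IMG_LOAD), ("forged form", FORGED_FORM),
                      ("device's own UI", OWN_UI)]:
        print(name, "->", csrf_check(*req, session_token=TOKEN))
```

A device that accepts state changes over GET with no origin or token check passes the first request straight through, which is why an image tag on an unrelated page is enough to reach it.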

This should be in trade only in my opinion. Yeah it might be splattered all over the web but site rules don't allow default engineer codes let alone back doors to DVRs....? I agree the issue should be raised but not in public view.

And anyway, from an installation point of view, what's the solution?

We don't allow engineer defaulting info as a matter of principle, anyone with half a brain could find them elsewhere in seconds more's the pity, but there you go.

So I don't think we need to be over protective on this subject, that's my personal opinion anyway.

So, I've decided to take my work back underground.... to stop it falling into the wrong hands

I get 100s of emails every week from scammers trying to get me to open attachments so that they can sneak onto my network, it won't be long until they suss there is an easier way to get people's networks. Mind you they can't log into my bank without a pin sentry, my card and pin number, they can't log into my inland revenue account without giving a stool and blood sample (they are welcome to pay my tax return anyway), they can't get any sensitive information from my computer because I just do nerdy stuff with it. They could download my movies from my home server, I think they would get bored looking round my world though
