Jump to content
Security Installer Community

Cheap Dvr Leaves Your Network Vulnerable To Attack

cybergibbons

By cybergibbons
in Members Lounge (Public)

 Share

Recommended Posts

ElecTech Newbie

ElecTech

Posted
Posted

I really don't understand how anyone could think this isn't sensitive information? Regardless where else you can get it from, we all work within the industry and have a duty of care to stop these hacks/floors become broadcasted to the public.

 

Like I said, no problem discussing it with fellow professionals as there's clearly an issue, but not just anyone who can use google. And if its the case other sites have the same info then so be it, but at least someone's DVR didn't get hacked from TSI (a professional security installation forum)...

 

I might have it wrong so please tell me if I do and why...

Link to comment
Share on other sites
datadiffusion Newbie

datadiffusion

Posted
Posted (edited)

and have a duty of care to stop these hacks/floors become broadcasted to the public.

 

It may very well be sensitive information, but we don't have any such duty of care at this time, and if we did, it is or was already front page news on regular mainstream, non security specific sites.

 

Again this is my own personal opinion and other members may disagree too.

Edited by datadiffusion

So, I've decided to take my work back underground.... to stop it falling into the wrong hands

 

Link to comment
Share on other sites
ElecTech Newbie

ElecTech

Posted
Posted (edited)

It may very well be sensitive information, but we don't have any such duty of care, and if we did, it is already front page news on regular mainstream, non security specific sites.

 

wow...... and the trade RESTRICTED forum is for what exactly? Private boys club?

 

I know it's your view and I respect them but your views matter..... You have 8k+ posts.... Your obviously b*lls deep in the site so your view will carry weight!

Edited by ElecTech
Link to comment
Share on other sites
ElecTech Newbie

ElecTech

Posted
Posted (edited)

This surely runs in line with the industry, faults, problems, and business ideas... And has massive reason to not be in public domain...

 

If engineer codes are so readily available elsewhere like you said, why do we protect such info? Yet keep a topic like this on public, same vulnerabilities, same damage could be caused getting into the wrong hands.

 

Do people see engineer codes as a cash cow if kept secret? And before anyone says, I know money isnt made directly from this site by engineer resets, but industry wise it is... Serious question...

Edited by ElecTech
Link to comment
Share on other sites
cybergibbons Newbie

cybergibbons

Posted
  • Author
Posted

This should be in trade only in my opinion. Yeah it might be splattered all over the web but site rules don't allow default engineer codes let alone back doors to DVRs....? I agree the issue should be raised but not in public view.

And anyway, from an installation point of view, what's the solution?

 

It's been viewed by tens of thousands already, so the cat is out of the bag.

 

The solution has a few aspects:

1. Don't trust very cheap gear, especially if it has no firmware updates.

2. Make sure you change passwords from defaults.

3. Don't port forward to the device from the open internet

4. If remote access is required, use a VPN.

5. Segregate it from the rest of your network on a VLAN or subnet.

6. Block outbound traffic so it can't create a reverse shell.

7. If it has HTTPS, enable it.

I have a blog, some of which is about alarm security and reverse engineering:
http://cybergibbons.com/

 

 

 

Link to comment
Share on other sites
ElecTech Newbie

ElecTech

Posted
Posted (edited)

It's been viewed by tens of thousands already, so the cat is out of the bag.

 

That's it then, just leave it for the next 10,000 to read...

 

My point is, this site in particular is full of security professional's who when it suits act all hush hush about engineering codes etc, yet leave this in public view....

 

Daft...

 

But anyway enough of that...

 

Seems an IT networking guru will need to be on hand to be truly safe?

Edited by ElecTech
Link to comment
Share on other sites
al-yeti Experienced

al-yeti

Posted
Posted (edited)

That's it then, just leave it for the next 10,000 to read...

My point is, this site in particular is full of security professional's who when it suits act all hush hush about engineering codes etc, yet leave this in public view....

Daft...

But anyway enough of that...

Seems an IT networking guru will need to be on hand to be truly safe?

"No offence seriously"

But your talking rubbish , generally some stuff is on the web not all codes and many wouldn't know what to do with them anyway, they are simply protecting the ones they install for because nature of people is to mess with there system by not giving out info and of course the teefs who will have ago at something

IT guru can makr mistakes to

Edited by al-yeti
Link to comment
Share on other sites
cybergibbons Newbie

cybergibbons

Posted
  • Author
Posted

It's a lot easier to find this out now than engineer codes.

 

The thing with engineer codes is that they are a built-in part of the system, known and accepted by many.

The problems in the DVR aren't exactly in the manual.

I have a blog, some of which is about alarm security and reverse engineering:
http://cybergibbons.com/

 

 

 

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...

Important Information

By using this site, you agree to our Terms of Use.

  I accept