Digital video recorders have revolutionized home and business security, making it possible to easily store and play back hundreds of hours of surveillance camera footage. But a few design flaws in their software, it seems, can quickly turn the watchers into the watched.
Eighteen brands of security camera digital video recorders (DVRs) are vulnerable to an attack that would allow a hacker to remotely gain control of the devices to watch, copy, delete or alter video streams at will, as well as to use the machines as jumping-off points to access other computers behind a company’s firewall, according to tests by two security researchers. And one of the researchers, security firm Rapid7′s chief security officer H.D. Moore, has discovered that 58,000 of the hackable video boxes, all of which use firmware provided by the Guangdong, China-based firm Ray Sharp, are accessible via the Internet.
“The DVR gives you access to all their video, current and archived,” says Moore. “You could look at videos, pause and play, or just turn off the cameras and rob the store.”
Early last week a security researcher who goes by the name some Luser published a blog post detailing his dissection of a DVR built by the security firm Swann, disassembling the device and running tests on it via its serial port. He found that commands sent to the device via a certain connection, port 9000, were accepted without any authentication. And worse, he was able to use that unprotected connection to retrieve the login credentials for the DVR’s web-based control panel. “Anyone who can connect to port 9000 on the device can send this request and retrieve that information,” said someLuser, who declined to reveal his real name when I reached him by instant message.
To compound the problem, the DVRs automatically make themselves visible to external connections using a protocol known as Universal Plug And Play, (UPnP) which maps the devices’ location to any local router that has UPnP enabled–a common default setting. That feature, designed to allow users to remotely access their video files via remote PC or phone, effectively cuts a hole in any firewall that would expose the device to attackers, too.
Rapid7′s Moore confirmed someLuser’s findings and traced the problem in the Swann machine to the device’s firmware sold by Ray Sharp. He then used the scanning tool NMAP to dig up thousands of vulnerable machines visible on the Internet. “It’s just a boneheaded decision on the part of [Ray Sharp],” says Moore. “Fifty-eight thousand homes and businesses are exposed because of the way these things cut holes in the firewall.”
By checking the web interfaces of the vulnerable devices and analyzing the Ray Sharp firmware he downloaded from Swann’s website, Moore was able to identify 18 companies that seem to use the faulty code: Swann, Lorex, URMET, KGuard, Defender, DSP Cop, SVAT, Zmodo, BCS, Bolide, EyeForce, Atlantis, Protectron, Greatek, Soyo, Hi-View, Cosmos, and J2000.
Update: A spokesperson for Zmodo writes in a statement that the company has developed its own firmware in models that it’s sold since 2011, and claims that its in-house firmware “features a substantially higher level of security and has never been susceptible to the same intrusions as firmware developed by Ray Sharp.”
Update 2: Both Swann and CW, the company that sells the Defender and SVAT brand of DVRs, now say they are investigating the issue.
In addition to gaining access to the DVR through its web interface, someLuser also found that an attacker could gain complete control of the device’s Linux operating system and run arbitrary commands, making it a potential point of attack for compromising other PCs and servers on the victim’s network.
Moore warns that he hasn’t actually tested the exploit on every brands of device that he listed to me. But his scans indicate that all of them would be subject to the same port 9000 trick based on their use of the hackable Ray Sharp firmware. I reached out to Ray Sharp and each of those companies that had a public website, but haven’t yet heard back from any except Lorex, whose spokesperson said the company would look into the issue but declined to comment for now.
No simple fix exists for the DVR vulnerability until Ray Sharp or the vendors that use its firmware issue an update, say the researchers. But someLuser suggests owners of the affected DVRs temporarily disable UPnP on their Internet routers to prevent the device from making itself accessible from external connections.