Researchers say up to 80,000 digital video recorders (DVRs) used to record footage from surveillance cameras employ hardcoded passwords - or don't use one at all - opening avenues for attackers to breach home and business networks and compromise privacy.
In one examination, at least 46,000 DVRs were found open to remote hijacking through a hardcoded firmware username and password.
The Zhuhai RaySharp DVRs are used by homes and businesses for remote video streaming, with some 60,000 claimed to be exported by the Chinese manufacturer every month.
The vendor has not patched the firmware vulnerability (CVE:2015-8286) leaving all units exposed. Seven other brands using the firmware are also thought vulnerable including Swann, KGuard Security, Defender, and Cop-USA.
"Based on searches using Shodan.io , there are about 36,000 to 46,000 affected internet-connected devices," Eiram says.
"About half of these are located in US with the remaining top five countries being UK, Canada, Mexico, and Argentina in that order.
"While analysing cgiServerbinary, we noticed that the authentication process specifically checked for the username 'root' and password '519070' [which is] the same code found in RscgiServerbinary."
If adding security check to protect against unauthorized access, don't also add attacker-accessible feature to bypass said check #ProTip— Carsten Eiram (@carsteneiram) February 9, 2016
Researchers initially probed whether the DVRs could be hosed by tapping port 9000 which in research conducted in 2013 and again last year was found to be a means to bypass authentication in DVRs.
The hardcoded login offered a much simpler attack vector.
Here's the researchers' analysis:
The main () function of the CGI script calls a function to authenticate the user. Within this function, another function is eventually called to handle the authentication and return the result. The function retrieves the user-supplied credentials and calls a function to check them. Within this function, part of the code specifically checks if the supplied username is “root” and the password is “519070”. If these credentials are supplied, full access is granted to the web interface.
The vulnerability was first reported to US-CERT 9 September but it took until 21 December for Zhuhair RaySharp to acknowledge the report. It did not respond further and the CERT and researchers dropped the details overnight.
Separate research by PenTestPartners researcher Andrew Tierney found some 44,000 Mvpower 8 DVRs exposed to Shodan that by default did not even require passwords, and could be hacked to offer hackers a remote root shell that cannot be removed.
"It couldn’t really be any worse," Tierney says.
"We have a remote, unauthenticated root shell, that is undocumented and not possible to disable, built-in to the device. This is as bad as it gets."
"Putting one of these on your network leaves you open to serious risk. If you port forward to the web interface, you are allowing attackers to take full control of the device [which] can then be used as a pivot and be used to attack the rest of your network from inside."
Tierney says most devices will be exposed since changing the password is a pain, requiring the DVRs to be connected to a local TV with a user-supplied keyboard.
Most bizarrely the code contains a command to email cam captured photos to an email address with the subject line 'who are you'. That highly suspicious and egregious privacy breach was flagged by one sharp-eyed customer.
The cameras are also open to cross-site request forgery, HTTP interception, and a lack of patching thanks to an absence of an update channel. ®