Hungarian bug-hunters spot 130,000 vulnerable Avtech vid systems on Shodan

SOHOpeless CCTVs and video recorders

Wed 12 Oct 2016 // 01:02 UTC

It shouldn't surprise anyone that closed circuit television (CCTV) rigs are becoming the world's favourite botnet hosts: pretty much any time a security researcher looks at a camera, it turns out to be a buggy mess.

According to this advisory, Avtech's IP cameras and video recorders offer the world the usual list of possible exploits: credentials in plain text, information disclosure, request forgery vulns, and more.

The advisory claims all Avtech CCTVs, digital video recorders and network video recorders – and all firmware revisions – contains vulnerabilities.

The researchers who turned up the vulnerabilities, from the Budapest University of Technology and Economics, say around 130,000 vulnerable devices are searchable on Shodan.

Since the bugs haven't yet been fixed, users are advised to change their admin passwords and take the devices off the Internet.

Of the 14 vulnerabilities disclosed by the researchers, some are pretty special:

All cgi scripts are remotely accessible without authentication;
All device settings can be accessed and modified via a cross-site request forgery attack;
All passwords are accessible in plain text;
DVRs have a search.cgi that doesn't need authentication. Not only does that let an attacker into the target device, the script also searches for cameras on the local network. Search.cgi also has a command injection vulnerability that lets an attacker get root on the target;
If you need to bypass authentication – remember, there's no credential protection anyway – there are two vectors, either via video plugins stored in the Web root; or via /cgi-bin/nobody;
Someone figured login needed a captcha; to stop the captcha irritating developers, there's a login=quick parameter that nobody thought to remove. Oh, and the captcha can be bypassed if an attacker manually sets the appropriate cookie in their request.

The researchers say they pressed the “publish” button after trying to contact Avtech in October 2015, and twice in May 2016. ®

More about

COMMENTS

TIP US OFF

Send us news

Topics

Special Features

Vendor Voice

Resources

Security

Hungarian bug-hunters spot 130,000 vulnerable Avtech vid systems on Shodan

SOHOpeless CCTVs and video recorders

More about

TIP US OFF

Other stories you might like

UK unions publish AI bill to protect workers from 'risks and harms' of tech

Huawei's latest flagship smartphone contains no world-shaking silicon surprises

Oracle scores big win with Fujitsu Japan for its Alloy partner cloud

Protecting distributed branch office environments from ransomware

Meta lets Llama 3 LLM out to graze, claims it can give Google and Anthropic a kicking

US Air Force says AI-controlled F-16 fighter jet has been dogfighting with humans

Ransomware feared as IT 'issues' force Octapharma Plasma to close 150+ centers

Crooks exploit OpenMetadata holes to mine crypto – and leave a sob story for victims

Stability AI decimates staff just weeks after CEO's exit

IBM accused of cheating its own executive assistants out of overtime pay

Google fires 28 staff after sit-in protest against Israeli cloud deal ends in arrests

Feds hit coding boot camp with big fine for allegedly conning students

About Us

Our Websites

Your Privacy