Major security flaw found in MANY security DVR's

JonW

Senior Member
Seems that the low end DVR systems have a major flaw that was just uncovered.  This affects Swann, Lorex, URMET, KGuard, Defender, DSP Cop, SVAT, Zmodo, BCS, Bolide, EyeForce, Atlantis, Protectron, Greatek, Soyo, Hi-View, Cosmos, and J2000.  Attackers are able to dump your passwords and take control of your device.  Because they can get root access to the system, they can run code of their choosing which means they can then get access to your internal LAN.
 
http://www.forbes.com/sites/andygreenberg/2013/01/28/more-than-a-dozen-brands-of-security-camera-systems-vulnerable-to-hacker-hijacking/
 
 
For myself, I use the local LAN IP address in my iPhone app and when I want to view cameras, I turn on the phone VPN and then fire up the camera app to connect via a local IP address so the required ports are not opened on my router.
 
 
A year or so ago, I found a bunch of flaws in OpenEye cameras (I didn't publish).  The software on my OpenEye cams is the same software on some Axis cameras, so those are likely vulnerable also.  And one of my coworkers just found a bunch of flaws in D-Link cams (published).
 
Bottom line is, the companies making equipment like this either don't care about security, or are hiring people that know nothing about secure coding (which means they still don't care).  Just look at the web interfaces on these cameras; they all look like my 4-year-old did them.  What do you think the security is gonna be like?  It's not just camera/DVR manufacturers; printers, prox card controllers, and just about any embedded device manufacturer doesn't consider security a priority.
 
I have separate security zones for cameras, security system related stuff, HA, audio, phones, wireless, and workstations/laptops.  And my firewall rules only permit the traffic that is required to make things work.  I'm not worried about most of these devices.  However, the one that DOES worry me is my Vera.  It connects out to a cloud service with an SSH tunnel.  If MiCasaVerde's environment were compromised, an attacker would not only have access to your Vera, but could also use it as a jump point into your network.
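Added example, not posted by anyone in this thread: an nftables ruleset showing the two ideas above in concrete form, JonW's "reach the DVR only over a VPN, never through a forwarded port" and signal15's "separate zones, firewall permits only what is required". It assumes a Linux router with hypothetical interfaces lan0 (workstations), cam0 (camera/DVR VLAN), wg0 (VPN clients) and wan0; the subnets, the DVR address and the WireGuard port are constructed for the example, and the DVR port 9000 is the default mentioned in the article.

```nftables
#!/usr/sbin/nft -f
# Example segmentation ruleset (added here, not from the thread).
# Interface names, addresses and the VPN port below are assumptions.
define LAN_IF   = "lan0"          # workstations/laptops zone
define CAM_IF   = "cam0"          # cameras + DVR zone
define VPN_IF   = "wg0"           # VPN clients (phone app lands here)
define WAN_IF   = "wan0"          # Internet uplink
define DVR      = 192.168.50.10   # constructed DVR address
define DVR_PORT = 9000            # default remote-viewing port from the article
define VPN_PORT = 51820           # assumed WireGuard listener

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        # The only thing the Internet may reach on the router is the VPN.
        iifname $WAN_IF udp dport $VPN_PORT accept
        # Camera zone may talk to the router for DHCP and NTP only; log anything else,
        # because a camera poking at the router is a sign something is off.
        iifname $CAM_IF udp dport { 67, 123 } accept
        iifname $CAM_IF log prefix "cam-zone-to-router: " drop
        iifname { $LAN_IF, $VPN_IF } accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # Viewing is initiated from the workstation zone or a VPN client, never from
        # the Internet: there is deliberately no rule forwarding WAN traffic to the DVR,
        # so no port 9000 (or alternate port) is ever exposed.
        iifname { $LAN_IF, $VPN_IF } oifname $CAM_IF ip daddr $DVR tcp dport $DVR_PORT accept
        # Workstations and VPN clients get normal Internet access.
        iifname { $LAN_IF, $VPN_IF } oifname $WAN_IF accept
        # Cameras and the DVR never initiate connections into the LAN or out to the
        # Internet. Logging the drops turns a compromised camera into a visible event.
        iifname $CAM_IF log prefix "cam-zone-egress-blocked: " drop
    }
}
```

Load it with `nft -f` and watch the kernel log for the two prefixes: under normal operation they should stay silent, and any "cam-zone-egress-blocked" line is a device in the camera zone trying to reach somewhere it never needs to.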
 
Thanks for posting this.  I have been arguing for years that exposing all your equipment like this is just a disaster waiting to happen.  Just several days ago I made this point again, specifically talking about Linux based cameras and DVRs.
 
Let's hope this is a wake-up call for the Linux based appliance industry (your TV, DVR, cameras, even your car navigation system might be running Linux right now!), since this is just going to get worse.  Not that this is a design flaw with Linux, it's a manufacturing issue as mentioned above.
 
Really would love to see an attitude change towards security in this industry.  Doesn't help that many CCTV/DVR manufacturers rely on a reference design (basically the same hardware/software, just a different case/label).
 
signal15 said:
However, the one that DOES worry me is my Vera.  It connects out to a cloud service with an SSH tunnel.  If MiCasaVerde's environment were compromised, an attacker would not only have access to your Vera, but could also use it as a jump point into your network.
 
I have a Vera as well and I disabled that tunnel. You should really consider VPN (as JonW pointed out) or SSH (which I use). Further, I have a separate wireless VLAN for guests since the Vera doesn't even have any local security.
 
I wouldn't use the Vera as your router/gateway/access-point, doesn't make sense that they even offer this solution.  Just use it as a home automation appliance, and rely on SSH/VPN connectivity for remote access (as mentioned above).
 
This isn't a "security flaw"; to be a flaw, it requires that they try to implement security in the first place  :D
 
"And worse, he was able to use that unprotected connection to retrieve the login credentials for the DVR’s web-based control panel. “Anyone who can connect to port 9000 on the device can send this request and retrieve that information,” said someLuser, who declined to reveal his real name when I reached him by instant message."
 
While this type of information needs to come to light, I don't think it is as bad as people are making it out to be.  The serial plug that needs to be accessed is inside of the DVR.  This means a would-be hacker would have to have access to the physical equipment and make modifications to it (by opening up the case and plugging into the serial header).  Once this is done, then the hacker could attack the system from offsite, but not until then.
 
At least that is the way I understand the situation.  If you have control of the hardware, you don't have anything to worry about.  
 
sic0048 said:
While this type of information needs to come to light, I don't think it is as bad as people are making it out to be.  The serial plug that needs to be accessed is inside of the DVR.  This means a would-be hacker would have to have access to the physical equipment and make modifications to it (by opening up the case and plugging into the serial header).  Once this is done, then the hacker could attack the system from offsite, but not until then.
 
At least that is the way I understand the situation.  If you have control of the hardware, you don't have anything to worry about.  
Not true. You do not need physical access at all.  While the original hacker started with the internal serial port, he quickly figured out that port 9000 access to the unit had NO security on it and could easily be used for remote exploits.
 
Many homes and small businesses using these are keeping port 9000 open so that they can use the remote viewing apps.  With that port open, you have no protection.
 
Frunple said:
Another, of many, reasons to never use UPnP.
 
This isn't just a UPnP issue: they are not only storing passwords in plain text, they spit out those passwords to anonymous users. So, so, so much wrong with that...
 
The article speaks of getting to the DVR via port 9000.  Would that not mean that port 9000 needs to be pointed to the DVR?  I am not using port 9000.
 
I am not using UPnP.  I am manually configuring my devices and am not using port 9000.
 
Does this mean that access from outside my LAN is not possible?
 
Really hard to say, Lou.  Depends on what hardware you have and what ports are open. UPnP is not a requirement at all.  It's just that many consumer routers and this type of hardware use UPnP for opening the ports so the consumer doesn't really need to know how to do forwarding.  Port 9000 is the default port that these systems use, but if you manually forwarded a port to your DVR and your DVR employs the same/similar firmware, then you are likely susceptible to this attack also.  If you are susceptible to it, but you're on an alternate port, you may have a less likely chance that someone could access your system.  However, a full port scan would reveal the DVR, so I wouldn't take that chance.
 
JonW said:
Really hard to say, Lou.  Depends on what hardware you have and what ports are open. UPnP is not a requirement at all.  It's just that many consumer routers and this type of hardware use UPnP for opening the ports so the consumer doesn't really need to know how to do forwarding.  Port 9000 is the default port that these systems use, but if you manually forwarded a port to your DVR and your DVR employs the same/similar firmware, then you are likely susceptible to this attack also.  If you are susceptible to it, but you're on an alternate port, you may have a less likely chance that someone could access your system.  However, a full port scan would reveal the DVR, so I wouldn't take that chance.
OK.  I wasn't sure if port 9000 was the default port for the regular access or if it was a "back door" port that accesses some other functions on the DVR.  I pretty much always run my stuff on alternate ports just in the hope that it would stop the IP scanner who just checks the one port that has the default device they know how to hack, rather than run through every port at every IP looking for that chance that the user re-ported it.
 
Approximately two weeks ago I was asked to look at a CCTV system which had two DVRs for 16 cameras at three locations in the Midwest.  The issue was that one was a new office and remote access didn't work.  That said, the owner asked if I could look at the system and get the remote access to work on the third setup.
 
Note that this system was professionally installed.  I reviewed the configuration on site at the location that didn't work.  It was an issue of the firewall / router that had not been configured properly.
 
That said, I asked for the passwords to access the routers and DVRs.  The owner did not know.  I then tried the default access and passwords and all of them worked (routers, firewall and DVRs).
 
I then looked at the other two locations via the WAN links and did notice that they were open to the internet and had been left with the default passwords.
 
That said, the owner's concerns were not of security but rather just relating to the ability to see the video remotely with the PDA phones utilized by the owners of the company.
 
These DVRs though had security configurations but had been left at the default.  The owner was totally unaware of this and was content with the ability of remote access.  This is though one of many times that I have seen this sort of stuff with commercial installations.
 
That said, though, with the aforementioned security flaws it really appears that it doesn't matter whether the security on the devices is manually configured.
 
With residential installs / many DIYs, many folks start to configure this and that, get frustrated, and some then just make it work, seeing the end results and not really knowing if something is left open to the internet.  I have also seen one unmentioned ISP vendor tell my sister-in-law to remove the firewall such that she would be able to access everything and not have any problems, and that in fact was provided as a solution to her issues.
 
Lou, difficult as it may sound, an application can be written such that a click of a link will set up an SSH tunnel unsuspectingly right to the inside of your LAN.  You can also utilize pieces of an SSL tunnel for an SSH tunnel and vice versa. The difficult piece here is that once the encrypted tunnel is established, you can't really look at the data that is passing inside of the tunnel too easily.
 
Personally, though, it's just being knowledgeable / educated of this and that and knowing of it, but not something you should lose sleep over.  I try to do what I can with my software based firewall.
 
JonW said:
Not true. You do not need physical access at all.  While the original hacker started with the internal serial port, he quickly figured out that port 9000 access to the unit had NO security on it and could easily be used for remote exploits.
 
Many homes and small businesses using these are keeping port 9000 open so that they can use the remote viewing apps.  With that port open, you have no protection.
 
Gotcha.  Thanks for the clarification.  That is scarier!  
 