Vulnerability in recorders used by 70+ manufacturers' CCTV systems has been known since 2014

Back in 2014, RSA published a report documenting a new tactic by criminal gangs: they were hacking into the digital video recorders that stored the feeds from security cameras to gather intelligence on their targets prior to committing their robberies.

Two years later, security researcher Rotem Kerner, who wrote the RSA report, decided to take another look at the vulnerabilities that the crooks had used to go after these PVRs. After some smart analysis, he determined that the vulnerability stemmed from a "white-label" PVR that a single Chinese manufacturer provided to over 70 different companies around the world, who rebranded them and sold them under their own names.

Kerner has published a proof-of-concept attack for these devices that lets him take them over and monitor the feeds from any cameras connected to them. In other words, it's likely that criminals could easily break into your security system and see everything your cameras are seeing, making copies of the stored video from those cameras.

Kerner has repeatedly contacted TVT, the Chinese manufacturer that originated the defective PVRs, but has received no response. He's going public because he believes criminals are already attacking the PVRs.

Since there are many vendors who redistribute this hardware-software, it is hard to rely on a vendor's patch to arrive at your doorstep. I believe there are a few more vulnerabilities being exploited in the wild against these machines, and therefore your best shot would probably be to deny any connection from an unknown IP address to the DVR services. And so I will leave you here with a list of vendors who are selling some of TVT's re-branded gear.

Last note about the responsible disclosure process. I've been trying to contact TVT for quite some time with no luck. They have been ignoring me for too long, so they left me with no choice but to disclose.

Remote Code Execution in CCTV-DVR affecting over 70 different vendors
[Rotem Kerner]

(via /.)