Back in 2014, RSA published a report documenting a new tactic by criminal gangs: they were hacking into the digital video recorders that stored the feeds from security cameras to gather intelligence on their targets prior to committing their robberies.
Two years later, security researcher Rotem Kerner, who wrote the RSA report, decided to take another look at the vulnerabilities that the crooks had used to go after these PVRs. After some smart analysis, he determined that the vulnerability stemmed from a "white-label" PVR that a single Chinese manufacturer provided to over 70 different companies around the world, who rebranded them and sold them under their own names.
Kerner has published a proof-of-concept attack for these devices that lets him take them over and monitor the feeds from any cameras connected to them. In other words, it's likely that criminals could easily break into your security system and see everything your cameras are seeing, making copies of the stored video from those cameras.
Kerner has repeatedly contacted TVT, the Chinese manufacturer that originated the defective PVRs, but has received no response. He's going public because he believes criminals are already attacking the PVRs.
Since there are many vendors who redistribute this hardware-software it is hard to rely on vendors patch to arrive at your doorstep. I believe there are few more vulnerabilities being exploited in the wild against these machines and therefore your best shot would probably be to deny any connection from an unknown IP address to the DVR services. And so I will leave you here with a list of vendors who are selling some of TVT's re-branded gear.
Last note about the responsible disclosure process. I've been trying to contact TVT for quite some time with no luck. They have been ignoring me for too long, so they left me with no choice but to disclosure.
Remote Code Execution in CCTV-DVR affecting over 70 different vendors
In 2014, Quentin Tarantino sued Gawker for publishing a link to a leaked pre-release screener of his movie "The Hateful Eight." The ensuing court-case revealed that the screeners Tarantino's company had released had some forensic "traitor tracing" features to enable them to track down the identities of people who leaked copies.
Ransomware has been around since the late 1980s, but it got a massive shot in the arm when leaked NSA cyberweapons were merged with existing strains of ransomware, with new payment mechanisms that used cryptocurrencies, leading to multiple ransomware epidemics that locked up businesses, hospitals, schools, and more (and then there are the state-level cyberattacks […]
This week, we learned that the notorious Israeli cyber-arms-dealer NSO Group had figured out how hijack your Iphone or Android phone by placing a simple Whatsapp call, an attack that would work even if you don't answer the call.
Heads up: The clock is winding down on a free-entry contest to win not only one of the best smartphones on the market but a handy pair of earbuds. A simple sign-up is all you need to be eligible to win a 256 GB iPhone XS Max, along with AirPods. And while “free” is tough […]
Kudos to those of us who have chosen a less wasteful third option to “paper or plastic” at the supermarket or club stores. Tote bags are reusable, but they can be a pain to tote around. Here’s an upgrade to that planet-saving measure. The Club Cart Lotus Trolley Bag is that rare tote you’ll want […]
Looking for a career in IT, gaming or software development? In the ever-changing world of the internet, versatility is your biggest asset. In other words, mastering Java might not cut it in an interview if you don’t know C#. However, there’s a bundle that covers the essentials in most any language. The Legendary Learn to […]