Slashdot Mirror

← Back to Stories (view on slashdot.org)

58,000 Security Camera Systems Critically Vulnerable To Attackers

Posted by Unknown on from the your-curtains-are-ugly dept.

Sparrowvsrevolution writes with news of some particularly insecure security cameras. From the article: "Eighteen brands of security camera digital video recorders are vulnerable to an attack that would allow a hacker to remotely gain control of the devices to watch, copy, delete or alter video streams at will, as well as to use the machines as jumping-off points to access other computers behind a company's firewall, according to tests by two security researchers. And 58,000 of the hackable video boxes, all of which use firmware provided by the Guangdong, China-based firm Ray Sharp, are accessible via the Internet. Early last week a hacker who uses the handle someLuser found that commands sent to a Swann DVR via port 9000 were accepted without any authentication. That trick would allow anyone to retrieve the login credentials for the DVR's web-based control panel. To compound the problem, the DVRs automatically make themselves visible to external connections using a protocol known as Universal Plug And Play, (UPnP) which maps the devices' location to any local router that has UPnP enabled — a common default setting. ...Neither Ray Sharp nor any of the eighteen firms have yet released a firmware fix."

12 of 157 comments (clear)

  1. No Surprise by hduff · · Score: 4, Funny

    "As Seen On TV"

    --
    "I believe in Karma. That means I can do bad things to people all day long and I assume they deserve it." : Dogbert
  2. Re:Made in China. by Anonymous Coward · · Score: 5, Funny

    Damn! and i was just looking for a system for my house and my mom's house.

    Is your mom hot?

    Well, I guess we'll find out soon enough...

  3. Re:well ... by green1 · · Score: 4, Informative

    Of course the point was that with most standard firewalls in their default setting, this automatically punches it's own holes through the firewall, it's a feature....

    So it's more like "it's not like you shoud have this unprotected by a firewall that you have carefully setup yourself without any autoconfiguration options"

  4. Re:well ... by fluffy99 · · Score: 4, Informative

    That these system will punch holes in a upnp capable router is part of the problem. Many people may not realize their DVR is even accessible from outside. Step number one on any home routers I setup is to disable upnp because malicious software also likes to punch holes.

  5. Closed up a hole on our DVR by baobrien · · Score: 4, Interesting

    We bought a 24 channel q-see brand DVR. When it went to boot up, during disk initialization, it specifically mentioned '/dev/sda' and such, so I knew it ran some embedded Linux. I decided to check it out via nmap to see if there was anything interesting running. Port 23 was open. I telnet-ed into the damn thing and was able to log into root with no password. Needless to say, that was fixed.

  6. Port knocking by Okian+Warrior · · Score: 5, Informative

    Port knocking is where the inbound system won't connect until a series of unsuccessful attempts is tried on a known sequence of ports - the system will open the door only when the visitor gives the "secret knock".

    For example, a system won't normally accept connection requests. If the visitor attempts (unsuccessfully) ports 1010, 1050, 3042, and 4725 in that order, the system then accepts a connection at port 9000. (Use different numbers and length as needed for security.)

    It is nigh impossible for a security audit to detect this type of camouflage. This technique has been well-known for years.

    If China were putting back-doors in hardware systems, they could make them virtually impossible to find.

    That's circumstantial evidence that this isn't a case of espionage on the part of the manufacturer. It's more likely a flaw in the software or a debugging port that wasn't compiled out in the released version.

    1. Re:Port knocking by GNUALMAFUERTE · · Score: 5, Interesting

      Port knocking is insane. It's the worst nightmare the security-through-obscurity mindset brought us, and it's so fucking annoying.

      My company develops a CCTV DVR/NVR. It's GNU/Linux based, we keep it up to date by offering free updates for life. Upgrades are not a huge firmware blob you need to download and then install (something customers won't do), It's a simple package (we use our own pkg management, and it's slackware-like), usually a few mb of download, but to the customer it's transparent. They just get a warning when they log-in, and the system lets them know via e-mail there are available updates, they can install them with a single click. The whole system is web-based, HTML5, and works out of the box on anything Gecko or Webkit based plus Opera (IE not supported). We don't require additional ports, everything works through a single HTTP port. Everything is session-based. We force the customer to use secure passwords, and to change them frequently. We use uPNP to open that single port, but that's when the customer runs the setup wizard, and we explain what we are going to do, and request customer authorization.

      It's easy to do the right thing, and if the manufacturer does the right thing, you don't need any additional security (for example, you don't really need to firewall the damn DVR). Sadly, most manufacturers don't do the right thing. They don't even bother providing upgrades. And the customers don't usually care, even when you offer a better solution, most will go with the generic chinese crap just because it's a few dollars cheaper. That's why more secure and functional solutions such as ours are usually only found in corporations (95% of our customer base).

      This issue is not restricted to DVRs, China doesn't give a fuck, and people in general only care about the price tag. That's a deadly combination for the technology used by 90% of the population.

      --
      WTF am I doing replying to an AC at 5 A.M on a Friday night?
  7. The Chinese or Uncle Sam ?? by Taco+Cowboy · · Score: 4, Insightful

    The Chinese are out to get us

    If I were you, I'll be more worried about Uncle Sam

    --
    Muchas Gracias, Señor Edward Snowden !
  8. Re:well ... by adolf · · Score: 4, Interesting

    Step number one on any home routers I setup is to disable upnp because malicious software also likes to punch holes.

    UPNP can trivially allow incoming ports on the firewall. And so what? You allow outbound connections, don't you?

    There is very little difference between malicious programs being able to create its own outbound connections and being able to accept inbound connections: In either case, the malicious software is able to communicate and can accomplish whatever nefarious task its creators envision.

    Why would I trust a program to create connections but not enough accept them?

    In practice, I leave UPNP turned on. If I were paranoid enough to disable it, I'd also be sufficiently paranoid to never, ever execute any code that I'd not written or reviewed myself, with a firewall that denies everything by default in both directions...and I just don't have time for that.

    UPNP makes things work better: From BT to software updates to gaming on a PS3, UPNP helps keep the clusterfuck of NAT from being absolutely horrible.

    So the score, so far, for UPNP seems to be this:

    Problems that UPNP solves for me: Several.
    Problems that UPNP creates for me: None.

    Meanwhile, TFA is more about the fact that some hardware devices that may never see a software upgrade have one or more security holes which can be exploited over the network...which is interesting and all, but really has nothing to do with UPNP: If such devices were secure and trustworthy to begin with, there would never be a reason to firewall them at all, let along worry about UPNP.

    --
    Kid-proof tablet..
  9. Re:Never attribute to malice... by fuzzyfuzzyfungus · · Score: 5, Insightful

    What, nobody has complained about this being an intentional backdoor yet? The Chinese are out to get us.

    I'm inclined to keep "Never attribute to malice something much stupider than malice would have implemented" in mind as a variant on the usual phrase.

    Given the hordes of profit-driven, variously political, and simply lulz-oriented attackers on the internet, relatively blatant backdooring(when you are in the privileged position of being the guys shipping the firmware, no less, hard to ask for more insider access than that) amounts to squandering an advantage. Had the units shipped with, say, a bugged sshd that is hardcoded to always allow access via keypair auth with a specific private key, it is both much more likely that nobody would ever have noticed, and that nobody but the intended attacker would ever have been able to make use of the vulnerability. A wholly unauthenticated hole, on the other hand, is an open invitation to every bot-herder and na'er-do-well on the planet to come and have a rummage through the systems, leading to much greater competition for the creator of the backdoor.

  10. Re:well ... by shitzu · · Score: 4, Informative

    The difference is simple (but huge). To allow a program or device to make an outgoing NAT connection, i have to assume that it is not malicious. To allow programs and devices map incoming ports via upnp i have to assume that it is not malicious AND it is not buggy enough to allow gazillion script kiddies access to my network. So thanks, but no thanks on the upnp front - i keep my open tcp ports to a minimum.

  11. Re:shunky by Anachragnome · · Score: 4, Funny

    I really don't care about cameras watching rock crushers...

    Can someone please post a short-list of the ones covering strip clubs? 58,000 is a lot to sort through. Thanks in advance.