Slashdot Mirror


Backdoor In MVPower DVR Firmware Sends CCTV Stills To an Email Address In China (softpedia.com)

An anonymous reader writes: An IoT security research company has discovered that a DVR model manufactured by MVPower includes a backdoor-like feature in its code that takes a screenshot of your CCTV feed and sends it to an email address hosted somewhere in China. The device's firmware is based on an open source project from GitHub that was pulled by its developer when someone confronted him about the backdoor.

60 comments

  1. DUH. by Lumpy · · Score: 4, Informative

    All of the China crap you need to ASSUME it is riddled with backdoors and other security problems and even sending your info elsewhere. The China ONVIF security cameras are FILLED with this kind of crap.

    --
    Do not look at laser with remaining good eye.
    1. Re:DUH. by Anonymous Coward · · Score: 0

      The problem is nearly everything, even that from big name American companies, is manufactured in China. When looking for baby monitors some of the no-name Chinese brands were cheaper or had features I would have liked but I avoided them because I was afraid of security/privacy issues. I went with a Motorola, but in the end even it is going to be made in China, so who's to say it doesn't have a hardware backdoor as well, and all the data breaches in the news show that even big American companies seem to not care about security either.

      You can't avoid it. I guess you just look for the ones that suck the least, like voting.... sigh.

    2. Re:DUH. by Anonymous Coward · · Score: 0

      http://hardware.slashdot.org/story/16/02/04/1711253/push-to-hack-reverse-engineering-an-ip-camera

    3. Re:DUH. by Anonymous Coward · · Score: 0

      All of the China crap you need to ASSUME it is riddled with backdoors and other security problems and even sending your info elsewhere. The China ONVIF security cameras are FILLED with this kind of crap.

      Is that you Donald?

    4. Re:DUH. by Anonymous Coward · · Score: 1

      All of the China crap you need to ASSUME it is riddled with backdoors and other security problems and even sending your info elsewhere. The China ONVIF security cameras are FILLED with this kind of crap.

      Is that you Donald?

      Is that you Mao?

    5. Re: DUH. by bill_mcgonigle · · Score: 1

      Yeah, I have one of those cameras - by default it makes your security camera into a public webcam.

      Now, I can do VLANs and put firewall rules in, but most people aren't even paranoid enough to think to look.

      Then again, they just want to buy cheap crap off eBay, not hire a pro who knows the ins and outs of the product field.

      For most cases of blaming cheap manufacturers, there's a cheap consumer who wants pro quality for rock-bottom pricing.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    6. Re: DUH. by Anonymous Coward · · Score: 0

      Yeah, I have one of those cameras - by default it makes your security camera into a public webcam.

      Now, I can do VLANs and put firewall rules in, but most people aren't even paranoid enough to think to look.

      Then again, they just want to buy cheap crap off eBay, not hire a pro who knows the ins and outs of the product field.

      For most cases of blaming cheap manufacturers, there's a cheap consumer who wants pro quality for rock-bottom pricing.

      It's one thing that it is cheap hardware, you get what you pay for, but it's another when they are intentionally setting up a BACKDOOR in the firmware/software.
      Don't get all smart ass pretending you are too dumb to know the difference.

    7. Re: DUH. by Anonymous Coward · · Score: 1

      Cough.... Is using search engines a dead lost skill?

      They could not find a reference to MVPOWER???
      How hard did they try?

      Did they not try looking up trademarks? There is that little (R) symbol ya know....

      Aukey E-Business Co. owns the trademark MVPower
      Anthea Lee is registered name
      Been active since 2013.

      Shosho II, Ernest is the lawyer's name that registered
      Other company registered same people is Aglaia

      The parent company's name is Aukey E-Business Co., Ltd
      www.aukeys.com

      LongGang
      Huanan City
      Shenzhen, 518111
      China

    8. Re:DUH. by AmiMoJo · · Score: 4, Insightful

      Why single out the Chinese? Most American crap has a backdoor and multiple security holes too. At least the Chinese haven't started giving you the "Error 53" middle finger when you try to repair their crap.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    9. Re:DUH. by k6mfw · · Score: 1

      American companies seem to not care about security either.

      Interesting contrast to the other story about American govts want backdoors to iPhones, all those who searched for ISIS on Google, etc.

      --
      mfwright@batnet.com
    10. Re: DUH. by k6mfw · · Score: 1

      Then again, they just want to buy cheap crap off eBay,

      There are some cheap VHS machines on ebay, and none of those send emails to China.

      --
      mfwright@batnet.com
    11. Re:DUH. by DNS-and-BIND · · Score: 1

      Because every time this happens, you look on the back of the device and it says, "MADE IN CHINA". Seriously, people have to tell you these things?

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!
    12. Re: DUH. by phishybongwaters · · Score: 0

      But is it a back door? A back door infers access to said device. What they actually found was some code in the firmware taking screenshots and emailing them off to the guy who made the device. I'm struggling to find any definition of a backdoor that this scenario would fall under. It's nefarious and all that, but it's not exactly a back door into your camera or network.

    13. Re: DUH. by kilfarsnar · · Score: 2

      Yeah, I have one of those cameras - by default it makes your security camera into a public webcam.

      Now, I can do VLANs and put firewall rules in, but most people aren't even paranoid enough to think to look.

      Then again, they just want to buy cheap crap off eBay, not hire a pro who knows the ins and outs of the product field.

      For most cases of blaming cheap manufacturers, there's a cheap consumer who wants pro quality for rock-bottom pricing.

      “We’ve arranged a society on science and technology in which nobody understands anything about science and technology, and this combustible mixture of ignorance and power sooner or later is going to blow up in our faces. I mean, who is running the science and technology in a democracy if the people don’t know anything about it?” – Carl Sagan

      Modern technology might as well be magic to most people. They don't have the expertise, critical thinking skills, or self restraint to make informed decisions about the tech they buy and use. As you say, they just want it. And people are naive. I had to laugh years ago when it came out that Taco Bell's $.79 taco didn't contain 100% beef. People were pissed. But Taco Bell's response was basically, "You buy a 79 cent taco and think it's all beef?"

      But yeah, that's what people thought because they are naive. On another note, one of my old bosses got out of corporate IT a while ago. When I asked him why he said, "Everyone expects dial tone." What he meant was people want stuff to just work. They have no idea of what it takes to make things work and they don't care. Just make it work. So we get things like insecure or backdoored IoT devices.

      --
      "What the American public doesn't know is what makes them the American public." -Ray Zalinsky (Tommy Boy)
    14. Re:DUH. by Anonymous Coward · · Score: 0

      Why single out the Chinese?

      I know, right? Why single out anyone for anything? Can't we all just get along?

      Join us to fight the injustice at www.CRAPM.com: Chinese Routers and Access Points MATTER, man!

    15. Re:DUH. by drinkypoo · · Score: 1

      At least the Chinese haven't started giving you the "Error 53" middle finger when you try to repair their crap.

      Sure, they just don't give you an error, so you think it's your fault, just as they don't put brand names on their most shit products so that you can't track down who made them to complain. That's improvement?

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    16. Re:DUH. by Anonymous Coward · · Score: 0

      Just like the American crap then, except that in this case it's just a single guy spying on you, whereas with the American crap it's every corporation doing it under the orders of the U.S government. Thanks, but I'll go with the Chinese product.

    17. Re:DUH. by dave420 · · Score: 2

      So you don't understand how electronics work. Gotcha. Thanks for clearing that up for all of us.

    18. Re:DUH. by AmiMoJo · · Score: 1

      Most products without branding are built for western companies to western specifications, so that they can have a western label slapped on them later. If you buy quality branded Chinese stuff it's pretty good. OnePlus, Xiaomi, Yuin, Rigol, Siglent, Huawei.... Just a few I can think of off the top of my head that have similar quality to western companies, but don't try to screw you so hard with DRM.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    19. Re: DUH. by Anonymous Coward · · Score: 0

      I searched for ISIS on Google. It came up in a CNN article with no explainer. Educating oneself is crime now I guess.

    20. Re:DUH. by Lumpy · · Score: 1

      News flash. Your iPhone is MADE IN CHINA.

      --
      Do not look at laser with remaining good eye.
  2. Internet of Turds ... by Anonymous Coward · · Score: 1

    The only good internet connected device is one which isn't connected to the internet.

    You people can keep your stupid fucking IoT garbage.

    There's no need for this shit other than idiots who want something shiny to use with their cellphone.

    Have fun getting pwn3ed, suckers.

    1. Re:Internet of Turds ... by Sax Russell 5449D29A · · Score: 2

      It's OK for devices to be networked over WAN, but devices such as security cameras should *never* be accessible or able to access WAN directly. A few simple firewall rules and some site-to-site VPN piping would do the trick and wouldn't take long at all to set up. Just one of many possible ways of doing it right.

      By the way, I wouldn't count security cameras as IoT.

      --
      -SR
    2. Re:Internet of Turds ... by Applehu Akbar · · Score: 1

      There's a lot more potential to IoT than cellphone control of personal gadgets. I would really like to see bridge beams that provide continuous real-time reports of the stress they are under with daily traffic. Engineers would use the data not just to warn of imminent failure, but in the long run to design better infrastructure. So what if China might be watching the data stream to design better bridges of their own?

    3. Re:Internet of Turds ... by Anonymous Coward · · Score: 0

      It takes a good company with a backdoored IoT device to stop a bad company with a backdoored IoT device.

    4. Re:Internet of Turds ... by dj245 · · Score: 1

      There's a lot more potential to IoT than cellphone control of personal gadgets. I would really like to see bridge beams that provide continuous real-time reports of the stress they are under with daily traffic. Engineers would use the data not just to warn of imminent failure, but in the long run to design better infrastructure. So what if China might be watching the data stream to design better bridges of their own?

      That wouldn't be difficult to do. You would just need to epoxy strain gauges (very cheap devices) onto the locations of your choosing, collect that data with data acquisition devices, and store it for periodic pickup, or else transmit it over a network. Unfortunately, that wouldn't tell us much of interest. Most bridge failures are caused by a small part or parts of the bridge that have deteriorated or were built incorrectly from the beginning. Catastrophic and unexpected failures occur because nobody noticed the defect, or if a defect was noticed, it was judged to be less critical than it actually was.

      I am fairly sure that defects in critical areas, when they are noticed, do get periodic or real-time monitoring. The problem is that our bridges are just in a bad state of repair and inspection/maintenance budgets are often not adequate.

      --
      Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
  3. Firewalls for the Great Wall by The Eight-Bit Link · · Score: 5, Informative

    Whenever I use something that connects to my network that I ordered direct from China, as a rule-of-thumb I don't let anything to or from it cross my router. I have a specific access point for anything wireless, and ports on my managed switch for anything wired.

  4. This is why by Anonymous Coward · · Score: 1

    All internet access for untrusted devices like this is blocked at my router firewall by their MAC address. Access denied, you assholes.

    1. Re:This is why by gstoddart · · Score: 1

      All internet access for untrusted devices like this is blocked at my router firewall by their MAC address.

      LOL, brilliant ... that'll show your IoT devices what for. Take away the Internet part, and they're just things.

      Might I suggest not connecting them to the network either? That'll keep them secure.

      Or, you know, just don't buy them.

      --
      Lost at C:>. Found at C.
    2. Re:This is why by Anonymous Coward · · Score: 2, Insightful

      My network UPNP radios play music from my server only. They don't need internet access.

      My IP cameras record video to my server as well. They don't need internet access so they are blocked too.

      My managed network switch doesn't need internet access, so it is blocked.

      My network printer doesn't need internet.

      The IPMI on my server doesn't get internet access.

      My Windows machines are next.

    3. Re:This is why by Anonymous Coward · · Score: 1

      Don't be dull. It's perfectly rational to run a camera with a TCP/IP stack so it can send pictures to a server in your local network, but block it from sending anything elsewhere.

      The problem is and always has been "the Cloud", which is synonymous with free access for your government, your enemy's government, any enterprise large enough to have a cushy contract with either of the above, any private organisation with enough resources to break into the above, anyone with enough money to pay any of the above, and the occasional 17 year old who finds a vulnerability.

    4. Re:This is why by kamaaina · · Score: 1

      Over time I start to trust some applications, I keep an eye out for vulnerabilities though, but one of those applications is openvpn. I block all my IOT devices from accessing the Internet, and when I want access I VPN in. In some cases, I can put a web server in front of the IOT device, with cameras, I like ZoneMinder and others have said they like Blue Iris.

      I am looking at outside services, like Adafruit.IO and AWS IoT to show me some pretty graphs. Still assessing, but would hope there is a way I can proxy the data through a Linux box and securely via SSL, send the data to them. At least in that case I can control what data goes to them, some stuff I might not care if the public knows, like the temp outside my house or if the deck lights turned on.

    5. Re:This is why by dfn5 · · Score: 2

      LOL, brilliant ... that'll show your IoT devices what for. Take away the Internet part, and they're just things.

      No, it becomes an Intranet of things. Which conveniently still has the acronym IoT and is probably what the device was intended for in the first place.

      --
      -- Thou hast strayed far from the path of the Avatar.
    6. Re:This is why by number6x · · Score: 1

      That's perfect, since your router has a back door it will be easy for hackers to get that list of mac addresses so they can target all of your devices more quickly!

    7. Re:This is why by hoggoth · · Score: 1

      Note to team: Add ability to sniff the LAN for good MAC addresses and spoof them when sending photos back to the mother country
      Thanks.

      --
      - For the complete works of Shakespeare: cat /dev/random (may take some time)
    8. Re:This is why by Sax Russell 5449D29A · · Score: 1

      Might I suggest not connecting them to the network either? That'll keep them secure.

      Or, you know, just don't buy them.

      I agree. We should invest our money in trustworthy major companies such as Cisco and Juniper instead.

      --
      -SR
  5. Seriously take a look at the network traffic by Anonymous Coward · · Score: 0

    All of the Chinese cameras send unencrypted feeds to their servers. Those 'remote access' CCTVs you buy from China send the data whether you subscribe to their remote portal or not and the data isn't encrypted. The idea is you can log into their server and see your camera feed. But people need to realize the consequences of having your feeds sent to some crappy Chinese company employing $ a day people.

    Mind you, is it any better when your networked camera from USA does exactly the same thing?

    Because all of these portal cameras are doing this.

  6. Bats... by Anonymous Coward · · Score: 0

    What's the problem with the celestial pussy crack? I wish we could execute criminals in Brazil like chinese do. Mainly public politics. Sincerely.

  7. Open source? by Bert64 · · Score: 1

    It looks like the source wasn't actually open, based on the guy requesting a copy of the sources...

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    1. Re:Open source? by Anonymous Coward · · Score: 1

      Found it:
      https://github.com/simonjiuan/ipc/blob/77d15510f24fdd8215756c36ddd8d0f3d525b53e/src/cgi_misc.c

    2. Re:Open source? by Anonymous Coward · · Score: 0

      So it just loops forever building the email string?

    3. Re:Open source? by Anonymous Coward · · Score: 0

      What does pulled by developer mean?

      I thought a GPL license was irrevocable.

    4. Re:Open source? by softnewsit · · Score: 1

      He took it off GitHub

      --
      Go away!
  8. Might explain a few things by Anonymous Coward · · Score: 0

    A while ago I was bored and started scanning my local ISP subnets for open telnet ports. Well what do you know one was open. The prompt was unique and it was for some kind of DVR box. The default password was still in place and logged me into BusyBox. Oddly enough there were a few other logins from addresses in India and China. The box had four drives and each one was at 100% capacity. I did manage to TFTP a piece of a recorded file off the box and it was indeed someone's home DVR. They were outdoor cameras facing the street but I couldn't identify the location.

    1. Re:Might explain a few things by phishybongwaters · · Score: 1

      You must have a pretty lax ISP, the second my script borked and started port scanning I was contacted and reminded of the acceptable use policy. The other major ISP here actually blocks a lot of stuff by default and you have to specifically request it be opened for you.

  9. Try google better by Anonymous Coward · · Score: 4, Informative

    They could not find a reference to MVPOWER???
    How hard did they try?

    Did they not try looking up trademarks? There is that little (R) symbol ya know....

    Aukey E-Business Co. owns the trademark MVPower
    Anthea Lee is registered name
    Been active since 2013.

    Shosho II, Ernest is the lawyer's name that registered
    Other company registered same people is Aglaia

    The parent company's name is Aukey E-Business Co., Ltd
    www.aukeys.com

    LongGang
    Huanan City
    Shenzhen, 518111
    China

  10. If you have nothing to hide ... by Anonymous Coward · · Score: 0

    ... this should not be an issue.

  11. Default Gateway by clonehappy · · Score: 2

    For any cheap/no-name/questionable IoT device: 0.0.0.0

    There is no reason any of this crap needs to be able to communicate directly out to the open internet. If you need to access it from off-site, use a VPN. If you have reason to believe the device may compromise other devices that DO have the ability to communicate outbound to the internet, then that device should be destroyed with fire and the manufacturer publicly shamed.

    When in doubt, don't give it a route.

    1. Re:Default Gateway by Aqualung812 · · Score: 4, Informative

      When in doubt, don't give it a route.

      I recall some of those Kronos time card devices I used years ago would learn the default gateway address on their own without being provided a route. They didn't even have a place to put in the default gateway.

      I have to assume these devices can find their way out, so I VLAN all IP cameras and don't allow them to access anything.

      --
      Grammer Nazis - I mod you "troll" unless you actually add something on-topic. Yes, I know I have mispellings in my sig.
  12. Re:GitHub, The Savior by k6mfw · · Score: 1

    Note I fully support the "we stand on the shoulders of giants." And that's the thing, it's stand on their shoulders, not "steal" everything they have with no understanding of it whatsoever.

    Sounds like "on the shoulders of giants" meaning not re-invent a software language that already exists but still have to work and study to know how to use it, how to write and implement it, get a good feeling on what works/what doesn't work. It ain't easy learning this stuff (and I sometimes wonder how those "giants" ever figured out this stuff), as opposed to "oh, just copy/paste/download/run-this-stuff and it's real easy and cheap."

    --
    mfwright@batnet.com
  13. It's not a back door, it is a feature! by Anonymous Coward · · Score: 0

    If you would read the documentation, you would realize that one of the DVR's features is you can view your security pictures from your smart phone, or another computer on the internet... You know, so you can remotely check your house/business/etc..

    How are you going to reliably do that on a home internet connection that has a dynamic IP address?

    The way the manufacturer worked out the problem was to host a server, in China, that has a record of your DVR's account/serial number. If you configure it to, your DVR will periodically send its current IP address to that host server where it is stored into a directory. When your smart phone application is asked to show your DVR video feed, it goes to the same server, in China, retrieves the current dynamic IP address of your DVR, and uses that address to log onto the website hosted on your DVR.

    Looks evil, probably can be used for evil, but is about the only way to make your DVR work on your smart phone/remote internet device when you have a dynamic IP address.

    -Chuck

    1. Re:It's not a back door, it is a feature! by phishybongwaters · · Score: 1

      The article makes it sound like this feature was enabled in the code, by default, with no user interaction to actually activate it. It's still not a backdoor, but it IS sending screenshots off to an EMAIL address. Think about that. How does that enable you retrieving your feed? It doesn't. But it does give the developer a bunch of screenshots of whatever you were filming, direct to his inbox. Honestly this sounds like a debugging feature left in the code to me. But whatever.

    2. Re:It's not a back door, it is a feature! by Anonymous Coward · · Score: 0

      https://en.wikipedia.org/wiki/Dynamic_DNS

    3. Re:It's not a back door, it is a feature! by Anonymous Coward · · Score: 1

      Actually it sounds like 2 separate issues:

      1. I note that the device has a backdoor vulnerability in the web frontend (/shell?) in file /root/dvr_app and

      2. appears to email you pictures from the CCTV (target=lawishere@yeah.net&subject=Who are you?&content=%s&snapshot=yes&vin=0&size=320x180)
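
As an added example (not part of the thread and not code from the firmware or its GitHub project): a defender auditing a firmware image can search its printable strings for the pattern quoted in the comment above, a query-string template that carries a hard-coded e-mail recipient. The blob below is constructed, only the template string is taken from the comment, and the function names are hypothetical.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample standing in for bytes carved out of a firmware binary.
# Only the "target=...&size=320x180" template comes from the comment above;
# the surrounding bytes and the second string are made up for illustration.
SAMPLE_BLOB = (
    b"\x7fELF\x01\x01\x00\x00/bin/sh\x00"
    b"target=lawishere@yeah.net&subject=Who are you?&content=%s"
    b"&snapshot=yes&vin=0&size=320x180\x00"
    b"\x00\x13\x01GET /index.html?lang=en&theme=dark\x00\xff\xfe"
)

MIN_LEN = 8  # shortest printable run worth inspecting, like `strings -n 8`
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def printable_strings(blob):
    """Return runs of printable ASCII found in a binary blob."""
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(blob)]


def hardcoded_recipients(blob):
    """Flag query-string-like strings whose parameters include a fixed e-mail address."""
    findings = []
    for s in printable_strings(blob):
        # Cheap pre-filter: only strings shaped like key=value&key=value.
        if "=" not in s or "&" not in s:
            continue
        params = dict(parse_qsl(s, keep_blank_values=True))
        recipients = [v for v in params.values() if EMAIL.fullmatch(v)]
        if not recipients:
            continue
        findings.append({
            "string": s,
            "recipients": recipients,
            # snapshot=yes means an image is attached to the outgoing message.
            "sends_snapshot": params.get("snapshot", "").lower() == "yes",
            # A printf-style placeholder shows the body is filled in at run time.
            "has_format_placeholder": any("%s" in v for v in params.values()),
        })
    return findings


if __name__ == "__main__":
    for finding in hardcoded_recipients(SAMPLE_BLOB):
        print(finding["recipients"], "snapshot:", finding["sends_snapshot"])
        print("  ", finding["string"])
```

A hit like this only says where to look; confirming that the string is actually used, and when, still means reading the code path that references it.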

  14. Probably Just a Peep by Anonymous Coward · · Score: 0

    It was probably nothing serious, just a peeping Bai.

  15. Science skulls by SehrAlshark · · Score: 0

    A great find for science skulls Thank you for your beautiful and informative website http://stadearabs.blogspot.com...

  16. Fork any repository that's important to you by Anonymous Coward · · Score: 0

    It's a shame Gregory Fenton didn't fork the project - the evidence would still be there and users unfortunate enough to have bought one of the devices might have had chance of removing the backdoor.