Backdoor In MVPower DVR Firmware Sends CCTV Stills To an Email Address In China (softpedia.com)

← Back to Stories (view on slashdot.org)

Backdoor In MVPower DVR Firmware Sends CCTV Stills To an Email Address In China (softpedia.com)

Posted by timothy on Wednesday February 17, 2016 @01:00AM from the candid-camera dept.

An anonymous reader writes: An IoT security research company has discovered that a DVR model manufactured by MVPower includes a backdoor-like feature in its code that takes a screenshot of your CCTV feed and sends it to an email address hosted somewhere in China. The device's firmware is based on an open source project from GitHub that was pulled by its developer when someone confronted him about the backdoor.

37 of 60 comments (clear)

Min score:

Reason:

Sort:

DUH. by Lumpy · 2016-02-17 01:07 · Score: 4, Informative

All of the China crap you need to ASSUME it is riddled with backdoors and other security problems and even sending your info elsewhere. The China ONVIF security cameras are FILLED with this kind of crap.

--
Do not look at laser with remaining good eye.
1. Re:DUH. by Anonymous Coward · 2016-02-17 01:53 · Score: 1
  
  All of the China crap you need to ASSUME it is riddled with backdoors and other security problems and even sending your info elsewhere. The China ONVIF security cameras are FILLED with this kind of crap.
  Is that you Donald?
  Is that you Mao?
2. Re: DUH. by bill_mcgonigle · 2016-02-17 01:56 · Score: 1
  
  Yeah, I have one of those cameras - by default it makes your security camera into a public webcam.
  Now, I can do VLANs and put firewall rules in, but most people aren't even paranoid enough to think to look.
  Then again, they just want to buy cheap crap off eBay, not hire a pro who knows the ins and outs of the product field.
  For most cases of blaming cheap manufacturers, there's a cheap consumer who wants pro quality for rock-bottom pricing.
  
  --
  My God, it's Full of Source!
  OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
3. Re: DUH. by Anonymous Coward · 2016-02-17 02:10 · Score: 1
  
  Cough.... Is using search engines a dead lost skill?
  They could not find a reference to MVPOWER???
  How hard did they try?
  Did they not try looking up trademarks? There is that little (R) symbol ya know....
  Aukey E-Business Co. owns the trademark MVPower
  Anthea Lee is registered name
  Been active since 2013.
  Shosho II, Ernest is the lawyers name that registered
  Other company registered same people is Aglaia
  The parent companies name is Aukey E-Business Co., Ltd
  www.aukeys.com
  LongGang
  Huanan City
  Shenzhen, 518111
  China
4. Re:DUH. by AmiMoJo · 2016-02-17 02:18 · Score: 4, Insightful
  
  Why single out the Chinese? Most American crap has a backdoor and multiple security holes too. At least the Chinese haven't started giving you the "Error 53" middle finger when you try to repair their crap.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
5. Re:DUH. by k6mfw · 2016-02-17 02:37 · Score: 1
  
  American companies seem to not care about security either.
  Interesting contrast to the other story about American govts want backdoors to iPhones, all those who searched for ISIS on Google, etc.
  
  --
  mfwright@batnet.com
6. Re: DUH. by k6mfw · 2016-02-17 02:39 · Score: 1
  
  Then again, they just want to buy cheap crap off eBay,
  There are some cheap VHS machines on ebay, and none of those send emails to China.
  
  --
  mfwright@batnet.com
7. Re:DUH. by DNS-and-BIND · 2016-02-17 03:17 · Score: 1
  
  Because every time this happens, you look on the back of the device and it says, "MADE IN CHINA". Seriously, people have to tell you these things?
  
  --
  Shutting down free speech with violence isn't fighting fascism. It IS fascism!
8. Re: DUH. by kilfarsnar · 2016-02-17 03:32 · Score: 2
  
  Yeah, I have one of those cameras - by default it makes your security camera into a public webcam.
  Now, I can do VLANs and put firewall rules in, but most people aren't even paranoid enough to think to look.
  Then again, they just want to buy cheap crap off eBay, not hire a pro who knows the ins and outs of the product field.
  For most cases of blaming cheap manufacturers, there's a cheap consumer who wants pro quality for rock-bottom pricing.
  “We’ve arranged a society on science and technology in which nobody understands anything about science and technology, and this combustible mixture of ignorance and power sooner or later is going to blow up in our faces. I mean, who is running the science and technology in a democracy if the people don’t know anything about it?” – Carl Sagan
  Modern technology might as well be magic to most people. They don't have the expertise, critical thinking skills, or self restraint to make informed decisions about the tech they buy and use. As you say, they just want it. And people are naive. I had to laugh years ago when it came out that Taco Bell's $.79 taco didn't contain 100% beef. People were pissed. But Taco Bell's response was basically, "You buy a 79 cent taco and think it's all beef?"
  But yeah, that's what people thought because they are naive. On another note, one of my old bosses got out of corporate IT a while ago. When I asked him why he said, "Everyone expects dial tone." What he meant was people want stuff to just work. They have no idea of what it takes to make things work and they don't care. Just make it work. So we get things like insecure or backdoored IoT devices.
  
  --
  "What the American public doesn't know is what makes them the American public." -Ray Zalinsky (Tommy Boy)
9. Re:DUH. by drinkypoo · 2016-02-17 03:48 · Score: 1
  
  At least the Chinese haven't started giving you the "Error 53" middle finger when you try to repair their crap.
  Sure, they just don't give you an error, so you think it's your fault, just as they don't put brand names on their most shit products so that you can't track down who made them to complain. That's improvement?
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
10. Re:DUH. by dave420 · 2016-02-17 04:11 · Score: 2
  
  So you don't understand how electronics work. Gotcha. Thanks for clearing that up for all of us.
11. Re:DUH. by AmiMoJo · 2016-02-17 04:36 · Score: 1
  
  Most products without branding are built for western companies to western specifications, so that they can have a western label slapped on them later. If you buy quality branded Chinese stuff it's pretty good. OnePlus, Xaomi, Yuin, Rigol, Siglent, Huwawei.... Just a few I can think of off the top of my head that have similar quality to western companies, but don't try to screw you so hard with DRM.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
12. Re:DUH. by Lumpy · 2016-02-17 06:12 · Score: 1
  
  News flash. your iPhone is MADE IN CHINA.
  
  --
  Do not look at laser with remaining good eye.
Internet of Turds ... by Anonymous Coward · 2016-02-17 01:10 · Score: 1

The only good internet connected device is one which isn't connected to the internet.
You people can keep your stupid fucking IoT garbage.
There's no need for this shit other than idiots who want something shiny to use with their cellphone.
Have fun getting pwn3ed, suckers.
1. Re:Internet of Turds ... by Sax+Russell+5449D29A · 2016-02-17 01:26 · Score: 2
  
  It's OK for devices to be networked over WAN, but devices such as security cameras should *never* be accessible or able to access WAN directly. A few simple firewall rules and some site-to-site VPN piping would do the trick and wouldn't take long at all to set up. Just one of many possible ways of doing it right.
  By the way, I wouldn't count security cameras as IoT.
  
  --
  -SR
2. Re:Internet of Turds ... by Applehu+Akbar · 2016-02-17 01:27 · Score: 1
  
  There's a lot more potential to IoT than cellphone control of personal gadgets. I would really like to see bridge beams that provide continuous real-time reports of the stress they are under with daily traffic. Engineers would use the data not just to warn of imminent failure, but in the long run to design better infrastructure. So what if China might be watching the data stream to design better bridges of their own?
3. Re:Internet of Turds ... by dj245 · 2016-02-17 03:42 · Score: 1
  
  There's a lot more potential to IoT than cellphone control of personal gadgets. I would really like to see bridge beams that provide continuous real-time reports of the stress they are under with daily traffic. Engineers would use the data not just to warn of imminent failure, but in the long run to design better infrastructure. So what if China might be watching the data stream to design better bridges of their own?
  That wouldn't be difficult to do. You would just need to epoxy strain gauges (very cheap devices) onto the locations of your choosing, collect that data with data aquisition devices, and store it for periodic pickup, or else transmit it over a network. Unfortunately, that wouldn't tell us much of interest. Most bridge failures are caused by a small part or parts of the bridge that have deteriorated or were built incorrectly from the beginning. Catastrophic and unexpected failures occur because nobody noticed the defect, or if a defect was noticed, it was judged to be less critical than it actually was.
  
  I am fairly sure that defects in critical areas, when they are noticed, do get periodic or real-time monitoring. The problem is that our bridges are just in a bad state of repair and inspection/maintenance budgets are often not adequate.
  
  --
  Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
Firewalls for the Great Wall by The+Eight-Bit+Link · 2016-02-17 01:15 · Score: 5, Informative

Whenever I use something that connects to my network that I ordered direct from China, as a rule-of-thumb I don't let anything to or from it cross my router. I have a specific access point for anything wireless, and ports on my managed switch for anything wired.
This is why by Anonymous Coward · 2016-02-17 01:17 · Score: 1

All internet access for untrusted devices like this are blocked at my router firewall by their MAC address. Access denied, you assholes.
1. Re:This is why by gstoddart · 2016-02-17 01:24 · Score: 1
  
  All internet access for untrusted devices like this are blocked at my router firewall by their MAC address.
  LOL, brilliant ... that'll show your IoT devices what for. Take away the Internet part, and they're just things.
  Might I suggest not connecting them to the network either? That'll keep them secure.
  Or, you know, just don't buy them.
  
  --
  Lost at C:>. Found at C.
2. Re:This is why by Anonymous Coward · 2016-02-17 01:38 · Score: 2, Insightful
  
  My network UPNP radios play music from my server only. They don't need internet access.
  My IP cameras record video to my server as well. They don't need internet access so they are blocked too.
  My managed network switch doesn't need internet access, so it is blocked.
  My network printer doesn't need internet.
  The IPMI on my server doesn't get internet access.
  My Windows machines are next.
3. Re:This is why by Anonymous Coward · 2016-02-17 01:38 · Score: 1
  
  Don't be dull. It's perfectly rational to run a camera with a TCP/IP stack so it can send pictures to a server in your local network, but block it from sending anything anything elsewhere.
  The problem is and always has been "the Cloud", which is synonymous with free access for your government, your enemy's government, any enterprise large enough to have a cushy contract with either of the above, any private organisation with enough resources to break into the above, anyone with enough money to pay any of the above, and the occasional 17 year old who finds a vulnerability.
4. Re:This is why by kamaaina · 2016-02-17 01:47 · Score: 1
  
  Over time I start to trust some applications, I keep an eye out for vulnerabilities though, but one of those applications is openvpn. I block all my IOT devices from accessing the Internet, and when I want access I VPN in. In some cases, I can put a web server in front of the IOT device, with cameras, I like ZoneMinder and others have said they like Blue Iris.
  I am looking at outside services, like Adafruit.IO and AWS IoT to show me some pretty graphs. Still assessing, but would hope there is a way I can proxy the data through a Linux box and securely via SSL, send the data to them. At least in that case I can control what data goes to them, some stuff I might not care if the public knows, like the temp outside my house or if the deck lights turned on.
5. Re:This is why by dfn5 · 2016-02-17 02:11 · Score: 2
  
  LOL, brilliant ... that'll show your IoT devices what for. Take away the Internet part, and they're just things.
  No, it becomes an Intranet of things. Which conveniently still has the acronym IoT and is probably what the device was intended for in the first place.
  
  --
  -- Thou hast strayed far from the path of the Avatar.
6. Re:This is why by number6x · 2016-02-17 03:48 · Score: 1
  
  That's perfect, since your router has a back door it will be easy for hackers to get that list of mac addresses so they can target all of your devices more quickly!
7. Re:This is why by hoggoth · 2016-02-17 06:59 · Score: 1
  
  Note to team: Add ability to sniff the LAN for good MAC addresses and spoof them when sending photos back to the mother country
  Thanks.
  
  --
  - For the complete works of Shakespeare: cat /dev/random (may take some time)
8. Re:This is why by Sax+Russell+5449D29A · 2016-02-17 08:12 · Score: 1
  
  Might I suggest not connecting them to the network either? That'll keep them secure.
  Or, you know, just don't buy them.
  I agree. We should invest our money in trustworthy major companies such as Cisco and Juniper instead.
  
  --
  -SR
Open source? by Bert64 · 2016-02-17 01:35 · Score: 1

It looks like the source wasn't actually open, based on the guy requesting a copy of the sources...

--
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
1. Re:Open source? by Anonymous Coward · 2016-02-17 01:53 · Score: 1
  
  Found it:
  https://github.com/simonjiuan/ipc/blob/77d15510f24fdd8215756c36ddd8d0f3d525b53e/src/cgi_misc.c
2. Re:Open source? by softnewsit · 2016-02-17 02:58 · Score: 1
  
  He took it off GitHub
  
  --
  Go away!
Try google better by Anonymous Coward · 2016-02-17 01:40 · Score: 4, Informative

They could not find a reference to MVPOWER???
How hard did they try?
Did they not try looking up trademarks? There is that little (R) symbol ya know....
Aukey E-Business Co. owns the trademark MVPower
Anthea Lee is registered name
Been active since 2013.
Shosho II, Ernest is the lawyers name that registered
Other company registered same people is Aglaia
The parent companies name is Aukey E-Business Co., Ltd
www.aukeys.com
LongGang
Huanan City
Shenzhen, 518111
China
Default Gateway by clonehappy · 2016-02-17 01:48 · Score: 2

For any cheap/no-name/questionable IoT device: 0.0.0.0
There is no reason any of this crap needs to be able to communicate directly out to the open internet. If you need to access it from off-site, use a VPN. If have reason to believe the device may compromise other devices that DO have the ability to communicate outbound to the internet, then that device should be destroyed with fire and the manufacturer publicly shamed.
When in doubt, don't give it a route.
1. Re:Default Gateway by Aqualung812 · 2016-02-17 03:19 · Score: 4, Informative
  
  When in doubt, don't give it a route.
  I recall some of those Kronos time card devices I used years ago would learn the default gateway address on their own without being provided a route. They didn't even have a place to put in the default gateway.
  I have to assume these devices can find their way out, so I VLAN all IP cameras and don't allow them to access anything.
  
  --
  Grammer Nazis - I mod you "troll" unless you actually add something on-topic. Yes, I know I have mispellings in my sig.
Re:GitHub, The Savior by k6mfw · 2016-02-17 02:48 · Score: 1

. Note I fully support the "we stand on the shoulders of giants." And that's the thing, it's stand on their shoulders, not "steal" everything they have with no understanding of it whatsoever.
Sounds like "on the shoulders of giants" meaning not re-invent a software language that already exists but still have to work and study to know how to use it, how to write and implement it, get a good feeling on what works/what doesn't work. It ain't easy learning this stuff (and I sometimes wonder how those "giants" ever figured out this stuff), as opposed to "oh, just copy/paste/download/run-this-stuff and it's real easy and cheap."

--
mfwright@batnet.com
Re:Might explain a few things by phishybongwaters · 2016-02-17 03:37 · Score: 1

You must have a pretty lax ISP, the second my script borked and started port scanning I was contacted and reminded of the acceptable use policy. The other major ISP here actually blocks a lot of stuff by default and you have to specifically request it be opened for you.
Re:It's not a back door, it is a feature! by phishybongwaters · 2016-02-17 03:41 · Score: 1

The article makes it sound like this feature was enabled in the code, by default, with no user interaction to actually activate it. It's still not a backdoor, but it IS sending screenshots off to an EMAIL address. Think about that. How does that enable you retrieving your feed? It doesn't. But it does give the developer a bunch of screenshots of whatever you were filming, direct to his inbox. Honestly this sounds like a debugging feature left in the code to me. But whatever.
Re:It's not a back door, it is a feature! by Anonymous Coward · 2016-02-17 08:12 · Score: 1

Actually it sounds like 2 separate issues:
1. I note that the device has a backdoor vulnerability in the web frontend (/shell?) in file /root/dvr_app and
2. appears to email you pictures from the CCTV (target=lawishere@yeah.net&subject=Who are you?&content=%s&snapshot=yes&vin=0&size=320x180)