Backdoor In MVPower DVR Firmware Sends CCTV Stills To an Email Address In China

An anonymous reader writes: An IoT security research company has discovered that a DVR model manufactured by MVPower includes a backdoor-like feature in its code that takes a screenshot of your CCTV feed and sends it to an email address hosted somewhere in China. The device's firmware is based on an open source project from GitHub that was pulled by its developer when someone confronted him about the backdoor.

DUH.

[Lumpy]

All of the China crap you need to ASSUME it is riddled with backdoors and other security problems and even sending your info elsewhere. The China ONVIF security cameras are FILLED with this kind of crap.

Re:DUH.

[AmiMoJo]

Why single out the Chinese? Most American crap has a backdoor and multiple security holes too. At least the Chinese haven't started giving you the "Error 53" middle finger when you try to repair their crap.

Re: DUH.

[kilfarsnar]

Yeah, I have one of those cameras - by default it makes your security camera into a public webcam.

Now, I can do VLANs and put firewall rules in, but most people aren't even paranoid enough to think to look.

Then again, they just want to buy cheap crap off eBay, not hire a pro who knows the ins and outs of the product field.

For most cases of blaming cheap manufacturers, there's a cheap consumer who wants pro quality for rock-bottom pricing.

“We’ve arranged a society on science and technology in which nobody understands anything about science and technology, and this combustible mixture of ignorance and power sooner or later is going to blow up in our faces. I mean, who is running the science and technology in a democracy if the people don’t know anything about it?” – Carl Sagan

Modern technology might as well be magic to most people. They don't have the expertise, critical thinking skills, or self restraint to make informed decisions about the tech they buy and use. As you say, they just want it. And people are naive. I had to laugh years ago when it came out that Taco Bell's $.79 taco didn't contain 100% beef. People were pissed. But Taco Bell's response was basically, "You buy a 79 cent taco and think it's all beef?"

But yeah, that's what people thought because they are naive. On another note, one of my old bosses got out of corporate IT a while ago. When I asked him why he said, "Everyone expects dial tone." What he meant was people want stuff to just work. They have no idea of what it takes to make things work and they don't care. Just make it work. So we get things like insecure or backdoored IoT devices.

Re:DUH.

[dave420]

So you don't understand how electronics work. Gotcha. Thanks for clearing that up for all of us.

Firewalls for the Great Wall

[The+Eight-Bit+Link]

Whenever I use something that connects to my network that I ordered direct from China, as a rule-of-thumb I don't let anything to or from it cross my router. I have a specific access point for anything wireless, and ports on my managed switch for anything wired.

Re:Internet of Turds ...

[Sax+Russell+5449D29A]

It's OK for devices to be networked over WAN, but devices such as security cameras should *never* be accessible or able to access WAN directly. A few simple firewall rules and some site-to-site VPN piping would do the trick and wouldn't take long at all to set up. Just one of many possible ways of doing it right.

By the way, I wouldn't count security cameras as IoT.

Re:This is why

My network UPNP radios play music from my server only. They don't need internet access.

My IP cameras record video to my server as well. They don't need internet access so they are blocked too.

My managed network switch doesn't need internet access, so it is blocked.

My network printer doesn't need internet.

The IPMI on my server doesn't get internet access.

My Windows machines are next.

Try google better

They could not find a reference to MVPOWER???
How hard did they try?

Did they not try looking up trademarks? There is that little (R) symbol ya know....

Aukey E-Business Co. owns the trademark MVPower
Anthea Lee is registered name
Been active since 2013.

Shosho II, Ernest is the lawyers name that registered
Other company registered same people is Aglaia

The parent companies name is Aukey E-Business Co., Ltd
www.aukeys.com

LongGang
Huanan City
Shenzhen, 518111
China

Default Gateway

[clonehappy]

For any cheap/no-name/questionable IoT device: 0.0.0.0

There is no reason any of this crap needs to be able to communicate directly out to the open internet. If you need to access it from off-site, use a VPN. If have reason to believe the device may compromise other devices that DO have the ability to communicate outbound to the internet, then that device should be destroyed with fire and the manufacturer publicly shamed.

When in doubt, don't give it a route.

Re:Default Gateway

[Aqualung812]

When in doubt, don't give it a route.

I recall some of those Kronos time card devices I used years ago would learn the default gateway address on their own without being provided a route. They didn't even have a place to put in the default gateway.

I have to assume these devices can find their way out, so I VLAN all IP cameras and don't allow them to access anything.

Re:This is why

[dfn5]

LOL, brilliant ... that'll show your IoT devices what for. Take away the Internet part, and they're just things.

No, it becomes an Intranet of things. Which conveniently still has the acronym IoT and is probably what the device was intended for in the first place.