Slashdot Mirror


Hard-Coded Password Exposes Video Surveillance DVRs To Hacking (csoonline.com)

itwbennett writes: Security researchers from vulnerability intelligence firm Risk Based Security (RBS) have found that DVRs from RaySharp and six other vendors have a basic vulnerability: They accept a hard-coded, unchangeable password for the root account. "RaySharp DVR devices provide a Web-based interface through which users can view camera feeds, manage recording and system settings and use the pan-tilt-zoom (PTZ) controls of connected surveillance cameras. Gaining access to this management interface would provide an attacker with full control over the surveillance system," writes Lucian Constantin. RaySharp claims on its website that it ships over 60,000 DVRs globally every month, but the Chinese company also creates digital video recorders and firmware for other companies. The RBS researchers confirmed that at least some of the DVR products from König, Swann Communications, COP-USA, KGUARD Security, Defender (a brand of Circus World Displays) and LOREX Technology, a division of FLIR Systems, contain the same hard-coded root password.

41 comments

  1. well, of course they do by turkeydance · · Score: 0, Troll

    most everything does

    1. Re:well, of course they do by Killall -9 Bash · · Score: 0

      +1 insightful.

      Seriously, everything has a manufacturer back door. Most of the time you don't know about it, but it's there. Usually they're smart enough to not give it out, making you instead ship it back to them for a password reset (what, you thought they pressed the invisible RESET PASSWORD button you couldn't find on the circuit board??).

      The security breach here is the manufacturer releasing this info, and it getting posted on the web.

      --
      "Prediction: within 10 years, Windows will be a Linux distribution." Me, 7-6-2016
    2. Re:well, of course they do by Dutch Gun · · Score: 1

      Apparently, Apple is the only company in the world that doesn't have some idiotic hard-coded master password embedded in their firmware.

      Or... that's what they want us to think...

      --
      Irony: Agile development has too much inertia to be abandoned now.
    3. Re:well, of course they do by Jeremi · · Score: 2

      (what, you thought they pressed the invisible RESET PASSWORD button you couldn't find on the circuit board??).

      At the risk of asking a stupidly obvious question, why not just have a "reset to factory defaults" button somewhere on the device? That's what all the routers seem to have these days, and assuming that you can keep the device physically out of the wrong hands, that seems like a reasonable solution to the inevitable "I don't remember my password anymore" problems.

      --
      I don't care if it's 90,000 hectares. That lake was not my doing.
    4. Re:well, of course they do by Anonymous Coward · · Score: 0

      A mfg backdoor can take many forms.

      In the large majority of use cases, one which compromises the *physical* security of the device in exchange for convenience is tolerable because physical security is presumed to have been dealt with at a higher level (the locked door to the home, machine room or business), and the much greater level of targeting required and downside risks associated with a physical attack: No, Virginia, the hackers aren't going to commit B&E at your suburban house to plug into your router's root serial console or press the password-reset button in order to take it over.

      Physical security has never been the problem (for most users). But welcome to the era of ubiquitous networking! A hardcoded non-changeable root p/w is a 10/10-severity, remote-root, complete-instant-and-total-pwn@g3 security compromise for anything that's networked, and if it was burned into ROM it's even worse because there's literally nothing you can do to fix it. Frankly, any manufacturer which sells devices containing such an easily-avoidable and incredibly dangerous security failure should be subject to harsh legal sanctions. Their incompetence is directly threatening *everybody's* network usability and security.

    5. Re:well, of course they do by KGIII · · Score: 1

      Please tell me that you don't actually believe that to be true? I mean, "everything?" Seriously? Do you have a rather shiny hat or something?

      --
      "So long and thanks for all the fish."
    6. Re:well, of course they do by Nikademus · · Score: 1

      You mean like root:alpine ?

      --
      I gave up with the idea of a useful sig...
  2. Tired Of COPS & Barney Miller Reruns Anyways by zenlessyank · · Score: 1

    Watching folks cut their lawn and the cars go by seems a little more entertaining.

  3. Let me guess.... by DidgetMaster · · Score: 1

    Username = Admin, Password = Admin

    1. Re: Let me guess.... by Anonymous Coward · · Score: 0

      Sometimes it's User: admin Password: password

    2. Re: Let me guess.... by DidgetMaster · · Score: 1

      Well, if it's at least case sensitive that will slow the hackers down...a few microseconds

    3. Re:Let me guess.... by Anonymous Coward · · Score: 0

      To be fair, the password may have been: 12345
      That's what Panasonic uses, anyways.

  4. 'Cause they prolly use 'em by Impy the Impiuos Imp · · Score: 1

    Thanks for exposing this!

    Sigh.

    So much for another fappening.

    --
    (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
  5. What do you expect? by bobbied · · Score: 2

    You get what you pay for. If you go for the cheap solution, you get the cheap solution, always. Or to quote the article....

    "Consumers should be aware that when buying especially lower-end devices made in China, there is a significant risk of the devices having serious flaws that won't ever be addressed," said Carsten Eiram, chief research officer at RBS

    Besides, if you REALLY are security minded, who puts this kind of device just out in the wild for all to see and use? At least put it behind a VPN, where you can hope to control access to it. If nothing else, use a protected proxy connection.... Don't just put the HTTP/HTTPS port from some cheap device you own on the internet unless you really don't care who accesses it.

    --
    "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    1. Re:What do you expect? by Anonymous Coward · · Score: 0

      This kind of stuff is sold as plug and play, security is an afterthought if it's considered at all. The people who deploy these setups don't know or don't care either. They assume if they're paying hundreds of dollars for something it must be good.

      My local franchise haircut place has free wifi. After visiting once, I saw an unrecognized IP come up on GMail as recently logging in my account. Had no idea who it was, checked ARIN, allocated to Time Warner. So my next instinct was to try the IP in my browser. Up pops a camera/recorder interface. A quick trip to google to find the default password, sure enough, it's a viewport to all the security cams in the haircut place. At least now I can check if there's any line or waiting before I go over there.

    2. Re:What do you expect? by Anonymous Coward · · Score: 0

      Besides, if you REALLY are security minded, who puts this kind of device just out in the wild for all to see and use? At least put it behind a VPN, where you can hope to control access to it. If nothing else, use a protected proxy connection.... Don't just put the HTTP/HTTPS port from some cheap device you own on the internet unless you really don't care who accesses it.

      You have no idea how many people likely do this. I had a job installing systems a bit over a decade ago. I would come install the systems, and then they would come in and have some friend who knows basic networking come in and hook the PVRs up to the internet. Most wanting to be able to keep an eye on things from a laptop while they were away on vacation.

      Sad thing is most of these PVR systems the company I worked for was selling were just running Windows XPe systems, unpatched, no service packs, full installs. Tampering with the system in any way, like uninstalling unneeded components, or installing extra software, for say firewall or antivirus, voided the warranty.

      Needless to say a lot of my return service calls involved systems that became infected with malware. My job was basically to unplug the things and send them off to the manufacturer for servicing.

      I have often wondered how many of these damn systems today are part of some botnet.

    3. Re:What do you expect? by arth1 · · Score: 1

      My local franchise haircut place has free wifi. After visiting once, I saw an unrecognized IP come up on GMail as recently logging in my account. Had no idea who it was, checked ARIN, allocated to Time Warner. So my next instinct was to try the IP in my browser. Up pops a camera/recorder interface. A quick trip to google to find the default password, sure enough, it's a viewport to all the security cams in the haircut place. At least now I can check if there's any line or waiting before I go over there.

      From this, we can conclude that you're not Richard Stallman. This is Useful Information.

    4. Re:What do you expect? by aaarrrgggh · · Score: 1

      Well said. Also, a lot of the people doing this themselves don't want the network person involved-- they don't want to tell anyone else the password... you know, so it is secure. We are guilty of having one of the Costco Lorex Specials that is also likely vulnerable. I have meant to do a firewall black hole on these but haven't gotten around to it yet. I can see the firewall is blocking traffic from it already, but I don't have everything locked down yet...

      Those pesky port 443 remote access keep-Alice's can be a pain to deal with.

    5. Re:What do you expect? by aaarrrgggh · · Score: 1

      Damn auto correct... Not Alice's... alives!!

    6. Re:What do you expect? by nnull · · Score: 2

      The vast majority of security companies who consider themselves "Professional" install these crappy systems and not only that, they request the client to open the port on their firewall to access it from the outside. These are the equivalent of contractors who continuously cut corners and when caught by inspectors, claim they've been doing this for many years without issues, so the inspector is in the wrong. When I tell the owners that their system is out in the open and most likely already compromised, they refuse to listen to me and think I'm crazy, then they sit around wondering why their internet is so slow.

      There's only one reason why they hire these people, it's because they're cheaper than the real professionals and cost cutting is the thing for management. Even if it means people would get hurt in the long run, the important thing here for them is that they saved the company money.

    7. Re:What do you expect? by Anonymous Coward · · Score: 0

      You get what you pay for. If you go for the cheap solution, you get the cheap solution, always.

      Nope, not in this case. Seems like even the most expensive and "quality" brands have back-doors and security holes galore or haven't you been reading the news this last couple of years?

    8. Re:What do you expect? by trevc · · Score: 1

      So the camera at the haircut place logged into your email account?

      This kind of stuff is sold as plug and play, security is an afterthought if it's considered at all. The people who deploy these setups don't know or don't care either. They assume if they're paying hundreds of dollars for something it must be good.

      My local franchise haircut place has free wifi. After visiting once, I saw an unrecognized IP come up on GMail as recently logging in my account. Had no idea who it was, checked ARIN, allocated to Time Warner. So my next instinct was to try the IP in my browser. Up pops a camera/recorder interface. A quick trip to google to find the default password, sure enough, it's a viewport to all the security cams in the haircut place. At least now I can check if there's any line or waiting before I go over there.

  6. Look at the Chinese by Anonymous Coward · · Score: 0

    I'm sure Donald Trump is happy!

  7. IoT Everywhere! Get with the future! by GerryGilmore · · Score: 1

    While there are certainly some benefits to be found in some of the IoT stuff, but - again - another case of people relying on providers who rely on suppliers who always shop on price and...tada! Lowest-common-denominator. Be very, very careful out there! Forget Big Brother, it's Big Everyone!

    1. Re:IoT Everywhere! Get with the future! by nnull · · Score: 1

      The thing is, even if you buy the more expensive gear, they would still install it so and so that it would get compromised regardless. The people installing these things have no clue what they're doing. IoT stuff is perfectly fine if the system is designed to keep it secure.

  8. At least it wasn't user/admin and admin/password by Anonymous Coward · · Score: 1

    From the article...

    At the very least, a DVR that accepts root and 519070 as username and password should not be exposed directly to the Internet.

    So
    Username root
    password 519070

    sweet free live drama :)

  9. Don't have a camera or microphone on your computer by Anonymous Coward · · Score: 0

    Oh, your computer is a phone?

  10. The password is . . . by Anonymous Coward · · Score: 0

    "password".

  11. Qsee is Bad too by kamaaina · · Score: 1

    If you have a Q-SEE QC444 DVR, you can telnet as root and hit enter and you have CLI

    Then add your own account to /mnt/mtd/Config/passwd and you will have a username and password to log in to the box.

    The banner when you log in says "Welcome to HiLinux." so there may be other DVRs that use this version that are vulnerable too.

    1. Re:Qsee is Bad too by Bert64 · · Score: 1

      A ton of vendors use the same software, just nominally rebranded... But often the passwords differ by vendor among other things.

      Given that these devices are all basically the same, and the default firmware is complete crap both from a security and usability perspective perhaps we could develop an open source replacement?

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    2. Re:Qsee is Bad too by Anonymous Coward · · Score: 0

      You certainly could. The HiSilicon SDK and documentation can be found on the internet. Use the Chinese documentation and translate it with Google Translate, it is much more complete than the English version. The English is good, but typically gives 1-2 sentences of explanation per item where the Chinese one gives 1-2 pages.

      Sadly you need many closed source blobs that are not redistributable so it may not be possible to do it legally. The blobs are for important parts of the chip: video encoder, camera interface, isp, ...

  12. Web vs login password by Anonymous Coward · · Score: 0

    Does anyone know if these are different?

    I have never found any for physical log in.

  13. FLIR, you scare me now. by Anonymous Coward · · Score: 0

    Glad Slashdot posted this, I was going to buy a Lorex system. Now I am not going to buy a Lorex system. I might buy a Flir Camera, but I will pick my own DVR. This is another I wonder if you can buy a blank firmware, and program it with open source firmware on things like this.

    1. Re:FLIR, you scare me now. by Bert64 · · Score: 1

      All these vendors are basically running the same software with minor rebranding, and it's Linux based, shouldn't be all that difficult to build a replacement...

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    2. Re:FLIR, you scare me now. by nnull · · Score: 1

      A lot of the more expensive stuff is rebranded Chinese made cheap stuff.

  14. Confirmed by Anonymous Coward · · Score: 0

    Just confirmed my DVR has it (K-Guard SHA-108.V2), used it to log into the DVR directly and through the web interface. Guess it's time to buy a new one, though as always you shouldn't put such devices anywhere really sensitive. All of my cameras are aimed outside the house so anyone who did gain access would get a wonderful view of a lawn/driveway. But seriously, when are companies going to learn how monumentally stupid it is to put hard coded pass-codes in devices.

  15. Welcome to the recycling centre by Anonymous Coward · · Score: 0

    Hello all RaySharp DVRs. Welcome to your local recycling centre.

    Worthless junk.

  16. Off-line by NotInHere · · Score: 1

    Told my parents to keep their surveillance cams offline and not connected to the internet. TFA is yet another confirmation that this was a good idea.

  17. Law Enforcement Backdoor by ImprovOmega · · Score: 1

    It's totally cool. Just like the FBI wants a backdoor for iPhones they can use this backdoor for surveillance systems! I'm sure nothing bad will ever happen from having this backdoor in place!

  18. Even a newb can find it. by Anonymous Coward · · Score: 0

    I have a Swann DVR.
    It took Nessus about a minute to display the password file.
    It took less than 1/2 hour to find, install, learn, and run JTR on the hash.
    The password is only 6 characters in length.
    It was my first experience with JTR, it was not painful at all.
    I did all this months ago, it took forever to get a message to SW regarding the vuln.
    The worst part is that there is not even a FW upgrade infrastructure in place (assuming they patch the vuln.).
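
An added example, not part of any comment in this thread and not vendor code: a Python audit of a passwd(5)-style file taken from a device you own, flagging password-less logins like the one comment 11 describes and legacy hash schemes, which matter once the password file can be read as in comment 18. It assumes the file follows the standard passwd(5) layout; the sample entries, hash strings and function names are constructed for illustration.

```python
import re

# Constructed sample in passwd(5) layout (name:password:uid:gid:gecos:home:shell).
# It is not taken from any real device; the hash strings are dummy values.
SAMPLE_PASSWD = """\
root::0:0:root:/root:/bin/sh
admin:abJnggxhB/yWI:0:0:admin:/:/bin/sh
service:$1$saltsalt$0123456789abcdefghijk.:500:500::/home/service:/bin/sh
operator:$6$saltsalt$dummyhashvalue:501:501::/home/operator:/bin/sh
daemon:*:1:1:daemon:/:/bin/false
www:x:33:33:www:/var/www:/bin/false
"""

DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")
MODULAR = {"1": "md5-crypt", "5": "sha256-crypt", "6": "sha512-crypt"}
NOLOGIN = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}


def classify(pw):
    """Name the storage scheme of a passwd(5) password field."""
    if pw == "":
        return "empty"
    if pw == "x":
        return "shadowed"  # the hash lives in the shadow file; audit that too
    if pw[0] in "*!":
        return "locked"
    if pw.startswith("$"):
        return MODULAR.get(pw.split("$")[1], "other-modular")
    if DES_CRYPT.match(pw):
        return "des-crypt"  # traditional crypt(3): only 8 password characters count
    return "unknown"


def audit(passwd_text):
    """Return (user, finding) pairs for accounts that weaken the device."""
    findings = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) != 7:
            continue
        name, pw, uid, shell = fields[0], fields[1], fields[2], fields[6]
        scheme = classify(pw)
        can_login = shell not in NOLOGIN and scheme != "locked"
        if scheme == "empty" and can_login:
            findings.append((name, "no password required"))
        if scheme in ("des-crypt", "md5-crypt"):
            findings.append((name, "legacy hash: " + scheme))
        if uid == "0" and name != "root" and can_login:
            findings.append((name, "extra UID 0 account"))
    return findings


if __name__ == "__main__":
    for user, finding in audit(SAMPLE_PASSWD):
        print(f"{user}: {finding}")
```

Any finding on a firmware image that offers no way to change or remove the account is a reason to keep the device off Internet-reachable networks.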

  19. "König, Swann, COP-USA by dasgoober · · Score: 1

    - ALL MADE IN TAIWAN!!!"