Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hard-Coded Password Exposes Video Surveillance DVRs To Hacking (csoonline.com)

Posted by yaelk on from the hackers dept.

itwbennett writes: Security researchers from vulnerability intelligence firm Risk Based Security (RBS) have found that DVRs from RaySharp and six other vendors have a basic vulnerability: They accept a hard-coded, unchangeable password for the root account. "RaySharp DVR devices provide a Web-based interface through which users can view camera feeds, manage recording and system settings and use the pan-tilt-zoom (PTZ) controls of connected surveillance cameras. Gaining access to this management interface would provide an attacker with full control over the surveillance system," writes Lucian Constantin. RaySharp claims on its website that it ships over 60,000 DVRs globally every month, but the Chinese company also creates digital video recorders and firmware for other companies. The RBS researchers confirmed that at least some of the DVR products from König, Swann Communications, COP-USA, KGUARD Security, Defender (a brand of Circus World Displays) and LOREX Technology, a division of FLIR Systems, contain the same hard-coded root password.

24 of 41 comments (clear)

  1. Tired Of COPS & Barney Miller Reruns Anyways by zenlessyank · · Score: 1

    Watching folks cut their lawn and the cars go by seems a little more entertaining.

  2. Let me guess.... by DidgetMaster · · Score: 1

    Username = Admin, Password = Admin

    1. Re: Let me guess.... by DidgetMaster · · Score: 1

      Well, if its at least case sensitive that will slow the hackers down...a few microseconds

  3. 'Cause they prolly use 'em by Impy+the+Impiuos+Imp · · Score: 1

    Thanks for exposing this!

    Sigh.

    So much for another fappening.

    --
    (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
  4. What do you expect? by bobbied · · Score: 2

    You get what you pay for. If you go for the cheap solution, you get the cheap solution, always. Or to quote the article....

    "Consumers should be aware that when buying especially lower-end devices made in China, there is a significant risk of the devices having serious flaws that won't ever be addressed," said Carsten Eiram, chief research officer at RBS

    Besides, if you REALLY are security minded, who puts this kind of device just out in the wild for all to see and use? At least put it behind a VPN, where you can hope to control access to it. If nothing else, use a protected proxy connection.... Don't just put the HTTP/HTTPS port from some cheap device you own on the internet unless you really don't care who access it..

    --
    "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    1. Re:What do you expect? by arth1 · · Score: 1

      My local franchise haircut place has free wifi. After visiting once, I saw an unrecognized IP come up on GMail as recently logging in my account. Had no idea who it was, checked ARIN, allocated to Time Warner. So my next instinct was to try the IP in my browser. Up pops a camera/recorder interface. A quick trip to google to find the default password, sure enough, it's a viewport to all the security cams in the haircut place. At least now I can check if there's any line or waiting before I go over there.

      From this, we can conclude that you're not Richard Stallman. This is Useful Information.

    2. Re:What do you expect? by aaarrrgggh · · Score: 1

      Well said. Also, a lot of the people doing this themselves don't want the network person involved-- they don't want to tell anyone else the password... you know, so it is secure. We are guilty of having one of the Costco Lorex Specials that is also likely vulnerable. I have meant to do a firewall black hole on these but haven't gotten around to it yet. I can see the firewall is blocking traffic from it already, but I don't have everything locked down yet...

      Those pesky port 443 remote access keep-Alice's can be a pain to deal with.

    3. Re:What do you expect? by aaarrrgggh · · Score: 1

      Damn auto correct... Not Alice's... alives!!

    4. Re:What do you expect? by nnull · · Score: 2

      The vast majority of security companies who consider themselves "Professional" install these crappy systems and not only that, they request the client to open the port on their firewall to access it from the outside. These are the equivalent of contractors who continuously cut corners and when caught by inspectors, claim they've been doing this for many years without issues, so the inspector is in the wrong. When I tell the owners that their system is out in the open and most likely already compromised, they refuse to listen to me and think I'm crazy, then they sit around wondering why their internet is so slow.

      There's only one reason why they hire these people, it's because they're cheaper than the real professionals and cost cutting is the thing for management. Even if it means people would get hurt in the long run, the important thing here for them is that they saved the company money.

    5. Re:What do you expect? by trevc · · Score: 1
      So the camera at the haircut place logged into your email account?

      This kind of stuff is sold as plug and play, security is an afterthought if it's considered at all. The people who deploy these setups don't know or don't care either. They assume if they're paying hundreds of dollars for something it must be good.

      My local franchise haircut place has free wifi. After visiting once, I saw an unrecognized IP come up on GMail as recently logging in my account. Had no idea who it was, checked ARIN, allocated to Time Warner. So my next instinct was to try the IP in my browser. Up pops a camera/recorder interface. A quick trip to google to find the default password, sure enough, it's a viewport to all the security cams in the haircut place. At least now I can check if there's any line or waiting before I go over there.

  5. IoT Everywhere! Get with the future! by GerryGilmore · · Score: 1

    While there are certainly some benefits to be found in some of the IoT stuff, but - again - another case of people relying on providers who rely on suppliers who always shop on price and...tada! Lowest-common-denominator. Be very, very careful out there! Forget Big Brother, it's Big Everyone!

    1. Re:IoT Everywhere! Get with the future! by nnull · · Score: 1

      The thing is, even if you buy the more expensive gear, they would still install it so and so that it would get compromised regardless. The people installing these things have no clue what they're doing. IoT stuff is perfectly fine if the system is designed to keep it secure.

  6. Atleast it wasn't user/admin and admin/password by Anonymous Coward · · Score: 1

    From the article...

    At the very least, a DVR that accepts root and 519070 as username and password should not be exposed directly to the Internet.

    So
    Username root
    password 519070

    sweet free live drama :)

  7. Re:well, of course they do by Dutch+Gun · · Score: 1

    Apparently, Apple is the only company in the world that doesn't have some idiotic hard-coded master password embedded in their firmware.

    Or... that's what they want us to think...

    --
    Irony: Agile development has too much intertia to be abandoned now.
  8. Qsee is Bad too by kamaaina · · Score: 1

    If you have a Q-SEE QC444 DVR, you can telnet as root and hit enter and you have CLI

    Then add your own account to /mnt/mtd/Config/passwd and you will have a username and password to log in to the box.

    The banner when you log in says "Welcome to HiLinux." so there may be other DVRs that use this version that are vulnerable too.

    1. Re:Qsee is Bad too by Bert64 · · Score: 1

      A ton of vendors use the same software, just nominally rebranded... But often the passwords differ by vendor among other things.

      Given that these devices are all basically the same, and the default firmware is complete crap both from a security and usability perspective perhaps we could develop an open source replacement?

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  9. Re:well, of course they do by Jeremi · · Score: 2

    (what, you thought they pressed the invisible RESET PASSWORD button you couldn't find on the circuit board??).

    At the risk of asking a stupidly obvious question, why not just have a "reset to factory defaults" button somewhere on the device? That's what all the routers seem to have these days, and assuming that you can keep the device physically out of the wrong hands, that seems like a reasonable solution to the inevitable "I don't remember my password anymore" problems.

    --


    I don't care if it's 90,000 hectares. That lake was not my doing.
  10. Re:FLIR, you scare me now. by Bert64 · · Score: 1

    All these vendors are basically running the same software with minor rebranding, and its linux based, shouldn't be all that difficult to build a replacement...

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  11. Re:well, of course they do by KGIII · · Score: 1

    Please tell me that you don't actually believe that to be true? I mean, "everything?" Seriously? Do you have a rather shiny hat or something?

    --
    "So long and thanks for all the fish."
  12. Re:well, of course they do by Nikademus · · Score: 1

    You mean like root:alpine ?

    --
    I gave up with the idea of an useful sig...
  13. Off-line by NotInHere · · Score: 1

    Told my parents to keep their surveillance cams offline and not connected to the internet. TFA is yet another confirmation that this was a good idea.

  14. Re:FLIR, you scare me now. by nnull · · Score: 1

    A lot of the more expensive stuff is rebranded Chinese made cheap stuff.

  15. Law Enforcement Backdoor by ImprovOmega · · Score: 1

    It's totally cool. Just like the FBI wants a backdoor for iPhones they can use this backdoor for surveillance systems! I'm sure nothing bad will ever happen from having this backdoor in place!

  16. "König, Swann, COP-USA by dasgoober · · Score: 1

    - ALL MADE IN TAIWAN!!!"