Slashdot Mirror


Hard-Coded Password Exposes Video Surveillance DVRs To Hacking (csoonline.com)

itwbennett writes: Security researchers from vulnerability intelligence firm Risk Based Security (RBS) have found that DVRs from RaySharp and six other vendors have a basic vulnerability: They accept a hard-coded, unchangeable password for the root account. "RaySharp DVR devices provide a Web-based interface through which users can view camera feeds, manage recording and system settings and use the pan-tilt-zoom (PTZ) controls of connected surveillance cameras. Gaining access to this management interface would provide an attacker with full control over the surveillance system," writes Lucian Constantin. RaySharp claims on its website that it ships over 60,000 DVRs globally every month, but the Chinese company also creates digital video recorders and firmware for other companies. The RBS researchers confirmed that at least some of the DVR products from König, Swann Communications, COP-USA, KGUARD Security, Defender (a brand of Circus World Displays) and LOREX Technology, a division of FLIR Systems, contain the same hard-coded root password.

3 of 41 comments

  1. What do you expect? by bobbied · Score: 2

    You get what you pay for. If you go for the cheap solution, you get the cheap solution, always. Or to quote the article....

    "Consumers should be aware that when buying especially lower-end devices made in China, there is a significant risk of the devices having serious flaws that won't ever be addressed," said Carsten Eiram, chief research officer at RBS.

    Besides, if you REALLY are security minded, who puts this kind of device just out in the wild for all to see and use? At least put it behind a VPN, where you can hope to control access to it. If nothing else, use a protected proxy connection.... Don't just put the HTTP/HTTPS port from some cheap device you own on the internet unless you really don't care who accesses it.

    --
    "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    1. Re:What do you expect? by nnull · Score: 2

      The vast majority of security companies who consider themselves "Professional" install these crappy systems and not only that, they request the client to open the port on their firewall to access it from the outside. These are the equivalent of contractors who continuously cut corners and when caught by inspectors, claim they've been doing this for many years without issues, so the inspector is in the wrong. When I tell the owners that their system is out in the open and most likely already compromised, they refuse to listen to me and think I'm crazy, then they sit around wondering why their internet is so slow.

      There's only one reason why they hire these people, it's because they're cheaper than the real professionals and cost cutting is the thing for management. Even if it means people would get hurt in the long run, the important thing here for them is that they saved the company money.

  2. Re:well, of course they do by Jeremi · Score: 2

    (what, you thought they pressed the invisible RESET PASSWORD button you couldn't find on the circuit board??).

    At the risk of asking a stupidly obvious question, why not just have a "reset to factory defaults" button somewhere on the device? That's what all the routers seem to have these days, and assuming that you can keep the device physically out of the wrong hands, that seems like a reasonable solution to the inevitable "I don't remember my password anymore" problems.

    --
    I don't care if it's 90,000 hectares. That lake was not my doing.