Hard-Coded Password Exposes Video Surveillance DVRs To Hacking

itwbennett writes: Security researchers from vulnerability intelligence firm Risk Based Security (RBS) have found that DVRs from RaySharp and six other vendors have a basic vulnerability: They accept a hard-coded, unchangeable password for the root account. "RaySharp DVR devices provide a Web-based interface through which users can view camera feeds, manage recording and system settings and use the pan-tilt-zoom (PTZ) controls of connected surveillance cameras. Gaining access to this management interface would provide an attacker with full control over the surveillance system," writes Lucian Constantin. RaySharp claims on its website that it ships over 60,000 DVRs globally every month, but the Chinese company also creates digital video recorders and firmware for other companies. The RBS researchers confirmed that at least some of the DVR products from König, Swann Communications, COP-USA, KGUARD Security, Defender (a brand of Circus World Displays) and LOREX Technology, a division of FLIR Systems, contain the same hard-coded root password.