Slashdot Mirror


CCTV DVR Vulnerabilities Traced To Chinese OEM Which Spurned Researchers' Advice (softpedia.com)

An anonymous reader writes: RSA security researcher Rotem Kerner has identified a common vulnerability in the firmware of 70 different CCTV DVR vendors, which allows crooks to execute code and gain root privileges on the affected devices. The problem was actually in the firmware of just one DVR sold by Chinese firm TVT. The practice of "white-labeling" products helped propagate this issue to other "manufacturers" who did nothing more than buy a non-branded DVR, tweak its firmware, slap their logo on top, and sell it as their own, vulnerability included.

3 of 51 comments

  1. Not surprised, really by DNS-and-BIND · Score: 4, Insightful

    The Chinese OEMs don't care about security or anything else. They are remarkably dense and will reject changes coming from anywhere. It's hard enough to get them to change anything when you're a paying customer, and if you do get them to change, the moment you are satisfied and think things are under control, they'll change it right back to the old way.

    This is because the smart people want to be thought of as creative. When someone else is telling them what to do, they're not being creative and think they're being forced into being mindless slaves. Follow an established security vetting process? That's not what creatives do. That's following procedure; only factory assembly workers do that, and even then only because they are forced to do so. Also, being predictable violates the maxim that one should conceal one's true goals. They're not at war, but the Sun Tzu thinking will tell.

    Second, details are boring. If you're creative, you think of the effects you want the product to have, not the stupid security protocols it has to follow. And if the product is selling, who cares?

    The Western customers who buy the OEM products are clueless about everything; that's why they're buying whitebox in the first place. We shouldn't blame them for security, although perhaps it's tempting. It's not like they can complain and get it fixed. If they make too much of a fuss, the OEM will just point out that none of their other 70 customers has any problem and fire them as a customer.

    --
    Shutting down free speech with violence isn't fighting fascism. It IS fascism!
  2. Are there any secure alternatives? by nystul555 · Score: 3, Insightful

    Is there anywhere you can buy IP cameras, DVRs, and NVRs that aren't made in China and full of vulnerabilities? Does any company offer secure security camera systems?

    If anyone knows of any I'd love to hear about your experience with them. I've looked and even the "high-end" (aka expensive) name-brand devices like Sony and Panasonic have major security flaws like TVT firmware, HTTP only access, passwords stored on the device in plain text, etc.

    We had to separate the camera systems at my company onto their own VLAN that can only be accessed from a few computers on our internal network or over our VPN. It is a pain but much better than letting anyone in the world onto our camera system. I want to replace all of them with something better, but it seems like OEM or branded, it's all the same insecure, never patched, never updated Chinese garbage.

  3. Re:This isn't a vulnerability by gstoddart · Score: 3, Insightful

    A DVR which is backing the CCTV feed of surveillance cameras. Yup, totally boring.

    Why, nobody would want to have access to the take from a bunch of surveillance cameras, right?

    Or, this is the full-on movie scenario where the shadowy organization hacks into the video feeds of various places, the one everyone complains isn't realistic.

    The endless stream of shitty security we keep hearing about has a lot of potential ways to be misused, and apparently very little stopping it.

    --
    Lost at C:>. Found at C.