Slashdot Mirror


CCTV DVR Vulnerabilities Traced To Chinese OEM Which Spurned Researchers' Advice (softpedia.com)

An anonymous reader writes: RSA security researcher Rotem Kerner has identified a common vulnerability in the firmware of 70 different CCTV DVR vendors, which allows crooks to execute code and gain root privileges on the affected devices. The problem was actually in the firmware of just one DVR sold by Chinese firm TVT. The practice of "white-labeling" products helped propagate this issue to other "manufacturers" who did nothing more than buy a non-branded DVR, tweak its firmware, slap their logo on top, and sell it as their own, vulnerability included.

3 of 51 comments

  1. Are Chinese CCTV Products To Be Trusted? by Freshly Exhumed · Score: 3, Interesting

    Recent Foscam security cameras: http://krebsonsecurity.com/201...

    IoT concerns: http://thenewstack.io/snooping...

    --
    I deny that I have not avoided attaining the opposite of that which I do not want.
    1. Re:Are Chinese CCTV Products To Be Trusted? by tlhIngan · Score: 3, Interesting

      Short answer: No.

      Long answer: Even Panasonic is building their CCTV products in China these days.

      Different answer: These days, buying anything and hanging it on a network is inviting problems. Everything is sloppier than it used to be.

      You have to realize how things are done.

      TVT makes a surveillance system setup - cameras, DVR, etc. They make it a turnkey system they can sell to people to build and sell. This is known as an "Original Design Manufacturer", or ODM.

      A company comes and buys the design, builds the circuit boards and gets the firmware source code and builds that and ships it. These guys are the Original Equipment Manufacturer or OEM. Some people may take the design and build it as is with minimal changes, others may put in better lenses and redo the UI, etc.

      Then there are companies like Panasonic who do their own designs and build them, who don't typically buy other people's designs.

      The problem here is that Swann, Lorex and other cheap surveillance system companies bought the system from TVT, did their branding and that's it.

      Companies like TVT don't deal with customers other than whoever buys their design. Their goal is to sell designs, so software is but a minor part of it, and when you're asked to kick out a firmware you do it as quick as possible, security warts and all.

  2. I got the T shirt. by Anonymous Coward · Score: 5, Interesting

    On my common cheapo 'H960 DVR' I used Nessus for discovery.
    Nessus navigated my directory structure via the web interface.
    Nessus showed me the contents of the /etc/password file.

    It only took me a minute to google "rainbow table" and find JTR.
    It took JTR less than 1/4 hour to crack the SIX CHARACTER password WITHOUT any rainbow tables.

    It took me many many many emails to convince the distributor's cust. serv. that I was talking about an actual vulnerability.

    I never expected it to be secure at the price I paid.
    I'm glad I can root my box.
    Now I can, if I choose, fix the shitty user interface.
    I doubt the typical user would think it is a 'feature' as I do.

    The fact that it BY DESIGN interfaces with an external server not under my control convinced me never to use the web features.
    I knew that before the purchase, I wanted an offline recorder.
    Oddly, the typical user DOES consider the remote server a feature. Most people hand a stranger the keys on day #1.

    I have an inexpensive 'H.264 tribred' DVR that is slightly more secure. Provided I don't hand the keys to an unknown 3rd party.