CCTV DVR Vulnerabilities Traced To Chinese OEM Which Spurned Researchers' Advice

An anonymous reader writes: RSA security researcher Rotem Kerner has identified a common vulnerability in the firmware of 70 different CCTV DVR vendors, which allows crooks to execute code and gain root privileges on the affected devices. The problem was actually in the firmware of just one DVR sold by Chinese firm TVT. The practice of "white-labeling" products helped propagate this issue to other "manufacturers" who did nothing more than to buy a non-branded DVR, tweaked its firmware, slapped their logo on top, and sold it a their own, vulnerability included.

This isn't a vulnerability

[jsse]

It's a mandatory feature. Deal with it.

Re:This isn't a vulnerability

[WarJolt]

Clearly the FBI is happy about this one. They like vulnerable devices.

Of all the devices to gain root on I'm fairly certain a DVR is one of the lamest. Wake me up when someone does something interesting with it.

Re:This isn't a vulnerability

[fuzzyfuzzyfungus]

These DVRs are utterly boring devices; but they are really pretty obvious high value targets(high value in terms of their position within a target's infrastructure; I imagine that cheap, shit, cameras aren't as likely to show up in the highest value target organizations).

Aside from the benefits of owning a basic embedded linux box that is probably inside whatever pitiful perimeter security their network has, you get access to the video feeds from the security cameras and can both case the target from the comfort of your own computer and disable or wipe the DVR when occasion suits.

Re:This isn't a vulnerability

[gstoddart]

A DVR which is backing the CCTV feed of surveillance cameras. Yup, totally boring.

Why, nobody would want to have access to the take from a bunch of surveillance cameras, right?

Or, this is the full on movie-scenario where the shadowy organization hacks into the video feeds of various places that every complains isn't realistic.

The endless stream of shitty security we keep hearing about has a lot of potential ways to be misused, and apparently very little stopping it.

Re:This isn't a vulnerability

[omnichad]

Of all the devices to gain root on I'm fairly certain a DVR is one of the lamest.

I take you haven't been watching Person of Interest. What the NSA could do with this and facial recognition is scary without AI.

Re:This isn't a vulnerability

[KGIII]

This is all well and good but has this *ever* resulted in something bad happening? Anything bad? Has anyone ever cased a joint (I think that's the correct lingo) through these things and then erased the recording of their nefarious deeds after the act?

Don't read that wrong - the shit should be secure. I'm just not able to recall a point where this was actually a factor any crime. I imagine high-tech thieves may have spliced into stuff but that's entirely different than hacking it by remote. I did some of that "Google hacking" back in the early 2000s. I found lots of things but nothing interesting and had no idea where I was looking at - more often than not. A few times I could figure it out and narrow it down. Seldom could I be certain.

Re:This isn't a vulnerability

[KGIII]

I don't watch real television or movies, as a general rule, but I've seen that meme and/or demotivational. Sure they can. I believe they just use an enhance button.

You can see it for yourself. Just click anywhere on the page that isn't a link or a text field and then press and hold CTRL and then press the + button.

Re:This isn't a vulnerability

[gstoddart]

If these things are so trivially hacked, how would you know?

Everything from knowing if someone is away from home to actually erasing footage is entirely possible with this exploit. As much as we laugh at movies which show this, why would you assume it can't happen once you realize there's tons of these things with little or no security?

If it can be exploited it probably will. And if cameras have GPS, or you can somehow determine whose PVR you've hacked (which likely isn't that tough since you know the IP you hacked it with and geolocation isn't exactly new) ... then it's likely not that tough to know exactly where you're looking.

The problem with shit security and internet connected things is it can snowball in ways nobody really expected.

Can I cite a specific place where I know this was exploited? Absolutely not. Would anybody know if it had happened? Who knows.

But once a hack becomes plausible and then downright easy, you should probably assume it's being used.

Re:This isn't a vulnerability

[KGIII]

I'd not make those assumptions - not that they *were* in use.

I'd take precautions against them but I'd not assume they were being used. I'm not sure how to articulate it better. Basically, I keep my video feeds behind hardware and require very specific means to access it. I literally, without changing things, can not give you a link to watch the feeds of my home in Maine. Well, I could give you a link and a port, specifically an IP address being pushed through a server, but even if you knew the password you could not access it.

But, at the same time, I don't assume that it is being used to check for occupancy for the purposes of robbing the place. Just because it could doesn't mean that I assume someone is. But, because it could, I take precautions against it. Make sense?

Re:This isn't a vulnerability

[gstoddart]

Sure, but you're smart and know about security and take precautions.

But all of the regular consumers out there, running this stuff without additional knowledge about security, behind routers which themselves are probably compromised (assuming they even have a firewall) ... I assume there are people out there who are potentially actively being exploited already.

I don't need to assume every single one is being exploited. But, really, a widely known exploit against commodity DVRs used to back CCTV? Yeah, that's been hacked already.

The things that informed people with a healthy dose of fear and skepticism do is nothing like the guy who goes to Circuit City and buys a home surveillance system ... and it's those people I assume have a pretty high chance of having been hacked.

Are Chinese CCTV Products To Be Trusted?

[Freshly+Exhumed]

Recent Foscam security cameras: http://krebsonsecurity.com/201...

IoT concerns: http://thenewstack.io/snooping...

Re:Are Chinese CCTV Products To Be Trusted?

[adolf]

Short answer: No.

Long answer: Even Panasonic is building their CCTV products in China these days.

Different answer: These days, buying anything and hanging it on a network is inviting problems. Everything is sloppier than it used to be.

Re:Are Chinese CCTV Products To Be Trusted?

[Gr8Apes]

You shouldn't blindly trust anything you buy to connect to your network. Always verify, and lock it down regardless.

Re:Are Chinese CCTV Products To Be Trusted?

[tlhIngan]

Short answer: No.

Long answer: Even Panasonic is building their CCTV products in China these days.

Different answer: These days, buying anything and hanging it on a network is inviting problems. Everything is sloppier than it used to be.

You have to realize how things are done.

TVT makes a surveillance system setup - cameras, DVR, etc. They make it a turnkey system they can sell to people to build and sell. This is known as an "Original Design Manufacturer", or ODM.

A company comes and buys the design, builds the circuit boards and gets the firmware source code and builds that and ships it. These guys are the Original Equipment Manufacturer or OEM. Some people may take the design and build it as is with minimal changes, others may put in better lenses and redo the UI, etc.

Then there are companies like Panasonic who do their own designs and build them, who don't typically buy other people's designs.

The problem here is that Swann, Lorex and other cheap surveillance system companies bought the system from TVT, did their branding and that's it.

Companies like TVT don't deal with customers other than whoever buys their design. Their goal is to sell designs, so software is but a minor part of it, and when you're asked to kick out of a firmware you do it as quick as possible, security warts and all.

Re:China Central Television

[Freshly+Exhumed]

CCTV, aka China Central Television, traced to the Chinese.

Realty?

I would stay away from Chinese realty. Costa Rica might be better.

Re:Yeah

[Quzak]

I wish he had. We are up to our eyeballs in this problem.

This is still better than the US Government

[OrangeTide]

Which wants all device and operating system vendors to standardize on vulnerabilities on the assumption that only the "good guys" will know how to exploit them.

Not surprised, really

[DNS-and-BIND]

The Chinese OEMs don't care about security or anything else. They are remarkably dense and will reject changes coming from anywhere. It's hard enough to get them to change anything when you're a paying customer, and if you do get them to change, the moment you are satisfied and think things are under control, they'll change it right back to the old way.

This is because the smart people want to be thought of as creative. When someone else is telling them what to do, they're not being creative and think they're being forced into being mindless slaves. Follow an established security vetting process? That's not what creatives do. That's following procedure, only factory assembly workers do that, and even then only because they are forced to do so. Also, being predictable violates the maxim that one should conceal one's true goals. They're not at war but the Sun Tzu thinking will tell.

Second, details are boring. If you're creative, you think of the effects you want the product to have, not the stupid security protocols it has to follow. And if the product is selling, who cares?

The Western customers who buy the OEM products are clueless about everything, that's why they're buying whitebox in the first place. We shouldn't blame them for security, although perhaps it's tempting. It's not like they can complain and get it fixed. If they make too much of a fuss the OEM will just point out that none of their other 70 customers has any problem and fire them as a customer.

Chinese software - what do you expect?

Is anyone at all surprised that the manufacturers don't care? - Chinese companies seem to place little value on software quality - once it's just good enough to be useable, out the door it goes and they have no interest in improving it.
This attitude is so widespread that I can only assume it must be some sort of cultural thing

Re:Chinese software - what do you expect?

So you're saying we've been successful at Americanizing the Chinese?

I got the T shirt.

On my common cheapo 'H960 DVR' I used Nessus for discovery.
Nessus navigated my directory structure via the web interface.
Nessus showed me the contents of the /etc/password file.

It only took me a minute to google "rainbow table" and find JTR.
It took JTR less than 1/4 hour to crack the SIX CHARACTER password WITHOUT any rainbow tables.

It took me many many many emails to convince the distributor's cust. serv. that I was talking about an actual vulnerability.

I never expected it to be secure at the price I paid.
I'm glad I can root my box.
Now I can, if I choose, fix the shitty user interface.
I doubt the typical user would think it is a 'feature' as I do.

The fact that it BY DESIGN interfaces with an external server not under my control convinced me never to use the web features.
I knew that before the purchase, I wanted an offline recorder.
Oddly, the typical user DOES consider the remote server a feature. Most people hand a stranger the keys on day #1.

I have an inexpensive 'H.264 tribred' DVR that is slightly more secure. Provided I don't hand the keys to an unknown 3rd party.

Are there any secure alternatives?

[nystul555]

Is there anywhere you can buy IP cameras, DVRs, and NVRs that aren't made in China and full of vulnerabilities? Does any company offer secure security camera systems?

If anyone knows of any I'd love to hear about your experience with them. I've looked and even the "high-end" (aka expensive) name-brand devices like Sony and Panasonic have major security flaws like TVT firmware, HTTP only access, passwords stored on the device in plain text, etc.

We had to separate the camera systems at my company onto their own VLAN that can only be accessed from a few computers on our internal network or over our VPN. It is a pain but much better than letting anyone in the world onto our camera system. I want to replace all of them with something better, but it seems like OEM or branded its all the same insecure, never patched, never updated Chinese garbage.

Re:Are there any secure alternatives?

[softnewsit]

As you said. VPN+Firewall should do it. Unless you look at the firmware yourself, and have the skills to, you can;t guarantee you'll buy devices without security flaws.

Re:Are there any secure alternatives?

[jabuzz]

Yeah but VLAN support in switches these days is virtually ubiquitous even in SOHO switches. I got 16 ports of 1GbE goodness with VLAN, and link aggregation support for 75GBP the other week in the form of a Netgear GS116Ev2.

Re:Are there any secure alternatives?

[fuzzyfuzzyfungus]

I'd certainly like to know; but my impressions haven't been terribly positive. At work we were handed the fancy 'n expensive video surveillance system after the contractors finished poking at it; and while the quality of the sensors, optics, weatherproof housings, etc. is certainly much nicer in the classy systems; the software was...not inspiring. The newcomers(either new companies or ground-up new product lines) approach the problem with the same enthusiasm that goes into writing horrific home router firmware, just with a camera and a video streaming service in addition to the http server. The Old 'n Respectable aren't quite as overtly shoddy; but are still barely waking up to the fact that this isn't the good old days when every camera had a point-to-point coax link for video and RS-422 or 485 for PTZ and similar command chatter, and 'just trust the link layer' wasn't actually terrible advice.

We ended up doing much the same thing, since finding a better vendor or getting the issues fixed seemed like an intractable problem(especially since the budget had already been spent by the time we were handed the issue).

Honestly, while this would spoil the 'neat, integrated, and PoE powered' options provided by the all in one IP cameras; if I actually had to provide a vaguely trustworthy camera that was intended to share a network with other devices; I'd probably resort to a NUC or similar small PC with a framegrabber or USB camera and a real operating system. Overkill; but 'embedded' just means 'total shit, just nonstandard enough that replacing the firmware with something that doesn't suck isn't always practical' so often that it would be the less painful option.

Re:Are there any secure alternatives?

> Is there anywhere you can buy IP cameras, DVRs, and NVRs that aren't made in China and full of vulnerabilities? Does any company offer secure security camera systems?

Why yes! Exacq Technologies (a Tyco Security Products company) makes DVR software (server, desktop client, web client, mobile client, enterprise management) and sells pre-built and configured servers, and American Dynamics, another Tyco company, makes IP cameras (the DVR of course works with many kinds of IP camera besides AD).

Disclaimer: I work for Tyco.

Re:Are there any secure alternatives?

[aaarrrgggh]

No first hand experience, but based on other products I expect good things from Ubiquity's NVR and cameras. The NVR is $300 and supports external USB drives, cameras are pretty much market rate.

Re:Are there any secure alternatives?

[KGIII]

I have video feeds running from and being recorded at my house (and pushing the stream off-site. All of it is indirect. The only way in, or to watch the live feeds, is through specific hardware, through a hardware firewall, and using a certain address. I did have it set to need a USB key at the same time (to login to the server that let me then tunnel into the video feeds) but I dropped that off. I would like to do timed authentication with a cell phone or email code. I've not yet figured that one out.

Re: Are there any secure alternatives?

[softnewsit]

The Chinese government, from what I read, is specialized in hacking anything that moves.

Zoneminder is full-featured, -more- secure, open s

[raymorris]

For the DVR and management interface, Zone Minder is THE open source solution and has been for a long time. It can do all kinds of things like run motion detection on the feeds and when motion is detected it turns on the light and pans your high-quality camera to view the area where the motion was.

It's -more- secure than the stuff made by Happy Fun Camera Ltd, in China, with instructions that read "button the press longly is record of picture motions", which also happens to be the exact same system sold under many brand names. I don't know that it's had a complete security audit, but it's better than Chinese "button the press longly ".

https://zoneminder.com/

As others have mentioned, configuring a separate video vlan (or ssid) which isn't connected to the internet will get you most of the way there for camera security. Your cheap consumer wifi router can do a no-internet ssid by using the parental control feature.

Ubiquiti Unifi Video is pretty good.

[zerofoo]

Ubiquiti makes a line of cameras with an NVR, that is probably more trustworthy than the loads of cheap Chinese DVRs heading to our shores.

https://www.ubnt.com/products/...

It's all IP based stuff no Analog/CVI/TVI - so you can't use your existing siamese cable.

Re:Yeah

[KGIII]

Up to your eyeballs in free labor, cotton, grandfathers, or black people?

Re:China must be stopped

[KGIII]

Nah, they're pretty good at starting wars or setting the situations up to be volatile enough to where war is the likely outcome.

Weak? Not at all. They've been warring since the dawn of recorded history in that area.

Which leads me to this... Going to war against China is going to be bad. Not just typical-bad 'cause it's war but a badness on a scale not seen in a very long time. Look at the percentage of casualties, displaced persons, and economic negative impacts of the larger wars. Now imagine that with a pissed off China, now modernized and organized under one heading, and see if war versus China still sounds like a good idea.