CCTV DVR Vulnerabilities Traced To Chinese OEM Which Spurned Researchers' Advice

An anonymous reader writes: RSA security researcher Rotem Kerner has identified a common vulnerability in the firmware of 70 different CCTV DVR vendors, which allows crooks to execute code and gain root privileges on the affected devices. The problem was actually in the firmware of just one DVR sold by Chinese firm TVT. The practice of "white-labeling" products helped propagate this issue to other "manufacturers" who did nothing more than to buy a non-branded DVR, tweaked its firmware, slapped their logo on top, and sold it a their own, vulnerability included.

Not surprised, really

[DNS-and-BIND]

The Chinese OEMs don't care about security or anything else. They are remarkably dense and will reject changes coming from anywhere. It's hard enough to get them to change anything when you're a paying customer, and if you do get them to change, the moment you are satisfied and think things are under control, they'll change it right back to the old way.

This is because the smart people want to be thought of as creative. When someone else is telling them what to do, they're not being creative and think they're being forced into being mindless slaves. Follow an established security vetting process? That's not what creatives do. That's following procedure, only factory assembly workers do that, and even then only because they are forced to do so. Also, being predictable violates the maxim that one should conceal one's true goals. They're not at war but the Sun Tzu thinking will tell.

Second, details are boring. If you're creative, you think of the effects you want the product to have, not the stupid security protocols it has to follow. And if the product is selling, who cares?

The Western customers who buy the OEM products are clueless about everything, that's why they're buying whitebox in the first place. We shouldn't blame them for security, although perhaps it's tempting. It's not like they can complain and get it fixed. If they make too much of a fuss the OEM will just point out that none of their other 70 customers has any problem and fire them as a customer.

I got the T shirt.

On my common cheapo 'H960 DVR' I used Nessus for discovery.
Nessus navigated my directory structure via the web interface.
Nessus showed me the contents of the /etc/password file.

It only took me a minute to google "rainbow table" and find JTR.
It took JTR less than 1/4 hour to crack the SIX CHARACTER password WITHOUT any rainbow tables.

It took me many many many emails to convince the distributor's cust. serv. that I was talking about an actual vulnerability.

I never expected it to be secure at the price I paid.
I'm glad I can root my box.
Now I can, if I choose, fix the shitty user interface.
I doubt the typical user would think it is a 'feature' as I do.

The fact that it BY DESIGN interfaces with an external server not under my control convinced me never to use the web features.
I knew that before the purchase, I wanted an offline recorder.
Oddly, the typical user DOES consider the remote server a feature. Most people hand a stranger the keys on day #1.

I have an inexpensive 'H.264 tribred' DVR that is slightly more secure. Provided I don't hand the keys to an unknown 3rd party.

Zoneminder is full-featured, -more- secure, open s

[raymorris]

For the DVR and management interface, Zone Minder is THE open source solution and has been for a long time. It can do all kinds of things like run motion detection on the feeds and when motion is detected it turns on the light and pans your high-quality camera to view the area where the motion was.

It's -more- secure than the stuff made by Happy Fun Camera Ltd, in China, with instructions that read "button the press longly is record of picture motions", which also happens to be the exact same system sold under many brand names. I don't know that it's had a complete security audit, but it's better than Chinese "button the press longly ".

https://zoneminder.com/

As others have mentioned, configuring a separate video vlan (or ssid) which isn't connected to the internet will get you most of the way there for camera security. Your cheap consumer wifi router can do a no-internet ssid by using the parental control feature.