Apparently DVR security recorder MVPower CCTV DVR Model TV-7108HE which connects to IP security cameras has very poor security and actually sends images back to the email address of the person who designed its firmware.
Here is an assessment of this security risk:
https://www.pentestpartners.com/blog/pw ... v-cameras/
DVR IP security camera sends images back to designer
DVR IP security camera sends images back to designer
- Attachments
-
- 7108HE-300x142.jpg
- (5.86 KiB) Downloaded 563 times
Oh man oh man, I love this write up.
The password check in the web interface
Those are cookie values and if all are not null
the test is passed and it doesn't redirect back to login page
You've got access
And it goes on...
This is a must read.
Thanks for posting, haven't have that much fun reading code in a long time
The password check in the web interface
Code: Select all
if(dvr_camcnt == null || dvr_usr == null || dvr_pwd == null)
{
location.href = "/index.html";
}
the test is passed and it doesn't redirect back to login page
You've got access
And it goes on...
This is a must read.
Thanks for posting, haven't have that much fun reading code in a long time
-
gcmartin
+1 for anyone with a home/small business DVR.
Thanks @GreenGeek. I read in following order It appears there may be a 3rd forthcoming.
Over the past 2 decades, I have setup over 3 dozen of these at various locations. The idea of exploiting those units did not ever come up until now. In many of those locations, I have Cisco routers set to monitor and control outgoing traffic, but, had not thought of the possibility of anyone wanting to exploit the low-powered DVRs....until now.
This is a serious flaw in ALL currently installed units if this or another method of exploit surfaces. The flaw is PERMANENT as very few, including small Security company's equipment they've installed at customer locations, have the means to fix this flaw. ALL DVRs I have worked with DO NOT HAVE the means to automate its OS/firmware updates like smartPhones/smartTablets do via the Internet. So any existing units will remain vulnerable for the life of the unit deployed.
A serious concern only if you see the potential of being a target for this exploit. And, because your device is publicly known in the internet, there is the potential that, by chance, you could become a useful target.
Thanks again for this thread.
Thanks @GreenGeek. I read in following order It appears there may be a 3rd forthcoming.
Over the past 2 decades, I have setup over 3 dozen of these at various locations. The idea of exploiting those units did not ever come up until now. In many of those locations, I have Cisco routers set to monitor and control outgoing traffic, but, had not thought of the possibility of anyone wanting to exploit the low-powered DVRs....until now.
This is a serious flaw in ALL currently installed units if this or another method of exploit surfaces. The flaw is PERMANENT as very few, including small Security company's equipment they've installed at customer locations, have the means to fix this flaw. ALL DVRs I have worked with DO NOT HAVE the means to automate its OS/firmware updates like smartPhones/smartTablets do via the Internet. So any existing units will remain vulnerable for the life of the unit deployed.
A serious concern only if you see the potential of being a target for this exploit. And, because your device is publicly known in the internet, there is the potential that, by chance, you could become a useful target.
Thanks again for this thread.
-
gcmartin
The DVR's selling feature and the reason so many Security company's use them (as well as consumers) is the remote access features provided by the DVR units.
And, in most every cases, viewing is NOT seen as a security flaw; rather a feature to allow owner/managers to view activities the cameras show.
But, the article is sharing that with some simple efforts one can exploit the DVR for other purposes beyond the viewing feature(s). The usual targets are PCs for doing those kinds of activities. This shows another pathway, beyond use of LAN's PCs, that would not be suspects to compromising a location which is accessible over the web.
What the article shows, though, that makes the use of the DVR much more difficult is how to do this when you have this DVR series. YOU MUST have local access to know how to insert the initial culprit, so that remote access can occur. As the article shows, having the means to do this directly is not a straight forward ability on these units. BUT, if one is able to compromise a LAN PC, this action would be "planted" so that remote manipulation could occur on a LAN device that is most cases would not be a suspect. So a get in, make the DVR change, and get out to manage LAN exploit via the DVR instead of a local PC can be accomplished.
Not every deviant is willing to do this as the article guides, but, it is a pathway.
And, in most every cases, viewing is NOT seen as a security flaw; rather a feature to allow owner/managers to view activities the cameras show.
But, the article is sharing that with some simple efforts one can exploit the DVR for other purposes beyond the viewing feature(s). The usual targets are PCs for doing those kinds of activities. This shows another pathway, beyond use of LAN's PCs, that would not be suspects to compromising a location which is accessible over the web.
What the article shows, though, that makes the use of the DVR much more difficult is how to do this when you have this DVR series. YOU MUST have local access to know how to insert the initial culprit, so that remote access can occur. As the article shows, having the means to do this directly is not a straight forward ability on these units. BUT, if one is able to compromise a LAN PC, this action would be "planted" so that remote manipulation could occur on a LAN device that is most cases would not be a suspect. So a get in, make the DVR change, and get out to manage LAN exploit via the DVR instead of a local PC can be accomplished.
Not every deviant is willing to do this as the article guides, but, it is a pathway.
-
gcmartin
Vulnerablity if government/criminal wants access to you
What this thread's discussion has started is a peer into the problem all of us have been faced with; namely the vulnerability of our homes, as today's technology marches forward. That vulnerability may be intentional, but, nevertheless, it is ever present.
Here is a report that draws more attention to this problem all consumers in the world face.
We used to store paper trails for everything. Many have been using electronic means for such important papers, today.
Here is a report that draws more attention to this problem all consumers in the world face.
We used to store paper trails for everything. Many have been using electronic means for such important papers, today.