Interview With Researcher Who Cracked Security Of 70+ DVR Brands

Author: Brian Karas, Published on Jul 07, 2016

The researcher who found an exploit in 70+ brands of TVT OEM DVRs, which he suspected to be the entry point hackers used to gain access to several retailers, elaborated on these hacks to us.

We got in touch with Rotem Kerner, previously a security researcher at RSA, and now co-founder of security research company Cybewrite to discuss the exploitability of embedded security devices.

*** ********** *** ******* ******* ** **+ ****** ** *** *** ****, ***** ** ********* ** ** *** ***** ***** ******* used ** **** ****** ** ******* *********, ********** ** ***** hacks ** **.

** *** ** ***** ********* ******, ********** * ******** ********** ** ***, *** *** **-******* of ******** ******** ****************** ******* *** ************** ** ******** ******** *******.

[***************]

Old **** ******* *** * ***** ******

****** **** **** ** ***** ************* ** ******** ******* **** routinely "****** ** *** **** **** *** * *** ** people *** ****** ** **** ****". ******** ** ***** ******** devices **** ***** ******* ** ***** *******, ******** ******* *** recorders *** *** **** ****** ** **** ***** ********, *** accessible ** ********, ****** ************* **** ********* ***** ***** ********.

Now ****** ********

*** ******* ******* *** *********** *******, ******** ******* **** ***-***** targets, ** ***** ** ***** *** **** *** *****. **** the ******* **** ** ** ****** ******* *** ********* ********** of ********-********* ******* **** **** ****** *********, *** ****, *******.

Worse ** ***** ******* ** ********

** ***** ******* ***** **** ** *** **** **** ****** and ******** **** ******* *** ************* *** **********. **** *** make *************** ***** ** *** ****** *********** ********** ** ***** brands/products ***** *** **** ******** ******** *********. ******* ****** ************* report ****** ******* ******* ** ******** ****** ****** *** ******* ****** ********.

How *************** *** *****

***** ***** ****** ** *********** ******** ******, *** ***** ***** like********* ********* **** *** **** ** *** *** ***** ** the ********. **** **** ******** ** *** ************ ********** ** scanning * ****** ************ *** **** ***** *** ****** ******** methods ******* *************** ************.

********* ** **** ** *** *** *****, ************* *** ******** ***** ********, **** ********* * ********* full ** ******/*****. **** ******* *** ** *********** ********* **** the ******* ** ******* ***** ** ******* ** ********* ** deployed ******* **** **** ** ******.

Two ****** ******* ** ******* ********

** ******* *** ** ********* ** * ****** ** ******* root ** ***** ****** ** * ***** ******* *** **** downloading **** ******** **** *** **** **** * ****** ******. This ****** ******** *** ****** ** ** **** ** *** network ****** ** *** **** (****** *******, ** **** *** internet). ** *** *** ******* ** ***** **** ** ** done ******* *** **** ****** ** ** ********, *** ********** the ******* ** ********** ******** ** ******* ******** ** ***** that *** ********** ********.

******* *** ** *** ** ******* **** * **** ** by ********* *** ******** *** *** ****** **** *** *** exploit ***** **, *** **** ********* **** ******** **** *** unit. **** *** **** ** **** ********, ** *** ****** can *** *** *** *** **** ** ******* *** ******** themselves. *** *** ** ******** * **** ** ******* *********** firmware ** ** **** *** ******** ********* *** ********, *** then **** ** ***** **** ******* ** **** **** *** manufacturers ******* ********** ********** * ******** ******.

Securing **** *******

** ** ********** ** ***** ****** * ****** ********* ** the ********, *** *** *** ****** **** ******* ** ****** by ********* ***** **********:

  1. ****** ******* *********, *** ********* ** *** ****** ****** **. Simply ******** "*****" ** "*****" **** **** **************** **************.
  2. **** ******** ******** ***** **** ************* ********, ***** **** **** not ********* ***** *** *** ***********, ** **** ****** *** chances ** ******* ***** ********.
  3. **** ******** ******* ** ******* *** ******** **** ***** ****, assuming **** *** ************ ** ******* ** **** ******** *******.
  4. ***** *** ** *********/******** **** *** ****** **** *********, ** better *** ***** ****** ******** ****** *** ******* *** ***.

** *** ********** ******** *************************, ********** ******** ****** ** ******* *** ****** **** ** exploit.

What ************* *** **

******** ****** *** *** ******** **** *** ******** ********** *** the **** ****** ******* ** *******. ******* ** ***** ****** is ****** ****** ** ********** *** *****, *** ** ***** used ** ******* ** **** ****** ** *** ******.

************ ******** ********* ******** ****** ************ ******* * ***** ****** vector. **** ******* ** *** ****** *** ********* ** ******** files ****** ********** ****, ******** ********* ** ****** ***** ******** images ***** *** **** ***** ******* **** *********** ******* ****** nodes.

********** *** ******** ***** *** **** **** ** **** ********* for ******* ** ********* **** *** ***** *** **** *** exploitable **********.

Comments (19)

Thumbnail image

Jon Dillabaugh

Pro Focus LLC | 07/07/16 02:46pm

**** *******. ** ** *** ******* *** ******** *** **** practices, ***** ***** ** ***** **** ****** ** *********. *************, of ******, **** * ***** **** ****, *** *********** **** to ** ***** **** ***. **** ****'* ****** ** ******. Sometimes * ****** ***** ** ** ****** ******. *********** *** access ** **** ****** ****** ****** *** ********** ******* ** it ** *********.

Undisclosed #1

07/07/16 04:29pm

**** **!

******** ***** **** ******:

**** ******* *** ** *********** ********* **** *** ******* ** created ***** ** ******* ** ********* ** ******** ******* **** over ** ******...

** ******* *** ** ********* ** * ****** ** ******* root ** ***** ****** ** * ***** ******* *** **** downloading **** ******** **** *** **** **** * ****** ******.

***'* *** '*******' *** ******* ** '**** ****' ** *** first *****?

****** ** ** **** *** *** ******, "**** *** ** stolen ** ***** *** *** ** ***** *** ******."

Thumbnail brk1

Brian Karas

IPVM | In reply to Undisclosed #1 | 07/07/16 04:42pm

***'* *** '*******' *** ******* ** '**** ****' ** *** first *****?

** **** *****, ***. ** **** **** * *** ********* more ** *** ******* ***** *** ********** **** **** *** uploaded ** *** ****** *** **** ******** ** *** ******. But **** *** *** ** ******* ****/***** ****** ** **** a **** ** *******.

Undisclosed #2

In reply to Undisclosed #1 | 07/07/16 04:43pm

***'* *** '*******' *** ******* ** '**** ****' ** *** first *****?

*********, *** ** * *** **, *** ******* ** **** unauthorized "****" ** *** ****. *** "*******" ** *** ******/****** you ****/**** (******* *********) ** * ****** ** ******* ************ access-often ********** *******.

Undisclosed #1

In reply to Undisclosed #2 | 07/07/16 05:26pm

*** "*******" ** *** ******/****** *** ****/**** (******* *********) ** a ****** ** ******* ************ ******-***** ********** *******.

********. ****** **** ***** ***** ** *** ****** ************* ** the **** '*******', * ***'* ***** **** ** *** ***** meaning ** *****-********.

*** ******** ** * *** * ***** ***** ******** ******* to **** **** ** * ****** *** **** * **** a *** ** *** *** ****** **** *******, *** ******* is ***** ***** ******** ******, *** ******* *****.

**** ***** *****, ***** ********* *** ******* ***** ** *** number ** ******, **** ***** ** **** **** *** *** root.

** **** ********** ****, *** ****** ** "******* ** *******" is ******* **** **** *** **** ****** ******. **** ** the ***** *******.

Undisclosed #2

07/07/16 04:47pm

**** *** *** ** *** *** *********** **** * ********** thought *** **** ********* *** **** *************. * ***** *** out ** **** *** *** ** ***** ** *** **** kind ** ******** ** ****.

jason oneal

07/08/16 11:41am

** ***** * *** ** **** ** * ****** *** already **** ***********? ** **** ********** *** **** ********* ** latest ******** ********* *** ***** **** ****** ** *** ******?

Thumbnail brk1

Brian Karas

IPVM | In reply to jason oneal | 07/08/16 12:39pm

**** ** ** ********* ********.

*** ********* ******** ****** ** **** ***** ** ** *** to **** *** **** ** * ****** *** **** ***********, especially **** ** ***** ** ****** **** ******* ***** ***** like************* *** *** *******.

********** * ****** **** **** ***** ****-********** ******** ** **** cases, ** ***'* **** *** *** ***** ******** **** *** been *****.

*** **** **** ** **** *** **** ******* *** ******** contains * ******** *****, ********* ****** *** *** ********** *****/******** needed ** *** *** ****** ** ********. ********* **************** * ******** **** *** ********* *** *******. *******, **** like ************* ******** *** ** ***** ****** * ******** *******, so ***** ********* ******* ** *** ******* **** ************ ************* and ********** *** ********* ** *** ****** *****.

* ** *** ***** ** *** ** *** ***** ***** malware ******** ** ******* *** ********* ** ** *** ***** where ** *** ******* ****** * *****/******* *** * ******** upgrade, *** ** ** *********** ******** *** **** ** *****. Hopefully ** **** *** **** ******** ******** *** **** ******** implemented ** ************* ****** *** ******* *** ***** ** **** in **** ******.

Andrew Tierney

In reply to Brian Karas | 04/08/17 09:13am

*'** *** ********* *** **** **** ******* ******* * ******** upgrade. **** ******** ******* ***'* ***** *** **********.

Michael Henderson

07/12/16 03:24pm

*********** *** ****** ******, ***** ** ** **** ** **** selling *** *** *** **** *** ***** ********* ******* *** networks **** ****** ******** ** ****. *** ****, **** ***** we *** ******** ** ** ** *** *********.

*********** **** ** **** ***** ***** ********* *** ***** ******* the ******* ******** ** *** ********. ** *** ***** *** so ***** *********, ** ** **** ** ******* **** ****** to **** ****** ******** ********* ***** ***** ********.

Thumbnail image

Jon Dillabaugh

Pro Focus LLC | In reply to Michael Henderson | 07/12/16 03:36pm

***** * ***** ** ******* **** **** **********, * ***** like ** **** ***** ****** *** ****** **** ********, ** your *******?

Thumbnail marty2016

Marty Calhoun

IPVMU Certified | In reply to Michael Henderson | 04/08/17 12:39am

** **** *** ***** ** '*** *** ****', ** *** mean **** ****** ***** = ***** ******?

Michael Henderson

07/12/16 03:47pm

** ***'* *** ******, *** **, *** *** *** ******* are ********. ******* **** *** *********' ** ****** *** ***** exploits, ********* ******** ********. ** *** *** ****** *****, * system **** ** *** ********* ** *** ********, ****** ** cases ** ******* *** ***********.

*******, ***** ****** **** ****** *** ***** * *** *** can **** ** ******** **** ******* *******, *** ** *** maintaining * ******** ** **** *** ******** *** ****.

******* **** ********* ***** ******** ** ****** ** ***** ********* exploits ** **** ** *** *** ********* *********** **** **** at **** ********* * ***.

Thumbnail image

Jon Dillabaugh

Pro Focus LLC | In reply to Michael Henderson | 07/12/16 04:02pm

*** *** **** ** ******** "********* ***'* ******** ** ****** to ***** ********* ********" ** **** *** ***'*?

Michael Henderson

In reply to Jon Dillabaugh | 07/12/16 05:32pm

**** *** *****, * *** ** **-******* **** **** **** due *********. * **** ******* * ****, *** ******* * do ***. *** ******* **** *********** ** ********* * **** in ***** *** ***** ** * ************ ********,.

Thumbnail image

Jon Dillabaugh

Pro Focus LLC | In reply to Michael Henderson | 07/12/16 06:04pm

******! :)

* ****** * **** ***** *****!

Michael Henderson

In reply to Jon Dillabaugh | 07/12/16 06:07pm

******** ****. ***** ** **** **** *******, *** * **** do *** **** **** ****.

Thumbnail marty2016

Marty Calhoun

IPVMU Certified | In reply to Jon Dillabaugh | 04/08/17 12:42am

***** *** ***, *** *** *** **** ** *** **** for ****! ******** **** ***** *** **** ***** ** *** of *** "***-***********" ** **** ****.

Thumbnail brk1

Brian Karas

IPVM | 04/07/17 03:35pm

***** ** * *** ****** ***** ********, ****** "*******", **** looks ** ** ********* *** *** *******. ** *** ~***,*** vulnerable ******* **** **** **********:

*** ***/***** ******* ******* ****, ***** ******

Login to read this IPVM report.
Why do I need to log in?
IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

Most Recent Industry Reports

Genetec Launches Cloud Access Control (Synergis SaaS) on Sep 21, 2017
Genetec's cloud everything expansion continues, with their announcement of Synergis SaaS edition, joining their cloud video offering Stratocast,...
Genetec CEO Warns Against Insider Threats on Sep 21, 2017
With Dahua and Hikvision cybersecurity issues becoming indisputable, a new counter has emerged. Just put them behind a firewall, buy cheap...
Automatic Door Operators For Access Tutorial on Sep 20, 2017
Opening and closing doors might sound simple, but it takes a high-tech piece of door hardware to pull it off. Integrating automatic door operators...
'Clowns' Allege Ubiquiti 'Completely Fraudulent' on Sep 20, 2017
A short seller has alleged Ubiquiti is 'completely fraudulent'. Ubiquiti's CEO has responded calling them 'clowns'. Here is the short...
Avigilon 'Blue' Cloud Entry Examined on Sep 19, 2017
Avigilon is moving to the cloud. The company announced their Avigilon Blue platform, designed to be a web-managed surveillance system, utilizing...
HID Buys Mercury Security on Sep 19, 2017
One of the biggest access control deals in years. Mercury Security, the most widely used access hardware OEM, and partner to 20+ manufacturers,...
Hikvision Backdoor Exploit on Sep 18, 2017
Full disclosure to the Hikvision backdoor has been released, allowing easy exploit of vulnerable Hikvision IP cameras. As the researcher, Monte...
Avigilon Touting 'Made In America' on Sep 18, 2017
Canadian manufacturer Avigilon, who completed a US manufacturing facility in 2015, is now running a marketing campaign touting 'Made In America',...
Cloud Guy Prints Book, Misses Irony on Sep 15, 2017
On-premise security systems are dead. But $75 print books are alive and well. Such are the lessons from Brivo's CEO new book "The Five...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact