Interview With Researcher Who Cracked Security Of 70+ DVR Brands

Author: Brian Karas, Published on Jul 07, 2016

The researcher who found an exploit in 70+ brands of DVRs, which he suspected to be the entry point hackers used to gain access to several retailers, elaborated on these hacks to us.

We got in touch with Rotem Kerner, previously a security researcher at RSA, and now co-founder of security research company Cybewrite to discuss the exploitability of embedded security devices.  

[***************] 

Old **** ******* *** * ***** ******

****** **** **** ** ***** ************* ** ******** ******* **** routinely "****** ** *** **** **** *** * *** ** people *** ****** ** **** ****". ******** ** ***** ******** devices **** ***** ******* ** ***** *******, ******** ******* *** ********* *** not **** ****** ** **** ***** ********, *** ********** ** networks, ****** ************* **** ********* ***** ***** ********.  

Now ****** ********

*** ******* ******* *** *********** *******, ******** ******* **** ***-***** *******, at ***** ** ***** *** **** *** *****. **** *** massive **** ** ** ****** ******* *** ********* ********** ** Internet-connected ******* **** **** ****** *********, *** ****, *******.

Worse ** ***** ******* ** ********

** ***** ******* ***** **** ** *** **** **** ****** and ******** **** ******* *** ************* *** **********.  **** *** **** vulnerabilities ***** ** *** ****** *********** ********** ** ***** ******/******** using *** **** ******** ******** *********.  ******* ****** ************* ****** showed ******* ******* ** ******** ****** ****** *** ******* ****** ********.

How *************** *** *****

***** ***** ****** ** *********** ******** ******, *** ***** ***** like ******* *********** **** *** **** ** *** *** ***** ** *** ********.  This **** ******** ** *** ************ ********** ** ******** * ****** ************ *** **** ***** *** ****** ******** methods **** *** ********** ** *** ************.    

********* ** **** ** *** *** *****, ************* *** ******** ***** ********, **** ********* * ********* full ** ******/*****.  **** ******* *** ** *********** ********* **** the ******* ** ******* ***** ** ******* ** ********* ** deployed ******* **** **** ** ******.

Two ****** ******* ** ******* ********

** ******* *** ** ********* ** * ****** ** ******* root ** ***** ****** ** * ***** ******* *** **** downloading **** ******** **** *** **** **** * ****** ******. This ****** ******** *** ****** ** ** **** ** *** network ****** ** *** **** (****** *******, ** **** *** internet).  ** *** *** ******* ** ***** **** ** ** done ******* *** **** ****** ** ** ********, *** ********** the ******* ** ********** ******** ** ******* ******** ** ***** that *** ********** ********.

******* *** ** *** ** ******* **** * **** ** by ********* *** ******** *** *** ****** **** *** *** exploit ***** **, *** **** ********* **** ******** **** *** unit. **** *** **** ** **** ********, ** *** ****** can *** *** *** *** **** ** ******* *** ******** themselves. *** *** ** ******** * **** ** ******* *********** firmware ** ** **** *** ******** ********* *** ********, *** then **** ** ***** **** ******* ** **** **** *** manufacturers ******* ********** ********** * ******** ******.

Securing **** *******

** ** ********** ** ***** ****** * ****** ********* ** the ********, *** *** *** ****** **** ******* ** ****** by ********* ***** **********: 

  1. ****** ******* *********, *** ********* ** *** ****** ****** **.  Simply ******** "*****" ** "*****" **** **** ****** ********** ****** ********.
  2. **** ******** ******** ***** **** ************* ********, ***** **** **** not ********* ***** *** *** ***********, ** **** ****** *** chances ** ******* ***** ********.
  3. **** ******** ******* ** ******* *** ******** **** ***** ****, assuming **** *** ************ ** ******* ** **** ******** *******.
  4. ***** *** ** *********/******** **** *** ****** **** *********, ** better *** ***** ****** ******** ****** *** ******* *** ***.

** *** ****** **** ******** ************* ************, ********** ******** ****** ** ******* *** ****** **** ** exploit.

What ************* *** **

******** ****** *** *** ******** **** *** ******** ********** *** the **** ****** ******* ** *******. ******* ** ***** ****** ** rarely ****** ** ********** *** *****, *** ** ***** **** by ******* ** **** ****** ** *** ******.

************ ******** ********* ******** ****** ************ ******* * ***** ****** ******. **** devices ** *** ****** *** ********* ** ******** ***** ****** installing ****, ******** ********* ** ****** ***** ******** ****** ***** *** turn ***** ******* **** *********** ******* ****** *****.

********** *** ******** ***** *** **** **** ** **** ********* for ******* ** ********* **** *** ***** *** **** *** exploitable **********.

Comments (19)

Thumbnail image

Jon Dillabaugh

Pro Focus LLC | 07/07/16 02:46pm

**** *******. ** ** *** ******* *** ******** *** **** practices, ***** ***** ** ***** **** ****** ** *********. *************, of ******, **** * ***** **** ****, *** *********** **** to ** ***** **** ***. **** ****'* ****** ** ******. Sometimes * ****** ***** ** ** ****** ******. *********** *** access ** **** ****** ****** ****** *** ********** ******* ** it ** *********.

Undisclosed #1

07/07/16 04:29pm

**** **!

******** ***** **** ******:

**** ******* *** ** *********** ********* **** *** ******* ** created ***** ** ******* ** ********* ** ******** ******* **** over ** ******...

** ******* *** ** ********* ** * ****** ** ******* root ** ***** ****** ** * ***** ******* *** **** downloading **** ******** **** *** **** **** * ****** ******.

***'* *** '*******' *** ******* ** '**** ****' ** *** first *****?

****** ** ** **** *** *** ******, "**** *** ** stolen ** ***** *** *** ** ***** *** ******."

Thumbnail brk1

Brian Karas

IPVM | In reply to Undisclosed #1 | 07/07/16 04:42pm

***'* *** '*******' *** ******* ** '**** ****' ** *** first *****?

** **** *****, ***. ** **** **** * *** ********* more ** *** ******* ***** *** ********** **** **** *** uploaded ** *** ****** *** **** ******** ** *** ******. But **** *** *** ** ******* ****/***** ****** ** **** a **** ** *******.

Undisclosed #2

In reply to Undisclosed #1 | 07/07/16 04:43pm

***'* *** '*******' *** ******* ** '**** ****' ** *** first *****?

*********, *** ** * *** **, *** ******* ** **** unauthorized "****" ** *** ****. *** "*******" ** *** ******/****** you ****/**** (******* *********) ** * ****** ** ******* ************ access-often ********** *******.

Undisclosed #1

In reply to Undisclosed #2 | 07/07/16 05:26pm

*** "*******" ** *** ******/****** *** ****/**** (******* *********) ** a ****** ** ******* ************ ******-***** ********** *******.

********. ****** **** ***** ***** ** *** ****** ************* ** the **** '*******', * ***'* ***** **** ** *** ***** meaning ** *****-********.

*** ******** ** * *** * ***** ***** ******** ******* to **** **** ** * ****** *** **** * **** a *** ** *** *** ****** **** *******, *** ******* is ***** ***** ******** ******, *** ******* *****.

**** ***** *****, ***** ********* *** ******* ***** ** *** number ** ******, **** ***** ** **** **** *** *** root.

** **** ********** ****, *** ****** ** "******* ** *******" is ******* **** **** *** **** ****** ******. **** ** the ***** *******.

Undisclosed #2

07/07/16 04:47pm

**** *** *** ** *** *** *********** **** * ********** thought *** **** ********* *** **** *************. * ***** *** out ** **** *** *** ** ***** ** *** **** kind ** ******** ** ****.

jason oneal

07/08/16 11:41am

** ***** * *** ** **** ** * ****** *** already **** ***********? ** **** ********** *** **** ********* ** latest ******** ********* *** ***** **** ****** ** *** ******?

Thumbnail brk1

Brian Karas

IPVM | In reply to jason oneal | 07/08/16 12:39pm

**** ** ** ********* ********.

*** ********* ******** ****** ** **** ***** ** ** *** to **** *** **** ** * ****** *** **** ***********, especially **** ** ***** ** ****** **** ******* ***** ***** like************* *** *** *******.

********** * ****** **** **** ***** ****-********** ******** ** **** cases, ** ***'* **** *** *** ***** ******** **** *** been *****.

*** **** **** ** **** *** **** ******* *** ******** contains * ******** *****, ********* ****** *** *** ********** *****/******** needed ** *** *** ****** ** ********. ********* **************** * ******** **** *** ********* *** *******. *******, **** like ************* ******** *** ** ***** ****** * ******** *******, so ***** ********* ******* ** *** ******* **** ************ ************* and ********** *** ********* ** *** ****** *****.

* ** *** ***** ** *** ** *** ***** ***** malware ******** ** ******* *** ********* ** ** *** ***** where ** *** ******* ****** * *****/******* *** * ******** upgrade, *** ** ** *********** ******** *** **** ** *****. Hopefully ** **** *** **** ******** ******** *** **** ******** implemented ** ************* ****** *** ******* *** ***** ** **** in **** ******.

Andrew Tierney

In reply to Brian Karas | 04/08/17 09:13am

*'** *** ********* *** **** **** ******* ******* * ******** upgrade. **** ******** ******* ***'* ***** *** **********.

Michael Henderson

07/12/16 03:24pm

*********** *** ****** ******, ***** ** ** **** ** **** selling *** *** *** **** *** ***** ********* ******* *** networks **** ****** ******** ** ****. *** ****, **** ***** we *** ******** ** ** ** *** *********.

*********** **** ** **** ***** ***** ********* *** ***** ******* the ******* ******** ** *** ********. ** *** ***** *** so ***** *********, ** ** **** ** ******* **** ****** to **** ****** ******** ********* ***** ***** ********.

Thumbnail image

Jon Dillabaugh

Pro Focus LLC | In reply to Michael Henderson | 07/12/16 03:36pm

***** * ***** ** ******* **** **** **********, * ***** like ** **** ***** ****** *** ****** **** ********, ** your *******?

Thumbnail marty2016

Marty Calhoun

IPVMU Certified | In reply to Michael Henderson | 04/08/17 12:39am

** **** *** ***** ** '*** *** ****', ** *** mean **** ****** ***** = ***** ******?

Michael Henderson

07/12/16 03:47pm

** ***'* *** ******, *** **, *** *** *** ******* are ********. ******* **** *** *********' ** ****** *** ***** exploits, ********* ******** ********. ** *** *** ****** *****, * system **** ** *** ********* ** *** ********, ****** ** cases ** ******* *** ***********.

*******, ***** ****** **** ****** *** ***** * *** *** can **** ** ******** **** ******* *******, *** ** *** maintaining * ******** ** **** *** ******** *** ****.

******* **** ********* ***** ******** ** ****** ** ***** ********* exploits ** **** ** *** *** ********* *********** **** **** at **** ********* * ***.

Thumbnail image

Jon Dillabaugh

Pro Focus LLC | In reply to Michael Henderson | 07/12/16 04:02pm

*** *** **** ** ******** "********* ***'* ******** ** ****** to ***** ********* ********" ** **** *** ***'*?

Michael Henderson

In reply to Jon Dillabaugh | 07/12/16 05:32pm

**** *** *****, * *** ** **-******* **** **** **** due *********. * **** ******* * ****, *** ******* * do ***. *** ******* **** *********** ** ********* * **** in ***** *** ***** ** * ************ ********,.

Thumbnail image

Jon Dillabaugh

Pro Focus LLC | In reply to Michael Henderson | 07/12/16 06:04pm

******! :)

* ****** * **** ***** *****!

Michael Henderson

In reply to Jon Dillabaugh | 07/12/16 06:07pm

******** ****. ***** ** **** **** *******, *** * **** do *** **** **** ****.

Thumbnail marty2016

Marty Calhoun

IPVMU Certified | In reply to Jon Dillabaugh | 04/08/17 12:42am

***** *** ***, *** *** *** **** ** *** **** for ****! ******** **** ***** *** **** ***** ** *** of *** "***-***********" ** **** ****.

Thumbnail brk1

Brian Karas

IPVM | 04/07/17 03:35pm

***** ** * *** ****** ***** ********, ****** "*******", **** looks ** ** ********* *** *** *******. ** *** ~***,*** vulnerable ******* **** **** **********:

*** ***/***** ******* ******* ****, ***** ******

Login to read this IPVM report.
Why do I need to log in?
IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

Most Recent Industry Reports

Anixter - Falling Video Prices on Jul 26, 2017
Falling video prices are such a concern that it has become a notable topic for Anixter's financial results and Anixter's executives. In this...
Bosch G-Series Intrusion Tested on Jul 26, 2017
Bosch is one of the biggest names in intrusion, and the company's G-Series panels are their most advanced commercial and high-security panels. But...
Healthy Skepticism for Deep Learning Is Prudent on Jul 26, 2017
The hype for deep learning in video surveillance is accelerating. Between the race to the bottom and dearth of a 'next big thing', certainly pent...
$28M Drone Detection Startup Examined (Dedrone) on Jul 25, 2017
Dedrone has received ~$28M in funding to build what they call an "automatic anti-drone solution", a system to detect drones, and then automatically...
Dahua Suffers Second Major Vulnerability, Silent [Finally Acknowledges] on Jul 25, 2017
Less than 3 months ago, Dahua received DHS ICS-CERT's worst score of 10.0 for their backdoor. Now, Dahua has received another 10.0 score for a new...
Hikvision H.265+ Bullet Tested (2035) on Jul 24, 2017
Continuing our tests of Hikvision's new low cost Value Plus line, we bought and tested the 3MP DS-2CD2035FWD-I, now including H.265+. We shot the...
Sports Stadium Security Design Recommendations on Jul 24, 2017
Sports stadiums pose many challenges for designing security systems. The facilities vary from being mostly vacant, to packed with tens of thousands...
Competing Against Convergint on Jul 24, 2017
No integrator is more aggressively expanding than Convergint Technologies. Owned and funded by private equity firm KRG, Convergint has acquired...
Security Robots Are Just Entertainment on Jul 21, 2017
Great entertainment, no real security value.  That is the happy (or sad) state of security robots in 2017. Knightscope robot's drowning, the...
Wireless Burglar Alarm Sensors Guide on Jul 21, 2017
Wireless sensors for burglar alarm sensors are an increasingly common option for the historical labor intensive wired alarm systems. However,...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact