Interview With Researcher Who Cracked Security Of 70+ DVR Brands

By: Brian Karas, Published on Jul 07, 2016

[link no longer available] The researcher who found an exploit in 70+ brands of TVT OEM DVRs, which he suspected to be the entry point hackers used to gain access to several retailers, elaborated on these hacks to us.

We got in touch with Rotem Kerner [link no longer available], previously a security researcher at RSA, and now co-founder of security research company Cybewrite, to discuss the exploitability of embedded security devices.


Old **** ******* *** * ***** ******

****** **** **** ** feels ************* ** ******** devices **** ********* "****** on *** **** **** not * *** ** people *** ****** ** hack ****". ******** ** other ******** ******* **** print ******* ** ***** *******, ******** cameras *** ********* *** not **** ****** ** many ***** ********, *** accessible ** ********, ****** manufacturers **** ********* ***** their ********.  

Now ****** ********

*** ******* ******* *** exploitable *******, ******** ******* were low-value *******, ** ***** up ***** *** **** few *****. **** *** massive **** ** ** camera ******* *** ********* deployment ** ********-********* ******* they have ****** *********, *** easy, *******.

Worse ** ***** ******* ** ********

** ***** ******* ***** rely ** *** **** core ****** *** ******** http ******* *** ************* *** management.  **** *** **** vulnerabilities ***** ** *** device *********** ********** ** other ******/******** ***** *** same ******** ******** *********.  Another ****** ************* ****** showed ******* ******* ** ******** device ****** *** ******* common ********.

How *************** *** *****

***** ***** ****** ** downloading ******** ******, *** using ***** **** ******* ** ********* **** *** look ** *** *** ***** in *** ********.  **** runs ******** ** *** ************ ********** of scanning * ****** ************ for **** ***** *** trying ******** ******* **** *** ********** ** *** ************.    

********* ** **** ** the *** *****, ************* *** ******** files ********, **** ********* a ********* **** ** brands/logos.  This allowed him to immediately determine that the exploit he created could be applied to thousands of deployed devices from over 70 brands.

Two ****** ******* ** ******* ********

An exploit can be installed on a device by gaining root or shell access to a linux console and then downloading code directly into the unit from a remote server. **** ****** requires *** ****** ** be **** ** *** network ****** ** *** unit (****** *******, ** over *** ********).  ** has *** ******* ** being **** ** ** done ******* *** **** having ** ** ********, but ********** *** ******* to ********** ******** ** private ******** ** ***** that *** ********** ********.

******* *** ** *** an ******* **** * unit ** ** ********* new ******** *** *** device **** *** *** exploit ***** **, *** then ********* **** ******** onto *** ****. **** can **** ** **** remotely, ** *** ****** can *** *** *** the **** ** ******* the ******** **********. *** way ** ******** * user ** ******* *********** firmware ** ** **** the ******** ********* *** download, *** **** **** an ***** **** ******* to **** **** *** manufacturers ******* ********** ********** a ******** ******.

Securing **** *******

** ** ********** ** fully ****** * ****** connected ** *** ********, but *** *** ****** your ******* ** ****** by ********* ***** **********: 

  1. ****** ******* *********, *** usernames ** *** ****** allows **.  ****** ******** "admin" ** "*****" **** foil ****** ********** ****** ********.
  2. **** ******** ******** ***** from ************* ********, ***** this **** *** ********* files *** *** ***********, it **** ****** *** chances ** ******* ***** firmware.
  3. **** ******** ******* ** prevent *** ******** **** being ****, ******** **** the ************ ** ******* up **** ******** *******.
  4. ***** *** ** *********/******** that *** ****** **** equipment, ** ****** *** close ****** ******** ****** and ******* *** ***.

** *** ****** **** ******** ************* ************, ********** ******** ****** to ******* *** ****** risk ** *******.

What ************* *** **

******** ****** *** *** software **** *** ******** eliminates *** *** **** common ******* ** *******. ******* or ***** ****** ** rarely ****** ** ********** use *****, *** ** often **** ** ******* to **** ****** ** the ******.

************ ******** ********* ******** before ************ ******* * ***** attack ******. **** ******* ** not ****** *** ********* of ******** ***** ****** installing ****, ******** ********* to ****** ***** ******** ****** which *** **** ***** devices **** *********** ******* access *****.

********** *** ******** ***** can **** **** ** more ********* *** ******* to ********* **** *** check *** **** *** exploitable **********.

Comments (19)

Nice article. If we keep pushing the industry and best practices, these types of hacks will surely be minimized. Manufacturers, of course, play a large role here, but integrators have to do their part too. VPNs aren't always an option. Sometimes a device needs to be public facing. Restricting the access to that public facing device and monitoring traffic to it is essential.

Like it!

Confused about this though:

This allowed him to immediately determine that the exploit he created could be applied to thousands of deployed devices from over 70 brands...

An exploit can be installed on a device by gaining root or shell access to a linux console and then downloading code directly into the unit from a remote server.

Isn't the 'exploit' the ability to 'gain root' in the first place?

Sounds to me like you are saying, "Cars can be stolen by using the key to start the engine."

Isn't the 'exploit' the ability to 'gain root' in the first place?

In some sense, yes. In this case I was referring more to the exploit being the unintended code that was uploaded to the device and then executed by the device. But just the act of gaining root/shell access is also a form of exploit.

Isn't the 'exploit' the ability to 'gain root' in the first place?

Semantics, but as I see it, the ability to gain unauthorized "root" is the hack. The "exploit" is the change/action you make/take (usually nefarious) as a result of gaining unauthorized access, often installing malware.

The "exploit" is the change/action you make/take (usually nefarious) as a result of gaining unauthorized access, often installing malware.

Disagree. Though that makes sense in the common understanding of the word 'exploit', I don't think that is the usual meaning in cyber-security.

For instance if I use a brute force password program to gain root to a system and then I burn a DVD of all the credit card numbers, the exploit is brute force password attack, not copying files.

This makes sense, since otherwise the exploit could be any number of things, that could be done once you are root.

In this particular case, the result of "exploit he created" is nothing more than the root access itself. This is the usual meaning.

This was one of the two researchers whom I originally thought may have uncovered the Axis vulnerability. I ruled him out on that one and am happy to see this kind of coverage on IPVM.

Is there a way to know if a device has already been compromised? Or will defaulting and then upgrading to latest firmware eliminate any rogue hack placed on the device?

This is an excellent question.

The generally accepted answer is that there is no way to know for sure if a device has been compromised, especially when it comes to things like cameras where tools like chkrootkit are not yet adapted.

Defaulting a camera will only erase user-configured settings in most cases, it won't wipe out any rogue software that has been added.

The good part is that for most devices the firmware contains a complete image, operating system and all additional files/software needed to run the camera or recorder. Upgrading firmware should do a complete wipe and overwrite any malware. However, just like configuration settings can be saved across a firmware upgrade, so could installed malware if the hackers were particularly sophisticated and understood the internals of the device fully.

I do not think we are at the stage where malware targeted to cameras and recorders is at the point where it can survive across a reset/default and a firmware upgrade, but it is technically possible for this to occur. Hopefully we will see more advanced firmware and code checking implemented by manufacturers before the hackers get ahead of them in this regard.

I've got backdoors for DVRs that persist through a firmware upgrade. Most firmware updates don't touch the bootloader.
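The two comments above make a concrete point: a firmware upgrade rewrites the kernel and root filesystem but usually leaves the bootloader alone, so an integrity check that only covers the upgraded partitions can miss a persistent implant. The following is an added example, not code from the article or from any DVR vendor, showing how a defender can compare every partition of a raw flash dump, bootloader included, against a known-good manifest. The partition layout, the sample image contents and the "patched bootloader" dump are all constructed for the demonstration.

```python
import hashlib

# Constructed flash layout of a hypothetical DVR: (name, offset, length).
# On a real unit, take the layout from the vendor's partition table or the
# kernel's mtd map; these numbers are assumptions for the example.
PARTITIONS = [
    ("bootloader", 0x000000, 0x040000),
    ("kernel",     0x040000, 0x200000),
    ("rootfs",     0x240000, 0x400000),
]

def partition_digests(flash: bytes) -> dict:
    """SHA-256 of every partition region in a raw flash dump."""
    digests = {}
    for name, offset, length in PARTITIONS:
        region = flash[offset:offset + length]
        if len(region) != length:
            raise ValueError(f"dump too short for partition {name}")
        digests[name] = hashlib.sha256(region).hexdigest()
    return digests

def find_tampered(flash: bytes, known_good: dict) -> list:
    """Names of partitions whose digest differs from the trusted manifest."""
    actual = partition_digests(flash)
    return [name for name in actual if actual[name] != known_good.get(name)]

def build_flash(bootloader: bytes, kernel: bytes, rootfs: bytes) -> bytes:
    """Assemble a flash image from partition contents, zero-padded to the layout."""
    out = bytearray(PARTITIONS[-1][1] + PARTITIONS[-1][2])
    for (name, offset, length), data in zip(PARTITIONS, (bootloader, kernel, rootfs)):
        if len(data) > length:
            raise ValueError(f"{name} contents exceed partition size")
        out[offset:offset + len(data)] = data
    return bytes(out)

# Constructed sample: the vendor's clean image gives the known-good manifest.
VENDOR_IMAGE = build_flash(b"boot-vendor", b"kernel-v2", b"rootfs-v2")
KNOWN_GOOD = partition_digests(VENDOR_IMAGE)
# Constructed dump taken after a firmware upgrade: kernel and rootfs now match
# the vendor image, but the bootloader region still holds modified code.
UPGRADED_DUMP = build_flash(b"boot-patched", b"kernel-v2", b"rootfs-v2")

if __name__ == "__main__":
    print("tampered partitions:", find_tampered(UPGRADED_DUMP, KNOWN_GOOD))
```

Checking only the partitions the upgrade touched would report this dump as clean; hashing the whole layout is what surfaces the bootloader change.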

Considering the brands hacked, maybe it is time to quit selling the low end crap and start designing systems and networks with actual security in mind. You know, that thing we are supposed to do in the beginning.

Salespeople need to quit being price conscious and start selling the service expected of our industry. If end users are so price sensitive, it is time to educate them better to make better informed decisions about their security.

While I agree in general with your sentiments, I would like to know which brands are exempt from exploits, in your opinion?

So when you refer to 'low end crap', do you mean that higher price = cyber secure? 

It isn't the brands, per se, but how the systems are designed. Working with the customers' IT people can limit exploits, dedicated security networks. Or for the safest route, a system that is not connected to the internet, except in cases of service and maintenance.

However, using shells that anyone can write a GUI for can lead to exploits from outside sources, due to not maintaining a standard of care for securing the code.

Staying with companies whose software is vetted to limit potential exploits is part of the due diligence integrators must look at when selecting a VMS.

Can you help me identify "companies whose software is vetted to limit potential exploits" vs ones who don't?

Over the years, I and my co-workers have done that due diligence. I have systems I like, and systems I do not. But sharing that information is something I keep in house and treat as intellectual property.

Thanks! :)

I needed a good laugh today!

Whatever dude. Carry on with your systems, and I will do the same with mine.

Thank you Jon, you hit the nail on the head for sure! Comments like those are what leads to all of the "mis-information" we deal with.

There is a new botnet being reported, called "Tsunami", that looks to be targeting the TVT devices. So far ~227,000 vulnerable devices have been identified:

New IoT/Linux Malware Targets DVRs, Forms Botnet

