TVT Backdoor Disclosed

By IPVM Team, Published Apr 09, 2018, 09:29am EDT


Security researcher Bashis has disclosed a backdoor in TVT video surveillance products, with TVT issuing its own 'Notification of Critical Vulnerabilities'. Bashis has found numerous vulnerabilities in video surveillance products, most notably the 2017 Dahua backdoor, which later resulted in the industry's most widespread hacking attack.

In this note, we examine the TVT backdoor and TVT's response.

*******

****** ******** **** ***************:


**** *******:

********* ************** ** ******** remote ****** ************* - including ***** *** ******** in ***** ****.

*** ******* ** ******** obtain *** ****'* ******** and ********* **** ******* of *** ****** ** especially **********.

** **** ** ********* password:


***** **** ************* ******* such ****** ** '****** errors', ** ****** ****** out ********* ****** *** not ****.

Fix *********

*** **** **** ***** is * *** *********:

*** *** ******** *** firmware **** *** *******, or ** ** *** technical ******* ** *** local ******* ********* ******* to *** *** ***** firmware.

*** ******* ** *** customers ** *** **** get **** ***.

Impact ** ****

*** ** ********* ** OEM *** ********* ** ********** / partners (*** **** **** of **). ** **** ****** suppliers **** ****, ** is ********* ** ** certain ***** ****** ** which ****** *** ********. Moreover, ** *** *** that ********* **** **** OEMs **** *********** ** even ** *** **** future *** ****.

TVT - ~$** ******* *****

*** ** * ******** traded ********* *** ******** ***** exchange, ** *% ** today's ****. *** *******'* 2017 ******* ** ~$** million *** ** *** a ****** ************** ** ~$360 *******.

*** ***** ************ *********, TVT ** ***-****, ******* in ******* ** ********* or ********* *** */**** or ** *** **** of ***** *** */** or ** *** **** of *********.

TVT's *******

*****'* ************, **** *** *** increasingly ******* ******* ** everybody *** ********:

******* ** ******** ****** covered ****** *** *************, no ****** *** *** or *** *** ** how ****** **** ***, which ****** *** ** us ** ** ******** to ******* *** ******* and *******.

** ******, **** ****** are *** ***** **** others, **** ** ****-***** passwords *** *********** ********* in ***** ****.

**** **** ***** **** 'found' ***** ***************:

** ******** ***** * vulnerabilities **** * ***** help **** ******** ******** ******.

*** ********* ****** *** customers *** ****** ****** not ** ******* **** if ***** *** ****-***** passwords ** ***'* *** code, **** ***** *** need ** '****' **** since **** *** **** in *****. ********, *** only '*****' **** ***** Bashis ******** ** *** gave **** ** **** before *** ****** **********.

Comments (18)

TVT units are trivial to find via Shodan; searching for "TVT RTSP" returns ~100K responses.

 

Retrieving "http://ip.add.re.ss:PORT/Css/Pictures/Login/LoginContent.png" gives you the branding image from the login page for at least some of the units.


The unique HTTP header 'AuthInfo:' gives more than 110K.


Thanks.  I was only able to do some brief digging around as the wifi on this flight is pretty crappy.  Will do more investigation later.


...as the wifi on this flight is pretty crappy.

1. IP/port-scan for the in-flight router 

2. Run general dictionary attack + aviation terms

3. Change bandwidth allocation for others

4. Have a nice flight.


Directions unclear.

Currently ziptied to my seat for attempting to hack the plane.


Seattle DVR

Is that a real thing? Wow, evidently it is and a horrendous website:


My impression has always been that they are kind of a commercial DIY oriented retail store, with some self branded NVRs. I have driven past their location for years, but never heard their name in the context of any project I have been involved in professionally.


Wow, evidently it is and a horrendous website:

Website seems on-par with their surveillance offerings.


Does this mean one can login to any TVT system (not patched with latest firmware of course) as an administrator just by entering the hard-coded password in the login page of the web interface?


Correct


Copy-and-paste code clone of what Hik/Dahua were using, or is this their own original mess?


Didn't see or feel connections to anyone else.


Was this exploit on IP cameras, NVRs, or DVRs...or all of the above?  


Think it's quite a clear message, no?

SRC: http://en.tvt.net.cn/news/227.html


Think it's quite a clear message, no?

Since you asked, whose ‘ignorance’ are they talking about?

All of the devices in the warehouse will be upgraded properly by us or by our local partners. Our online upgrading system will do its job, and we expect your attention in case of failure due to ignorance or other reasons.


Dude, you are asking the wrong dude...


"We recently found 3 vulnerabilities with a great help from 3rd party security expert. 2 of them are deeply inside the firmware, and can be used to control the devices, or even damage the info or devices if professional know-how is there. We seriously ask for a update of firmware in proper way to block the vulnerability, in order to avoid the possible risk in the future."

I guess they pay as much attention to grammar and punctuation as they did to their bug-ridden firmware.

A few contradictions, let alone trying to save face!


Attention, it seems that a Mirai clone (?) has started to exploit this vulnerability.

Source: Google dork

Virustotal samples

VirusTotal (dropper)

VirusTotal (dropper)

VirusTotal (scanner/bot)
