TVT Backdoor Disclosed

By IPVM Team, Published Apr 09, 2018, 09:29am EDT

IPVM Image

Security researcher Bashis has disclosed a backdoor in TVT video surveillance products, with TVT issuing its own 'Notification of Critical Vulnerabilities'. Bashis has found numerous vulnerabilities in video surveillance products, most notably the 2017 Dahua backdoor, which later resulted in the industry's most widespread hacking attack.

In this note, we examine the TVT backdoor and TVT's response.

*******

****** ******** **** ***************:

IPVM Image

**** *******:

********* ************** ** ******** remote ****** ************* - including ***** *** ******** in ***** ****.

*** ******* ** ******** obtain *** ****'* ******** and ********* **** ******* of *** ****** ** especially **********.

** **** ** ********* password:

IPVM Image

***** **** ************* ******* such ****** ** '****** errors', ** ****** ****** out ********* ****** *** not ****.

Fix *********

*** **** **** ***** is * *** *********:

*** *** ******** *** firmware **** *** *******, or ** ** *** technical ******* ** *** local ******* ********* ******* to *** *** ***** firmware.

*** ******* ** *** customers ** *** **** get **** ***.

Impact ** ****

*** ** ********* ** OEM *** ********* ** ********** / partners (*** **** **** of **). ** **** ****** suppliers **** ****, ** is ********* ** ** certain ***** ****** ** which ****** *** ********. Moreover, ** *** *** that ********* **** **** OEMs **** *********** ** even ** *** **** future *** ****.

TVT - ~$** ******* *****

*** ** * ******** traded ********* *** ******** ***** exchange, ** *% ** today's ****. *** *******'* 2017 ******* ** ~$** million *** ** *** a ****** ************** ** ~$360 *******.

*** ***** ************ *********, TVT ** ***-****, ******* in ******* ** ********* or ********* *** */**** or ** *** **** of ***** *** */** or ** *** **** of *********.

TVT's *******

*****'* ************, **** *** *** increasingly ******* ******* ** everybody *** ********:

******* ** ******** ****** covered ****** *** *************, no ****** *** *** or *** *** ** how ****** **** ***, which ****** *** ** us ** ** ******** to ******* *** ******* and *******.

** ******, **** ****** are *** ***** **** others, **** ** ****-***** passwords *** *********** ********* in ***** ****.

**** **** ***** **** 'found' ***** ***************:

** ******** ***** * vulnerabilities **** * ***** help **** ******** ******** ******.

*** ********* ****** *** customers *** ****** ****** not ** ******* **** if ***** *** ****-***** passwords ** ***'* *** code, **** ***** *** need ** '****' **** since **** *** **** in *****. ********, *** only '*****' **** ***** Bashis ******** ** *** gave **** ** **** before *** ****** **********.

Comments (18)

Undisclosed #1

04/09/18 02:57pm

TVT units are trivial to find via Shodan, searching for "TVT RTSP" returns ~100K responses.

 

Retrieving "http://ip.add.re.ss:PORT/Css/Pictures/Login/LoginContent.png" gives you the branding image from the login page for at least some of the units.

Agree
Disagree
Informative: 1
Unhelpful
Funny

Undisclosed End User #2

In reply to Undisclosed #1 | 04/09/18 03:27pm

The unique HTTP header 'AuthInfo:' gives more than >110K

 

VS 

Agree
Disagree
Informative
Unhelpful
Funny

Undisclosed #1

In reply to Undisclosed End User #2 | 04/09/18 03:33pm

Thanks.  I was only able to do some brief digging around as the wifi on this flight is pretty crappy.  Will do more investigation later.

Agree
Disagree
Informative
Unhelpful
Funny

Undisclosed #3

IPVMU Certified | In reply to Undisclosed #1 | 04/09/18 04:01pm

...as the wifi on this flight is pretty crappy.

1. IP/port-scan for the in-flight router 

2. Run general dictionary attack + aviation terms

3. Change bandwidth allocation for others

4. Have a nice flight.

Agree
Disagree
Informative: 1
Unhelpful
Funny: 6

Undisclosed #1

In reply to Undisclosed #3 | 04/09/18 04:09pm

Directions unclear.

Currently ziptied to my seat for attempting to hack the plane.

 

Agree
Disagree
Informative
Unhelpful
Funny: 7

John Honovich

IPVM | In reply to Undisclosed #1 | 04/09/18 04:13pm

Seattle DVR

Is that a real thing? Wow, evidently it is and a horrendous website:

Agree: 1
Disagree
Informative
Unhelpful
Funny

Dan Droker

LONG Building Technologies
IPVMU Certified | In reply to John Honovich | 04/09/18 04:49pm

My impression has always been that they are kind of a commercial DIY oriented retail store, with some self branded NVRs. I have driven past their location for years, but never heard their name in the context of any project I have been involved in professionally.

Agree
Disagree
Informative
Unhelpful
Funny

Undisclosed #1

In reply to John Honovich | 04/09/18 05:03pm

Wow, evidently it is and a horrendous website:

Website seems on-par with their surveillance offerings.

Agree
Disagree
Informative
Unhelpful
Funny: 1

Shay Fogel

04/09/18 05:45pm

Does this mean one can login to any TVT system (not patched with latest firmware of course) as an administrator just by entering the hard-coded password in the login page of the web interface?

 

Agree
Disagree
Informative
Unhelpful
Funny

bashis mcw

In reply to Shay Fogel | 04/09/18 05:48pm

Correct

Agree
Disagree
Informative: 4
Unhelpful
Funny

Undisclosed Integrator #4

In reply to bashis mcw | 04/09/18 06:30pm

Copy and Paste Code Clone of what Hik/Dahua were using, or is this there own original mess?

Agree
Disagree
Informative
Unhelpful
Funny

bashis mcw

In reply to Undisclosed Integrator #4 | 04/09/18 06:33pm

Didn't see or felt connections to anyone else

Agree
Disagree
Informative: 1
Unhelpful
Funny

Undisclosed Manufacturer #5

04/10/18 12:35pm

Was this exploit on IP cameras, NVRs, or DVRs...or all of the above?  

Agree
Disagree
Informative
Unhelpful
Funny

bashis mcw

In reply to Undisclosed Manufacturer #5 | 04/10/18 04:53pm

Think it's quite clear message, no?

SRC: http://en.tvt.net.cn/news/227.html

 

Agree
Disagree
Informative
Unhelpful
Funny

Undisclosed #3

IPVMU Certified | In reply to bashis mcw | 04/10/18 06:49pm

Think it’s quite clear message, no?

Since you asked, whose ‘ignorance’ are they talking about?

All of the devices in the warehouse will be upgraded properly by us or by our local partners. Our online upgrading system will do its job, and we expect your attention in case of failure due to ignorance or other reasons.

 

Agree: 1
Disagree
Informative
Unhelpful
Funny

bashis mcw

In reply to Undisclosed #3 | 04/10/18 09:06pm

Dude, you are asking wrong dude...

Agree
Disagree
Informative
Unhelpful
Funny: 2

Undisclosed Manufacturer #6

In reply to bashis mcw | 04/11/18 12:51am

"We recently found 3 vulnerabilities with a great help from 3rd party security expert. 2 of them are deeply inside the firmware, and can be used to control the devices, or even damage the info or devices if professional know-how is there. We seriously ask for a update of firmware in proper way to block the vulnerability, in order to avoid the possible risk in the future."

I guess they pay as much attention to grammar, punctuation as they did on their bug ridden firmware.

A few contradictions, least alone trying to save their face!

Agree
Disagree
Informative
Unhelpful
Funny

Undisclosed End User #2

10/15/19 06:14pm

Attention, it seems that Mirai clone (?) has started to exploit this vulnerability.

Source: Google dork

Virustotal samples

VirusTotal (dropper)

VirusTotal (dropper)

VirusTotal (scanner/bot)

Agree
Disagree
Informative: 2
Unhelpful
Funny
Read this IPVM report for free.

This article is part of IPVM's 6,890 reports, 921 tests and is only available to members. To get a one-time preview of our work, enter your work email to access the full article.

Already a member? Login here | Join now
Loading Related Reports