TVT Backdoor Disclosed

Published Apr 09, 2018 13:29 PM

IPVM Image

Security researcher Bashis has disclosed a backdoor in TVT video surveillance products, with TVT issuing its own 'Notification of Critical Vulnerabilities'. Bashis has found numerous vulnerabilities in video surveillance products, most notably the 2017 Dahua backdoor, which later resulted in the industry's most widespread hacking attack.

In this note, we examine the TVT backdoor and TVT's response.

*******

****** ******** **** ***************:

IPVM Image

**** *******:

********* ************** ** ******** ****** ****** configuration - ********* ***** *** ******** in ***** ****.

*** ******* ** ******** ****** *** user's ******** *** ********* **** ******* of *** ****** ** ********** **********.

** **** ** ********* ********:

IPVM Image

***** **** ************* ******* **** ****** as '****** ******', ** ****** ****** out ********* ****** *** *** ****.

Fix *********

*** **** **** ***** ** * fix *********:

*** *** ******** *** ******** **** our *******, ** ** ** *** technical ******* ** *** ***** ******* technical ******* ** *** *** ***** firmware.

*** ******* ** *** ********* ** TVT **** *** **** ***.

Impact ** ****

*** ** ********* ** *** *** has****** ** ********** / ******** (*** this **** ** **). ** **** ****** ********* **** time, ** ** ********* ** ** certain ***** ****** ** ***** ****** are ********. ********, ** *** *** that ********* **** **** **** **** immediately ** **** ** *** **** future *** ****.

TVT - ~$** ******* *****

*** ** * ******** ****** ********* *** ******** ***** ********, ** 5% ** *****'* ****. *** *******'* 2017 ******* ** ~$** ******* *** it *** * ****** ************** ** ~$360 *******.

*** ***** ************ *********, *** ** mid-tier, ******* ** ******* ** ********* or ********* *** */**** ** ** the **** ** ***** *** */** or ** *** **** ** *********.

TVT's *******

*****'* ************, **** *** *** ************ ******* defense ** ********* *** ********:

******* ** ******** ****** ******* ****** all *************, ** ****** *** *** or *** *** ** *** ****** they ***, ***** ****** *** ** us ** ** ******** ** ******* our ******* *** *******.

** ******, **** ****** *** *** worse **** ******, **** ** ****-***** passwords *** *********** ********* ** ***** text.

**** **** ***** **** '*****' ***** vulnerabilities:

** ******** ***** * *************** **** a ***** **** **** ******** ******** ******.

*** ********* ****** *** ********* *** stupid ****** *** ** ******* **** if ***** *** ****-***** ********* ** TVT's *** ****, **** ***** *** need ** '****' **** ***** **** put **** ** *****. ********, *** only '*****' **** ***** ****** ******** it *** **** **** ** **** before *** ****** **********.

Comments (18)
U
Undisclosed #1
Apr 09, 2018

TVT units are trivial to find via Shodan, searching for "TVT RTSP" returns ~100K responses.


Retrieving "http://ip.add.re.ss:PORT/Css/Pictures/Login/LoginContent.png" gives you the branding image from the login page for at least some of the units.

(1)
UE
Undisclosed End User #2
Apr 09, 2018

The unique HTTP header 'AuthInfo:' gives more than >110K


VS 

U
Undisclosed #1
Apr 09, 2018

Thanks.  I was only able to do some brief digging around as the wifi on this flight is pretty crappy.  Will do more investigation later.

U
Undisclosed #3
Apr 09, 2018
IPVMU Certified

...as the wifi on this flight is pretty crappy.

1. IP/port-scan for the in-flight router 

2. Run general dictionary attack + aviation terms

3. Change bandwidth allocation for others

4. Have a nice flight.

(1)
(6)
U
Undisclosed #1
Apr 09, 2018

Directions unclear.

Currently ziptied to my seat for attempting to hack the plane.


(7)
JH
John Honovich
Apr 09, 2018
IPVM

Seattle DVR

Is that a real thing? Wow, evidently it is and a horrendous website:

(1)
DD
Dan Droker
Apr 09, 2018
LONG Building Technologies • IPVMU Certified

My impression has always been that they are kind of a commercial DIY oriented retail store, with some self branded NVRs. I have driven past their location for years, but never heard their name in the context of any project I have been involved in professionally.

U
Undisclosed #1
Apr 09, 2018

Wow, evidently it is and a horrendous website:

Website seems on-par with their surveillance offerings.

(1)
SF
Shay Fogel
Apr 09, 2018

Does this mean one can login to any TVT system (not patched with latest firmware of course) as an administrator just by entering the hard-coded password in the login page of the web interface?


bm
bashis mcw
Apr 09, 2018

Correct

(4)
UI
Undisclosed Integrator #4
Apr 09, 2018

Copy and paste code clone of what Hik/Dahua were using, or is this their own original mess?

bm
bashis mcw
Apr 09, 2018

Didn't see or feel connections to anyone else

(1)
UM
Undisclosed Manufacturer #5
Apr 10, 2018

Was this exploit on IP cameras, NVRs, or DVRs...or all of the above?  

bm
bashis mcw
Apr 10, 2018

Think it's quite a clear message, no?

SRC: http://en.tvt.net.cn/news/227.html


U
Undisclosed #3
Apr 10, 2018
IPVMU Certified

Think it's quite a clear message, no?

Since you asked, whose ‘ignorance’ are they talking about?

All of the devices in the warehouse will be upgraded properly by us or by our local partners. Our online upgrading system will do its job, and we expect your attention in case of failure due to ignorance or other reasons.


(1)
bm
bashis mcw
Apr 10, 2018

Dude, you are asking the wrong dude...

(2)
UM
Undisclosed Manufacturer #6
Apr 11, 2018

"We recently found 3 vulnerabilities with a great help from 3rd party security expert. 2 of them are deeply inside the firmware, and can be used to control the devices, or even damage the info or devices if professional know-how is there. We seriously ask for a update of firmware in proper way to block the vulnerability, in order to avoid the possible risk in the future."

I guess they pay as much attention to grammar and punctuation as they did to their bug-ridden firmware.

A few contradictions, let alone trying to save face!

UE
Undisclosed End User #2
Oct 15, 2019

Attention, it seems that a Mirai clone (?) has started to exploit this vulnerability.

Source: Google dork

Virustotal samples

VirusTotal (dropper)

VirusTotal (dropper)

VirusTotal (scanner/bot)

(2)