TVT Backdoor Disclosed

By: IPVM Team, Published on Apr 09, 2018

Security researcher Bashis has disclosed a backdoor in TVT video surveillance products, with TVT issuing its own 'Notification of Critical Vulnerabilities'. Bashis has found numerous vulnerabilities in video surveillance products, most notably the 2017 Dahua backdoor, which later resulted in the industry's most widespread hacking attack.

In this note, we examine the TVT backdoor and TVT's response.

*******

****** ******** **** ***************:

**** *******:

********* ************** ** ******** remote ****** ************* - including ***** *** ******** in ***** ****.

*** ******* ** ******** obtain *** ****'* ******** and ********* **** ******* of *** ****** ** especially **********.

** **** ** ********* password:

***** **** ************* ******* such ****** ** '****** errors', ** ****** ****** out ********* ****** *** not ****.

Fix *********

*** **** **** ***** is * *** *********:

*** *** ******** *** firmware **** *** *******, or ** ** *** technical ******* ** *** local ******* ********* ******* to *** *** ***** firmware.

*** ******* ** *** customers ** *** **** get **** ***.

Impact ** ****

*** ** ********* ** OEM *** ********* ** ********** / ******** (see **** **** ** 79). ** **** ****** suppliers **** ****, ** is ********* ** ** certain ***** ****** ** which ****** *** ********. Moreover, ** *** *** that ********* **** **** OEMs **** *********** ** even ** *** **** future *** ****.

TVT - ~$** ******* *****

*** ** * ******** traded ********* *** ******** ***** exchange, ** *% ** today's ****. *** *******'* 2017 ******* ** ~$** million *** ** *** a ****** ************** ** ~$360 *******.

*** ***** ************ *********, TVT ** ***-****, ******* in ******* ** ********* or ********* *** */**** or ** *** **** of ***** *** */** or ** *** **** of *********.

TVT's *******

*****'* ************, **** *** *** increasingly ******* ******* ** everybody *** ********:

******* ** ******** ****** covered ****** *** *************, no ****** *** *** or *** *** ** how ****** **** ***, which ****** *** ** us ** ** ******** to ******* *** ******* and *******.

** ******, **** ****** are *** ***** **** others, **** ** ****-***** passwords *** *********** ********* in ***** ****.

**** **** ***** **** 'found' ***** ***************:

** ******** ***** * vulnerabilities **** * ***** help **** *** ***** ******** ******.

*** ********* ****** *** customers *** ****** ****** not ** ******* **** if ***** *** ****-***** passwords ** ***'* *** ****, they ***** *** **** to '****' **** ***** they *** **** ** there. ********, *** **** 'found' **** ***** ****** reported ** *** **** them ** **** ****** his ****** **********.

Comments (18)

TVT units are trivial to find via Shodan; searching for "TVT RTSP" returns ~100K responses.

 

Retrieving "http://ip.add.re.ss:PORT/Css/Pictures/Login/LoginContent.png" gives you the branding image from the login page for at least some of the units.

The unique HTTP header 'AuthInfo:' gives more than 110K

 


Thanks.  I was only able to do some brief digging around as the wifi on this flight is pretty crappy.  Will do more investigation later.

...as the wifi on this flight is pretty crappy.

1. IP/port-scan for the in-flight router 

2. Run general dictionary attack + aviation terms

3. Change bandwidth allocation for others

4. Have a nice flight.

Directions unclear.

Currently ziptied to my seat for attempting to hack the plane.

 

Seattle DVR

Is that a real thing? Wow, evidently it is and a horrendous website:

My impression has always been that they are kind of a commercial DIY oriented retail store, with some self branded NVRs. I have driven past their location for years, but never heard their name in the context of any project I have been involved in professionally.

Wow, evidently it is and a horrendous website:

Website seems on-par with their surveillance offerings.

Does this mean one can login to any TVT system (not patched with latest firmware of course) as an administrator just by entering the hard-coded password in the login page of the web interface?

 

Correct

Copy and Paste Code Clone of what Hik/Dahua were using, or is this their own original mess?

Didn't see or feel connections to anyone else

Was this exploit on IP cameras, NVRs, or DVRs...or all of the above?  

Think it's quite clear message, no?

SRC: http://en.tvt.net.cn/news/227.html

 

Think it’s quite clear message, no?

Since you asked, whose ‘ignorance’ are they talking about?

All of the devices in the warehouse will be upgraded properly by us or by our local partners. Our online upgrading system will do its job, and we expect your attention in case of failure due to ignorance or other reasons.

 

Dude, you are asking wrong dude...

"We recently found 3 vulnerabilities with a great help from 3rd party security expert. 2 of them are deeply inside the firmware, and can be used to control the devices, or even damage the info or devices if professional know-how is there. We seriously ask for a update of firmware in proper way to block the vulnerability, in order to avoid the possible risk in the future."

I guess they pay as much attention to grammar, punctuation as they did on their bug ridden firmware.

A few contradictions, let alone trying to save their face!

Attention, it seems that Mirai clone (?) has started to exploit this vulnerability.

Source: Google dork

Virustotal samples

VirusTotal (dropper)

VirusTotal (dropper)

VirusTotal (scanner/bot)
