back to article Hackers squeeze through DVR hole, break into CCTV cameras

The digital video recorders of several CCTV video cameras are vulnerable to attacks that create a means for hackers to watch, copy or delete video streams, according to security researchers. The researchers added that unless systems are properly firewalled, security flaws in the the firmware of the DVR platform also create a …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    someLuser should find more interesting things to do with his time, instead of wasting mine, the twat.

    1. Whitter
      Thumb Up

      Sarcasm tags required for some it seems!

      1. Fatman

        RE: Sarcasm tags ...

        are beyond the scope of the previous poster.

    2. Anonymous Coward
      Anonymous Coward

      I hear that this exploit doesn't work when naked ladies are likely to be on camera (showers, changing rooms, suntan beds, etc). Maybe someone can prove me wrong?

  2. Anonymous Coward
    Anonymous Coward

    VPN

    And thats why i put all my customers CCTV systems behind a VPNs, so many of these systems use clear text passwords.

    1. Anonymous Coward
      Anonymous Coward

      Re: VPN

      Funny.

      The landlord at a very large building I once worked at just ran his own CAT5 infrastructure for the camera's to standalone PC's with an airgap to anything connected to the internet.

      Pretty cheap to do and very secure since the starting point for an attack is literally hacking into the devices with a hacksaw to get to a cable.

  3. Anonymous Coward
    Anonymous Coward

    If what you refer to is the H.264 DVR Camera Remote File Discolure Vulnerability

    Google became your best friend!

  4. Chemist

    This business about uPNP..

    .. has been known about for years. I turned it off on my router when it was new and that was 4-5 years ago

  5. Anonymous Coward
    Anonymous Coward

    Best turn RDP off if you've got that UPnP open :-/

    http://www.youtube.com/watch?v=z7AcL_WM3_0

    Oh and avoid a few office documents unless your using 2013 :-/

    http://www.youtube.com/watch?v=pKhulHEFrR0

    1. This post has been deleted by its author

    2. adnim

      Thanks

      I enabled UPnP for some testing a short while ago I got distracted during the testing and and forgot to disable.

      I run a web server at home and port 80 has been the only port ever visible from my public IP address. After reading your post I remembered I still had UPnP enabled and did a quick scan. I found port 443 open to the Internet. I connected using https:mydomainname.co.uk and my NAS logon appeared in the browser window!!!

      I blocked https in and out over the WAN to both the NAS box and the web server yet my NAS log on still appeared when I connected over the Internet. I disabled UPnP and 443 is no longer open. So UPnP completely ignored my firewall rules.

      I have always known UPnP was a security risk, but it was a shock to discover, at least on my router, that it just bypasses the firewall.

      1. koolholio
        WTF?

        Re: Thanks

        Depending upon NAT routing and DNS Daemon type (relays/proxies for instance), depends on whether it resolves the DNS resolution internally or externally

        Externally, this may not be possible? Else you may need to manually configure the config from the router (in Wordpad, since some formats are incompatible with notepad editing)

  6. Handler
    Facepalm

    Nothing new here. Hackers and LEOs have been doing this for years on TV and in the flicks.

  7. Anonymous Coward
    Anonymous Coward

    That's my problem with UPnP port forwarding

    That's my biggest problem with UPnP port forwarding: there simply is no control - you enable it, and any device can punch a Christmas Island-sized hole in your firewall, and there's not much you can do about it.

    Had UPnP port forwarding been designed by somebody who understood and cared about systems administration, every UPnP device would have been required to have some shared secret assigned by the administrator, and the firewall would present a list of entities that requested forwarding and allow the administrator to say yeah or nay. You could even have made it more stupid-user friendly by having dedicated firewalls and and devices have a button (like the WiFi paring button) that could allow for this to be done automatically: Press the gizmo's button, press the firewall's button at the same time, done.

    But that would have required the makers of UPnP port forwarding to understand the concepts of "security", "administrator", and "responsibility".

    1. Anonymous Coward
      Anonymous Coward

      Re: That's my problem with UPnP port forwarding

      Agreed, I've never paid the slightest interest in the benefits of UPnP because the risk simply isn't worth it. The only thing I've ever done with it is disable it.

    2. koolholio
      Thumb Up

      Re: That's my problem with UPnP port forwarding

      You mean a bit like HNAP ? *hic hic*

    3. Gordon Fecyk
      Coat

      That's my problem with UPnP detractors

      you enable it, and any device can punch a Christmas Island-sized hole in your firewall, and there's not much you can do about it.

      Isn't that a problem with the device that requests the open ports?

      Have we banned raw sockets yet? Should we petition MS to ban IP support? Oh wait... this is The Register I'm posting to here...

    4. Oddb0d

      Re: That's my problem with UPnP port forwarding

      You could even have made it more stupid-user friendly by having dedicated firewalls and and devices have a button (like the WiFi paring button) that could allow for this to be done automatically: Press the gizmo's button, press the firewall's button at the same time, done.

      WiFi Protected Setup probably isn't the best example as many implementations have a nasty PIN flaw that is easily exploited, further reading: http://sviehb.files.wordpress.com/2011/12/viehboeck_wps.pdf

  8. stefan 5
    FAIL

    been going on for years

    Its like the story was cut and paste from 10 years ago.

  9. Scott Pedigo
    Devil

    All your video are belong to us.

  10. Flabbergarstedbastard

    Aaargh...

    I was lured here by side boob and all I got was a hole in my UPnP.

  11. Khaptain Silver badge
    Happy

    Crime video streams for sale

    So now the hackers can sell real time video streams to criminals who can they survey if they are being surveyed.

    OR

    the Hacker could sell live streams of Policemen not doing their duties......

    You have to love the ingenuity of it all...

  12. Bernard M. Orwell

    How about....

    ...my spy-happy friends, you save yourself the cost of upgrading your firmware or hiring staff that know what they are doing when it comes to security, and remove some of those obnoxious cameras that surveil us every day? After all, they don't work, and are now very obviously vulnerable to those that would....ahem....repurpose them.

  13. Anonymous Coward
    WTF?

    See, the problem with increased security standards in general is that in a world where I can't sign up to post on a forum without a 25 character password containing at least one high ASCII character, you still get crap like this:

    To make matters worse, the DVRs support Universal Plug And Play, making control panels externally visible on the net.

    It honestly never occurred to me that UPnP would do something like that. I mean... just... why? Who set that up and thought, "Yeah, this seems like a really good idea!"?

    I've never used UPnP just because I didn't understand it precisely and prefer to have a bit more control over things, but I think one could be forgiven for not imagining that it actually hangs a giant billboard on your IP address saying, "COME IN AND FUCK ME UP!"

    1. Dom 3

      Don't blame UPnP...

      if the DVR or NAS manufacturers decide to open up the admin port to the world. That is what UPnP is *for* - automagically setting up port forwarding. And within limits, jolly useful it is too.

      1. Peter Gathercole Silver badge
        Megaphone

        Re: Don't blame UPnP... @Dom 3

        I think that you've misunderstood what a firewall is for. It's there to protect you from devices and services that try to compromise your security regardless of their intent.

        My view is that having a mechanism that can override your firewall without your knowledge can never be a good thing regardless of how much easier it may make running your environment. If you need remote access, configure it yourself, and learn in the process. Trying to justify anything else is just lax thinking.

        1. Old Handle

          Re: Don't blame UPnP... @Peter

          It's not a firewall, it's a router. The purpose (in a typical use case) is to share an internet connection with all devices on a LAN. Specifically by providing NAT so we can keep using IPv4 forever. And that requires, among other things, forwarding inbound connections to the proper device. The fact that you can tell it not to forward certain connections at all is nice, but that's really a side benefit.

          Reasonable people can disagree about whether something like uPnP should be on by default, but to me it looks perfectly consistent with the real primary goal of the device: Letting your other gadgets communicate on the internet.

          1. Peter Gathercole Silver badge
            Meh

            Re: Don't blame UPnP... @Peter

            I'm not sure that I believe you that it is just a router. Most routers now claim to have statefull firewalls in them, and bearing in mind that they are the first line of defence in most peoples home networks, I think that you need to treat them as a firewall.

            Indeed, some misguided PC world sales youth tried to persuade me to buy an (expensive) all-singing, all-dancing ADSL router to replace my ADSL modem/router, separate Smoothwall firewall and wireless router, as it would do everything I needed in one box. I don't normally lecture people while in PC world, but he was an exception. I had gone in to try and find a wireless range extender.

            But you are right, I should have been more careful in my comment.

            Back on topic, you can turn UPnP on if you want, but I am never going to allow a vendor device on my network permission to open up inbound connections without being bloody sure I trust it, and I will offer that advice to anybody who asks me. I believe that it is just asking for your network to get pwned. It only takes one mis-configured or deliberately malicious device or software service/piece of malware (PCs can use UPnP as well) to appear on your network to let in things you do not want. If you do not see the danger, then that is not my concern, apart from having to fend off a future botnet in which your machines are enrolled.

  14. Twitless
    Joke

    Call Bob Howard

    Does this mean they can upload Scorpion Stare? OMG!

    1. John Smith 19 Gold badge
      Unhappy

      Re: Call Bob Howard

      "Does this mean they can upload Scorpion Stare? OMG!"

      You forget what happened when maginot blue stars got hacked.

      That did not end well.

  15. teebie

    watch, copy or delete

    So you can't cause false positives by replacing the stored video with footage of people dressed like Burglar Bill acting suspiciously. That's a shame.

  16. Valeyard
    Black Helicopters

    that reminds me to dig out my copy of hackers II for the speccy/c64/CPC464 (can't remember which i have it on)

    All he needs is a little remote control drone and he has the game. Probably a convoluted way of avoiding the old-school loading screens though.

  17. Anonymous Coward
    Anonymous Coward

    How do I do a port scan to see what ports my uPNP router has exposed?

    Any software or site recommendations?

    1. Peter Gathercole Silver badge

      Re: How do I do a port scan to see what ports my uPNP router has exposed?

      Steve Gibson's own Shields Up! on www.grc.com may be a good place to start.

      1. Intractable Potsherd

        Re: How do I do a port scan to see what ports my uPNP router has exposed?

        I agree with Peter Gathercole - "Shields Up!" is a good place to go. The site isn't intuitive, but it tests comprehensively. I have just used it, because I changed broadband providers just before Christmas (no cable at the new house, so had to go to DSL) and hadn't thought to check the default security of the router other than a quick run through the setup options. Delighted to find that I am effectively invisible on the internet (except for when I post here!)

  18. Anonymous Coward
    Anonymous Coward

    http://www.xldevelopment.net/upnpwiz.php

  19. Steen Hive
    Thumb Up

    Makes a change

    "In short - this provides remote, unauthorised access to security camera recording systems," Moore concludes in a blog post that does a good job of summarising the issue"

    As opposed to fuckwits behind cameras being provided with unauthorised access to my whereabouts, lack of dress-sense and allegedly suspicious demeanor .

  20. Anonymous Coward
    Anonymous Coward

    Alleged firmware flaws?

    The hack only works if you first connect a cable to the serial port and run an activeX applet without authentication.

    DVR Insecurity

    1. Anonymous Coward
      Anonymous Coward

      Re: Alleged firmware flaws?

      As far as I can tell, he used the cable etc to *find out* that this was an issue. I can't imagine it's required for the 'vulnerability' to work - if that's the case it's completely pointless. You might as well define every device with a hard drive as insecure because you could take it out and hack the OS at your leisure!

  21. Mark Allen
    Facepalm

    Horrendous Security

    It has always been the way with this kind of kit. I helped one client to get "remote access" to his cameras and found out that the company who supplied his cameras had written a useful document to explain how to install an ActiveX control to let IE access the cameras. The documents were clearly written by the guys installing the cameras as it basically told you to disable ALL security in your web browser to a point that ANY active X control from any untrusted site would be allowed to work.

    In that example I at least sent them a copy of their document back updated with details on how to restrict access to just the relevant camera site instead of "the whole world".

    This kit is all the same though. Slap dash construction in a cheap country. Then installed by people who don't understand computers. "Look at the pretty pictures".

    Biggest joke of course being that these are "Security" cameras.

  22. Anonymous Coward
    Facepalm

    Why not start with decent password policies?

    Now, I think its good to have some attention for the risk of intrusions and the likes. However, it would sound more impressive if these agencies actually used some sane password policies to begin with.

    Generalizing here, I know, but every once in a while you read stories where "hackers" gained access to such devices by merely guessing (!) the password. Because it is the street the device is in, or because no one bothered to change the factory defaults, or because all devices which fall under the supervision of a single police station all use the name of said station as password (a scenario which was discovered in Holland some time ago), etc.

    Having some attention for security is a good thing, but I'd say start at the beginning.

  23. Mike Flugennock
    Pint

    Ahh, there's good news tonight!

    No, really I mean it. Anything with the potential to fuck up Big Brother's shit is OK by me.

  24. Coen Dijkgraaf
    Joke

    Photos ^H^H^H^H^H^H Videos

    or it didn't happen.

  25. Anonymous Coward
    Anonymous Coward

    "D-Link DCS Cameras suffer from authentication bypass and remote command execution vulnerabilities due to a remote information disclosure of the configuration"

  26. Anonymous Coward
    Anonymous Coward

    http://seclists.org/fulldisclosure/2013/Jan/246

  27. Anonymous Coward
    Anonymous Coward

    http://www.securitybydefault.com/2013/01/12000-grabadores-de-video-expuestos-en.html

This topic is closed for new posts.

Other stories you might like