back to article Video surveillance recorders riddled with zero-days

There are multiple Web interface vulnerabilities in a network video recorder under Netgear's ReadyNAS brand and various devices by video recording company NUUO. The affected NUUO units are NVRmini 2, NVRsolo, and Crystal. The CERT advisory lists six Common Vulnerabilities and Exposures (CVE) notices attacked to the affected …

  1. Kevin McMurtrie Silver badge
    Facepalm

    PHP

    What is it with PHP programmers never escaping data? Hacked with a semicolon? Really? You grabbed a URL parameter full of whatever, concatenated onto the end of a shell command, and called it done? Maybe filtered out control characters after somebody said you're doing it wrong. Wait, why are you even launching a shell?

  2. John Geek

    the vendor undoubtedly outsourced software development to the lowest bidder, and has no infrastructure or staff capable of ongoing development.

  3. John Smith 19 Gold badge
    Unhappy

    And the vendor doesn't seem to have anyone who can *test* their code either.

    Shouldn't a "find hard coded logins" test be fairly straight forward to do ?

    This should put people off buying them, which is the only effective way to discipline companies.

    But it looks like this will be another great product for the Internet of S**t

  4. M7S

    Are there any robust systems out there?

    I'm considering installing CCTV with the ability to view remotely as part of a general upgrade to security, however articles like this give me pause, and remote "locks" are almost certainly off the menu.

    Are there any systems, available to the retail customer/general installer in the UK which are both physically and electronically secure, at least so far as can be reasonably determined? This might also be of interest to other readers.

    Recommendations (with any supporting reasoning) for and against any makes/models would be appreciated. Even the stuff from Maplins!

    1. Cloud, what..... Sorry... Um... - you just made that up.

      Re: Are there any robust systems out there?

      Best I have found is y-cam.com

      There homemonitor range is excellent.

    2. Anonymous Coward
      Anonymous Coward

      Re: Are there any robust systems out there?

      I'm in a similar position and am looking at the camera systems from Ubiquiti at the moment, more because I have their wifi gear than anything else. Like their wifi, the CCTV is well-featured with good interfaces (every Maplin-style DVR I've used seems to be stuck in the old Active X, IE8 phase) and regular updates. As for security, I'm not sure but am basically going on trust (you have to, don't you) that a company that knows how to secure wireless networks will use that knowledge and approach elsewhere.

    3. This post has been deleted by its author

    4. razorfishsl

      Re: Are there any robust systems out there?

      yes it is called a firewall & a VPN, do it any other way and you deserve what you get.

      Like those muppets at synology, complained WHY our customers NAS is not internet-facing, so they can run diagnostics.... and why we don't use 8.8.8.8 as our DNS resolver.......

      Oh... and stay away from "hikvision" ESP if you have a mac air book., we managed to burn a motherboard on a portable because their web display over drove the video...., it was something else...... (I actually thought Mr Robot was bollox about the environmental controls)

    5. TheVogon Silver badge

      Re: Are there any robust systems out there?

      "Are there any systems, available to the retail customer/general installer in the UK which are both physically and electronically secure, at least so far as can be reasonably determined?"

      Suggest a Synology NAS / Surveillance Pro software and Axis (Linux based) network cameras are about as good as it gets...

    6. Hans 1 Silver badge
      Linux

      Re: Are there any robust systems out there?

      USB camera with raspberryPi, mate, YOU can do a better job at hacking something together than this useless bunch, even if you've never used Linux or a compiler before ...

      Think vpn, nc (aka netcat), and vlc ... you could do the server-side 100% shell script, done. You also probably want presence detector, see https://github.com/rohitdureja/Smart-Sensing ...

      Ensure there is a wall between the camera and the PI, PI connected via ethernet (cable SHOULD NOT be accessible from outside) alert should go off when presence detected or camera tampered with... remember you need an all weather camera (see http://www.camsecure.co.uk/CamsecureIPratings.html).

      Problem with off the shelf solutions, in general, is that they have published/known weaknesses ... something you set up does not, it might have other issues but the burglar will have to discover them without being detected, which is MUCH harder.

      Think of at least two separate setups (two pi's, two cameras), and a few fake cameras here and there ;-).

      Beware of the off-the-shelf "Internet Of Thick" ware, nobody wants to trust that, except TheVogon (who trusts any{one|thing})!

      1. This post has been deleted by its author

    7. Kevin McMurtrie Silver badge

      Re: Are there any robust systems out there?

      Axis seems good, both in quality and customer support. Their IP cameras are little Linux computers that can operate by themselves or integrate with other standard components.

      I second the recommendation to avoid all Hikvision cameras if you're interested in robust software. Maybe 2/3 of the cameras on any online web site are white-label Hikvisions.

  5. heyrick Silver badge

    The joy of The Internet of Things

    Just this morning, there are security flaws in this product, spy-friendly massagers (bluetooth hack), and bluetooth hacks against smart locks.

    Isn't it about time we just assume that the default setting is security = nonexistent?

    1. MacroRodent Silver badge

      Re: The joy of The Internet of Things

      Isn't it about time we just assume that the default setting is security = nonexistent?

      Looks like it. The problem is, security problems are not visible to most customers, until too late, and the vendors escape any liability. Same thing has happened in comparable situations with other technology. Cars used to be "unsafe at any speed", until increased awareness and regulation improved the situation.

      1. Hans 1 Silver badge

        Re: The joy of The Internet of Things

        > Cars used to be "unsafe at any speed", until increased awareness and regulation improved the situation.

        Cars are still unsafe at speeds above 0mph, and always will be.

        1. Dan 55 Silver badge

          Re: The joy of The Internet of Things

          Cars are still unsafe at speeds above 0mph, and always will be.

          I suppose the person who downvoted you for that has already forgotten about Anton Yelchin's accident a month and a half ago.

    2. Hans 1 Silver badge

      Re: The joy of The Internet of Things

      >bluetooth hacks against smart locks.

      So are most locks, when you come along with a cordless drill.

      1. Stoneshop Silver badge
        Boffin

        Re: The joy of The Internet of Things

        So are most locks, when you come along with a cordless drill.

        Your cordless drill has Bluetooth?

        Physically attacking a lock takes a bit of time and requires standing right at the door. Bluetooth, and other forms of wireless, may take a little more time, but can be done at a distance.

        1. Kevin McMurtrie Silver badge

          Re: The joy of The Internet of Things

          You drill down the soft brass bottom of the keyhole. The tumblers tear out and the barrel turns.

          A Bluetooth hack is good for cases where social engineering is needed to get past neighbors. You can pretend that you're talking to the resident and being invited in while sending the unlock code. It's less convincing with the cordless drill.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019