A security researcher called “someLuser” has identified a number of vulnerabilities in security camera digital video recorders (DVRs), which could be leveraged by cybercriminals to gain root access to the devices.
someLuser has found that an attacker could leverage the security holes to gain access to the DVR’s configuration, including user credentials in clear text. With this information in hand, a hacker can execute arbitrary system commands via another vulnerability in the web interface.
Rapid 7’s HD Moore has also examined the Ray Sharp DVR platform and someLuser’s findings. He has discovered that the devices of at least 17 other companies are also affected.
“The Ray Sharp DVR platform supports the Universal Plug and Play (UPnP) protocol and automatically exposes the device to the internet if a UPnP-compatible router is responsible for network address translation (NAT) on the network,” Moore explained.
“Many home and small office routers enable UPnP by default. This has the effect of exposing tens of thousands of vulnerable DVRs to the internet. For reference, the Ray Sharp firmware uses the ‘minupnp’ open source implementation to perform this port mapping.”
The expert told Forbes that criminals could access all the recorded videos, and even turn off the security cameras if they planned on robbing the store.
The affected products are from Swann, Lorex, URMET, KGuard, Defender, DEAPA/DSP Cop, SVAT, BCS, Bolide, EyeForce, Atlantis, Protectron, Greatek, Soyo, Hi-View, Cosmos, and J2000. Initially, Zmodo was also on the list, but the company’s representatives told Forbes that they were using their own, more secure firmware.
In the meantime, while these vulnerabilities are addressed (if they’re ever addressed) Rapid 7 has developed a Metasploit module which allows users to scan for vulnerable devices.