14 DAY TRIAL // DVR equipment manufactured by Chinese firm RaySharp come with a hard-coded root password that allows attackers to remotely access the device if left unprotected on the Internet.
Security firm Risk Based Security (RBS) discovered the issue last fall and contacted the manufacturer, who failed to address the issue until now.
According to RBS researchers, anyone can log in as the root user on RaySharp DVR devices via its built-in Web administration panel and using the 519070 password.
Any device left unprotected online can be accessed this way, if the attacker knows its IP or he can access a company LAN. Once he authenticates on the device, he has full control over its settings, and all of the CCTV video streams.
Other DVR vendors are also affected, indirectly
On its website, RaySharp claims that it ships over 60,000 units per month. A search on Shodan reveals that on a daily basis you can find between 40,000 and 45,000 RaySharp DVRs.
If a hard-coded root password wasn't bad enough, according to RBS researchers, RaySharp has also been selling its devices under other brands, with the same firmware.
Researchers say that over 55 vendors have agreements with RaySharp to sell devices under their brands. RBS state they've managed to confirm that the root password is alive and working in DVRs sold by Lorex, König, Defender, DSP COP, K-Guard Security, and Swann.
All of these companies have been informed about the vulnerability after RBS contacted US-CERT last autumn. Out of the 55 companies named in the RBS vulnerability disclosure, the security company says that only Defender has issued firmware patches to remove the root password.
A few days prior, in a separate research, a UK-based security firm also discovered a privacy violation in the firmware of MVPower DVRs, which was secretly taking screenshots of the first camera feed and sending it to the developer's email inbox.