RCE flaw affects DVRs sold by over 70 different vendors

RSA security researcher Rotem Kerner has discovered a remote code execution vulnerability that affects digital video recorders (DVRs) sold by more than 70 different vendors around the world.

What are DVRs?

Camera-based surveillance systems have become the norm in both public and private spaces, companies and retailers. Whether they are CCTV cameras or IP cameras, their operators often set them up to record what they capture for future perusal. In the case of CCTV systems, this is often done by utilizing DVRs (either in the form of an actual device or an application).

These DVRs are regularly connected to the Internet and/or the organization’s LAN, so that they can be accessed remotely in case of need. Naturally, this means that malicious actors could also stumble upon them and try to hack them to gain an initial foothold into an organization’s network.

Kerner found this particular vulnerability in the device firmware of a DVR sold by an Israeli company, but further analysis of the firmware code revealed comments suggesting that the code was made in China.

This spurred Kerner to find its true origin and, as it turns out, the real manufacturer is a Chinese company called TVT. But he also discovered that there are over 70 vendors reselling almost identical DVRs.

“They may have different logo, or slightly different plastics, but they share the same vulnerable software. This is basically what they call ‘white labeling’ – probably China’s most common business model,” he noted.

He says he repeatedly tried to contact TVT to share his finding, but that they are ignoring him, so he decided to share this information with the public.

Which ones are affected?

He included the list of vendors (but not the specific products), as well as techical details about the exploitation process and the exploit itself in a blog post. The vulnerability exists within the implementation of the HTTP server included in the firmware, and exploitation of it can result in the attacker gaining root access to the DVR. This implementation opens ports 81/82 of the device to the Internet, and with a simple Shodan query Kerner discovered over 30,000 of these devices (just by that vendor) deployed around the world.

The fact that this same software is used by so many different vendors, and TVT doesn’t seem eager to make the needed changes, makes it likely that most of those systems will never be patched.

“I believe there are few more vulnerabilities being exploited in the wild against these machines and therefore your best shot would probably be to deny any connection from an unknown IP address to the DVR services,” Kerner concluded.

Of course, this is just one vulnerability – who knows how many are still there, undiscovered or, worse yet, discovered and exploited? A relatively recent study into the security of the Internet of Things has confirmed that embedded firmware images and web interfaces for user administration of commercial, off-the-shelf embedded devices – routers, DSL/cable modems, VoIP phones, IP/CCTV cameras – represent a significant attack surface.