Forgot your password?
typodupeerror
Bug Privacy Security IT

58,000 Security Camera Systems Critically Vulnerable To Attackers 157

Posted by Unknown Lamer
from the your-curtains-are-ugly dept.
Sparrowvsrevolution writes with news of some particularly insecure security cameras. From the article: "Eighteen brands of security camera digital video recorders are vulnerable to an attack that would allow a hacker to remotely gain control of the devices to watch, copy, delete or alter video streams at will, as well as to use the machines as jumping-off points to access other computers behind a company's firewall, according to tests by two security researchers. And 58,000 of the hackable video boxes, all of which use firmware provided by the Guangdong, China-based firm Ray Sharp, are accessible via the Internet. Early last week a hacker who uses the handle someLuser found that commands sent to a Swann DVR via port 9000 were accepted without any authentication. That trick would allow anyone to retrieve the login credentials for the DVR's web-based control panel. To compound the problem, the DVRs automatically make themselves visible to external connections using a protocol known as Universal Plug And Play, (UPnP) which maps the devices' location to any local router that has UPnP enabled — a common default setting. ...Neither Ray Sharp nor any of the eighteen firms have yet released a firmware fix."
This discussion has been archived. No new comments can be posted.

58,000 Security Camera Systems Critically Vulnerable To Attackers

Comments Filter:
  • What, nobody has complained about this being an intentional backdoor yet? The Chinese are out to get us.
    • by Nyder (754090)

      What, nobody has complained about this being an intentional backdoor yet? The Chinese are out to get us.

      You are first post, people will get saying that in a few...

    • by Taco Cowboy (5327) on Monday January 28, 2013 @11:33PM (#42722699) Journal

      The Chinese are out to get us

      If I were you, I'll be more worried about Uncle Sam

      • by Anonymous Coward

        worse yet... uncle sam and the chinese collaborating on something like this.

      • Uncle Samurai?

      • The Chinese are out to get us

        If I were you, I'll be more worried about Uncle Sam

        Is there really any difference left?

    • by fuzzyfuzzyfungus (1223518) on Tuesday January 29, 2013 @12:43AM (#42722923) Journal

      What, nobody has complained about this being an intentional backdoor yet? The Chinese are out to get us.

      I'm inclined to keep "Never attribute to malice something much stupider than malice would have implemented" in mind as a variant on the usual phrase.

      Given the hordes of profit-driven, variously political, and simply lulz-oriented attackers on the internet, relatively blatant backdooring(when you are in the privileged position of being the guys shipping the firmware, no less, hard to ask for more insider access than that) amounts to squandering an advantage. Had the units shipped with, say, a bugged sshd that is hardcoded to always allow access via keypair auth with a specific private key, it is both much more likely that nobody would ever have noticed, and that nobody but the intended attacker would ever have been able to make use of the vulnerability. A wholly unauthenticated hole, on the other hand, is an open invitation to every bot-herder and na'er-do-well on the planet to come and have a rummage through the systems, leading to much greater competition for the creator of the backdoor.

      • by AK Marc (707885)
        Consumers want it to "just work" When that's delivered, they complain. Delivering what the customer asks for (even if they are wrong) isn't malice. It's a deliberate feature. "How do I make this as easy as possible for the owner to control it from anywhere on the Internet?" It wasn't a hidden feature, it was an unintended side effect of a deliberate feature. Like a cat door in the front door that's big enough for a regular sized person. It wasn't hidden, ans was probably explicitly advertised (UPnP,
    • by shitzu (931108)

      Well... If you plug your random DVR (or print server, or any device for that matter) tcp port through your router, you deserve what you get. If you leave upnp on, you deserve what you get. Openvpn costs nothing.

      • by pnutjam (523990)
        OpenVPN is very simple if you know what your doing. Unfortunately most SMB's don't, and they don't realize the need to pay someone who does.
    • by stjobe (78285)

      Pray it's the Chinese... and it's not SCORPION STARE.

      Although if you know what that is and don't have GAME ANDES REDSHIFT clearance, I'm afraid you're in for a change in work environments - hope you like British bureaucracy!

  • by hduff (570443) <hoytduff.gmail@com> on Monday January 28, 2013 @11:12PM (#42722547) Homepage Journal

    "As Seen On TV"

  • Damn! and i was just looking for a system for my house and my mom's house.
  • So there I was, trying to retrieve the video of the suspect for the cops, and it turns out that recording had been turned off on all 16 cameras 12 hours before the incident.

    No network issue here, I never connected the system to the network.

    One of the last things the system recorded, was the wee little hands of the owner's 4 year old grandson, playing with the mouse. He made all 16 little boxes in the status grid turn black. Just 16 little clicks.

    • Re: (Score:2, Interesting)

      by Technician (215283)

      #1 lesson. Turn off Universal Plug and Play in your router and turn on the firewall. Open only ports you use.

      • Which will protect so well against a child playing with the physical hardware device on the premises.

        • by alanshot (541117)

          yep. I can see that happening again... and coincidentally I just finished firing off an email to an up and coming IP camera and managed wifi vendor that provides free NVR and WAP controller software... too bad none of their "server" software installs as a service. So not even a CHANCE of hiding it from little hands. (unless you want to jump through a bunch of hoops to force it into service mode)

          And in this case all the kid would have had to do was THREE clicks to log grandpa's PC off. (thus shutting down t

          • by shitzu (931108)

            Why would you let your kid use the same user account as yourself (or grandpa). Are you a fan of deleted documents? Just make a separate account for DVR, leave the soft running and fast-user-switch out of it. And a separate restricted accoun for the kid.

            And on a side note - if the computer recording your cameras is in a place where a 3 year old can access it, this computer will probably be the very first thing stolen - so i think you are making this crap up.

            • by alanshot (541117)

              And on a side note - if the computer recording your cameras is in a place where a 3 year old can access it, this computer will probably be the very first thing stolen - so i think you are making this crap up.

              Nobody said Grandpa was smart or thought his cunning plan through... LOL

    • One of the last things the system recorded, was the wee little hands of the owner's 4 year old grandson, playing with the mouse. He made all 16 little boxes in the status grid turn black. Just 16 little clicks.

      The perfect crime...

  • by mpoulton (689851) on Monday January 28, 2013 @11:29PM (#42722667)
    I can't even get my Swann DVR to work right WITH the login credentials!
    • by nschubach (922175)

      I got a hold of one (ZModo) and after putting a known good hard drive in it it worked for a while and then suddenly the SATA controller must have fried. It will no longer recognize any hard disk. Since I didn't pay all that much for it, I pretty much consider it disposable. I'll probably end up using the cheap cameras I got on something a little less flaky.

  • by baobrien (2672743) on Monday January 28, 2013 @11:33PM (#42722691)
    We bought a 24 channel q-see brand DVR. When it went to boot up, during disk initialization, it specifically mentioned '/dev/sda' and such, so I knew it ran some embedded Linux. I decided to check it out via nmap to see if there was anything interesting running. Port 23 was open. I telnet-ed into the damn thing and was able to log into root with no password. Needless to say, that was fixed.
    • The soul-crushing thing about your story is that it suggests that somebody deliberately went to additional effort to build/install a telnet daemon while hacking the firmware together. That's just sick and wrong.

      • by thegarbz (1787294)

        That's just sick and wrong.

        Not to mention a godsend and a timesaver for debugging. Every embedded application I've ever made whether linux based or some tiny microcontroller on a UART had some terminal based debugging interface.

        I'm willing to bet that this is just a leftover from testing that shouldn't have made it out the door.

      • by AmiMoJo (196126) *

        Na, they just adapted some else's embedded Linux distro that happened to have telnet running (most do). I doubt they were competent enough to set it up themselves.

        This is quite typical of embedded Linux systems. Perhaps they think it will be used on a private network where everyone is a trusted user or something.

      • by baobrien (2672743)
        From what I saw while poking around the system, it looks like telnet is just a leftover from development that should have been removed. If it really were malicious, I would expect it to be more well hidden.
  • Port knocking (Score:5, Informative)

    by Okian Warrior (537106) on Monday January 28, 2013 @11:33PM (#42722695) Homepage Journal

    Port knocking is where the inbound system won't connect until a series of unsuccessful attempts is tried on a known sequence of ports - the system will open the door only when the visitor gives the "secret knock".

    For example, a system won't normally accept connection requests. If the visitor attempts (unsuccessfully) ports 1010, 1050, 3042, and 4725 in that order, the system then accepts a connection at port 9000. (Use different numbers and length as needed for security.)

    It is nigh impossible for a security audit to detect this type of camouflage. This technique has been well-known for years.

    If China were putting back-doors in hardware systems, they could make them virtually impossible to find.

    That's circumstantial evidence that this isn't a case of espionage on the part of the manufacturer. It's more likely a flaw in the software or a debugging port that wasn't compiled out in the released version.

    • Re:Port knocking (Score:5, Interesting)

      by GNUALMAFUERTE (697061) <almafuerte@NospaM.gmail.com> on Monday January 28, 2013 @11:55PM (#42722783)

      Port knocking is insane. It's the worst nightmare the security-through-obscurity mindset brought us, and it's so fucking annoying.

      My company develops a CCTV DVR/NVR. It's GNU/Linux based, we keep it up to date by offering free updates for life. Upgrades are not a huge firmware blob you need to download and then install (something customers won't do), It's a simple package (we use our own pkg management, and it's slackware-like), usually a few mb of download, but to the customer it's transparent. They just get a warning when they log-in, and the system lets them know via e-mail there are available updates, they can install them with a single click. The whole system is web-based, HTML5, and works out of the box on anything Gecko or Webkit based plus Opera (IE not supported). We don't require additional ports, everything works through a single HTTP port. Everything is session-based. We force the customer to use secure passwords, and to change them frequently. We use uPNP to open that single port, but that's when the customer runs the setup wizard, and we explain what we are going to do, and request customer authorization.

      It's easy to do the right thing, and if the manufacturer does the right thing, you don't need any additional security (for example, you don't really need to firewall the damn DVR). Sadly, most manufacturers don't do the right thing. They don't even bother providing upgrades. And the customers don't usually care, even when you offer a better solution, most will go with the generic chinese crap just because it's a few dollars cheaper. That's why more secure and functional solutions such as ours are usually only found in corporations (95% of our customer base).

      This issue is not restricted to DVRs, China doesn't give a fuck, and people in general only care about the price tag. That's a deadly combination for the technology used by 90% of the population.

      • by k8to (9046)

        Sure hope you:

        * Make it possible to disable or alter password expiry policies. This sort of thing just pushes people to put them on paper.
        * Do not use UPnP without customer authorization.

        Otherwise, I wouldn't really trust you / want to use your things.

        • You can disable password expire and strength policies, or change them at will in the config. There is a HUGE warning in that page. When the customer uses the product for the first time, there's a wizard that guides them through this process, and it asks them if they want the product to be exposed to the net, then provides the option to try and autoconfigure everything using upnp, or to go to our website to read a guide on how to configure port forwarding on most routers. Same for our free DDNS service, it's

      • This issue is not restricted to DVRs, China doesn't give a fuck, and people in general only care about the price tag.

        You mean in the same way that the US doesn't give a fuck? Or the EU. Or any other nation or continent you care to name.

        No-one gives a fuck - that's the problem. If the collective we cared, security would be much higher, simply because insecure technology wouldn't sell.

        Don't blame China - blame the retailers. Security costs money, and if retailers can save a thousand dollars on a million sales

        • That is simply not truth. I know many people that are proud of their country's engineering. I certainly am proud that my company manufactures high quality products right where I am and not in China.

          Regardless, no country has lower standards than China.

      • by YurB (2583187)

        works out of the box on anything Gecko or Webkit based plus Opera (IE not supported).

        Glad to hear there are people who sell things without IE support to businesses. World's changing for the better.

        • We've been doing so since '08. We have four major products (our DVR/NVR family of products,an e-learning platform, an ERP, and a Digital Signage solution). If you access any of our products with IE it'll send you to a landing page explaining why it's not supported, why it's a bad idea to use it, and providing alternatives, plus links and easy installation instructions for every platform. Many people told us that policy would doom us. To the contrary, people loved the idea, and to this day we get emails from

      • by pnutjam (523990)
        Intellinet [networkipcamera.com]??
      • by houghi (78078)

        We force the customer to use secure passwords, and to change them frequently.

        Frequent changes will force them to write them down. Congratulations, you have just made it less secure.
        OTOH you can just claim you did what was needed and that what they do is THEIR problem, just like everybody else does.

        Not factoring in human behavior in security is solving a social problem with a technical solution.

    • Yeah, I know. I should have been more explicit in my post.

      I'm not saying that port knocking should be the product API. Port knocking is a terrible security measure.

      I'm saying that a backdoor could be hidden in such a way that it would be impossible to find - and port knocking is one of those methods. It's simple and effective - even if it's "security by obscurity".

      Since this exploit is not well hidden, chances are it isn't a purpose-built backdoor, but more likely an oversight of some kind.

    • by JigJag (2046772)

      I thought the same approach could be used with user authentication on websites. You enter your (correct) password, it kicks you out saying "wrong password". You enter it a second time, this time is accepts you.

      Right there, you've doubled the amount of time to bruteforce your password.

      Or you could combine the port knocking approach. Pick 2 simple passwords. Enter first password, and get a "wrong password" message, enter the second password and you're accepted.

      Remember folks, you first saw it here! (or not in

  • by 0123456 (636235)

    Is there really anyone in the world who hasn't turned this monstrous security hole off yet?

    • apparently 99% of the people that do this dont do it right. i dont even allow WPS to be active on my routers and i tell business that i do work for to disable the feature for the fact that it is a security hole.. and UPnP is the worst idea that has been done including WPS fix the holes or get rid of the software and find something new...
  • Turn off UPNP and run this behind a firewall. Want to watch your cameras remotely, use OpenVPN and connect into your network. Problem solved.
  • The previous owner of the motel I work at got ripped off by a company that installed one of these 16 camera systems. The cameras never work right, and I knew something funny was was with the DVR when it said that you need IE and Active-X to watch it!

    My current boss occasionally asks me to connect it up like the system his uncle (his boss) has, and I keep blowing him off, not because it would be hard, but because I'd both have to open a hole in the firewall to the outside world AND it would be fully accessi

    • Erm...full disclosure, I worked in casinos, and also don't feel like being constantly under surveillance, either...

      Just WHERE in a casino can you WORK and not be under constant surveillance?

      • by julesh (229690)

        Erm...full disclosure, I worked in casinos, and also don't feel like being constantly under surveillance, either...

        Just WHERE in a casino can you WORK and not be under constant surveillance?

        In the surveillance room?

  • The reason we have such a thing going on is because of stuff like this... this is why i like OSS because if there is a problem i know that it will be fixed immediately instead of waiting for a patch to be released 6 months later. im not worried about China spying on us however i would worry about it if our government allowed something to be imported from another country without going thru some sort of software test before being sold...
  • Awesome! So will we have a remake of Rising Sun with China as the antagonist instead of Japan?

    Let's see, we can work in say a Chinese router manufacturer, and a major U.S. database manufacturer, which buys the tech for a major software platform like say Java, and tie in purchases of real estate by Chinese cartels under assumed names, and uh, the Chinese military of course, and we can have some hot Chinese or maybe Taiwanese-American engineer at some corporate lab or maybe U.S. university.. it all seems to b

  • But if history is any indicator, there's a pretty good chance that someone will get arrested for disclosing this
  • Q-See vulnerable too (Score:3, Informative)

    by kamaaina (1071006) on Tuesday January 29, 2013 @02:31AM (#42723293)

    I have the QC444 and you can telnet to it as root with no password.

    Also when you access the camera, your creds go out via cleartext and you can easily see what your password is.

    ActiveX is used to log in and manage the box remotely, also if you use a password longer than 6 characters, you cannot use the PSS software that they put otu on their web site.

    There was also some weirdness with it trying to talk to IP address 70.151.24.203

  • ... but a feature. How else are the cops supposed to erase footage that condemns them and exonerates you?

  • by Alioth (221270)

    This is the *first thing* I turn off on a router. UPnP is basically a security hole by design.

  • Yahoo group was created in 2009 for some hacking into these.

    http://tech.groups.yahoo.com/group/q_see_hack [yahoo.com]

  • shadowrun anyone...?
  • by funkboy (71672) on Tuesday January 29, 2013 @09:41AM (#42725025) Homepage

    A local electronics/computer chain (now bankrupt) had all their security webcams on an open wifi network, and all the webcams had the default administrator password ("admin" of course). From a bench outside I was able to see everything going on in the store without even guessing the admin password.

  • ....is a documentary, then. Who knew?

Happiness is a positive cash flow.

Working...