58,000 Security Camera Systems Critically Vulnerable To Attackers

Sparrowvsrevolution writes with news of some particularly insecure security cameras. From the article: "Eighteen brands of security camera digital video recorders are vulnerable to an attack that would allow a hacker to remotely gain control of the devices to watch, copy, delete or alter video streams at will, as well as to use the machines as jumping-off points to access other computers behind a company's firewall, according to tests by two security researchers. And 58,000 of the hackable video boxes, all of which use firmware provided by the Guangdong, China-based firm Ray Sharp, are accessible via the Internet. Early last week a hacker who uses the handle someLuser found that commands sent to a Swann DVR via port 9000 were accepted without any authentication. That trick would allow anyone to retrieve the login credentials for the DVR's web-based control panel. To compound the problem, the DVRs automatically make themselves visible to external connections using a protocol known as Universal Plug And Play, (UPnP) which maps the devices' location to any local router that has UPnP enabled — a common default setting. ...Neither Ray Sharp nor any of the eighteen firms have yet released a firmware fix."

Never attribute to malice...

[AK Marc]

What, nobody has complained about this being an intentional backdoor yet? The Chinese are out to get us.

Re:How to make a fool of yourself with the cops.

[Technician]

#1 lesson. Turn off Universal Plug and Play in your router and turn on the firewall. Open only ports you use.

Closed up a hole on our DVR

[baobrien]

We bought a 24 channel q-see brand DVR. When it went to boot up, during disk initialization, it specifically mentioned '/dev/sda' and such, so I knew it ran some embedded Linux. I decided to check it out via nmap to see if there was anything interesting running. Port 23 was open. I telnet-ed into the damn thing and was able to log into root with no password. Needless to say, that was fixed.

Re:Port knocking

[GNUALMAFUERTE]

Port knocking is insane. It's the worst nightmare the security-through-obscurity mindset brought us, and it's so fucking annoying.

My company develops a CCTV DVR/NVR. It's GNU/Linux based, we keep it up to date by offering free updates for life. Upgrades are not a huge firmware blob you need to download and then install (something customers won't do), It's a simple package (we use our own pkg management, and it's slackware-like), usually a few mb of download, but to the customer it's transparent. They just get a warning when they log-in, and the system lets them know via e-mail there are available updates, they can install them with a single click. The whole system is web-based, HTML5, and works out of the box on anything Gecko or Webkit based plus Opera (IE not supported). We don't require additional ports, everything works through a single HTTP port. Everything is session-based. We force the customer to use secure passwords, and to change them frequently. We use uPNP to open that single port, but that's when the customer runs the setup wizard, and we explain what we are going to do, and request customer authorization.

It's easy to do the right thing, and if the manufacturer does the right thing, you don't need any additional security (for example, you don't really need to firewall the damn DVR). Sadly, most manufacturers don't do the right thing. They don't even bother providing upgrades. And the customers don't usually care, even when you offer a better solution, most will go with the generic chinese crap just because it's a few dollars cheaper. That's why more secure and functional solutions such as ours are usually only found in corporations (95% of our customer base).

This issue is not restricted to DVRs, China doesn't give a fuck, and people in general only care about the price tag. That's a deadly combination for the technology used by 90% of the population.

Re:well ...

[adolf]

Step number one on any home routers I setup is to disable upnp because malicious software also likes to punch holes.

UPNP can trivially allow incoming ports on the firewall. And so what? You allow outbound connections, don't you?

There is very little difference between malicious programs being able to create its own outbound connections and being able to accept inbound connections: In either case, the malicious software is able to communicate and can accomplish whatever nefarious task its creators envision.

Why would I trust a program to create connections but not enough accept them?

In practice, I leave UPNP turned on. If I were paranoid enough to disable it, I'd also be sufficiently paranoid to never, ever execute any code that I'd not written or reviewed myself, with a firewall that denies everything by default in both directions...and I just don't have time for that.

UPNP makes things work better: From BT to software updates to gaming on a PS3, UPNP helps keep the clusterfuck of NAT from being absolutely horrible.

So the score, so far, for UPNP seems to be this:

Problems that UPNP solves for me: Several.
Problems that UPNP creates for me: None.

Meanwhile, TFA is more about the fact that some hardware devices that may never see a software upgrade have one or more security holes which can be exploited over the network...which is interesting and all, but really has nothing to do with UPNP: If such devices were secure and trustworthy to begin with, there would never be a reason to firewall them at all, let along worry about UPNP.