Hard-Coded Password Exposes Video Surveillance DVRs To Hacking

itwbennett writes: Security researchers from vulnerability intelligence firm Risk Based Security (RBS) have found that DVRs from RaySharp and six other vendors have a basic vulnerability: They accept a hard-coded, unchangeable password for the root account. "RaySharp DVR devices provide a Web-based interface through which users can view camera feeds, manage recording and system settings and use the pan-tilt-zoom (PTZ) controls of connected surveillance cameras. Gaining access to this management interface would provide an attacker with full control over the surveillance system," writes Lucian Constantin. RaySharp claims on its website that it ships over 60,000 DVRs globally every month, but the Chinese company also creates digital video recorders and firmware for other companies. The RBS researchers confirmed that at least some of the DVR products from König, Swann Communications, COP-USA, KGUARD Security, Defender (a brand of Circus World Displays) and LOREX Technology, a division of FLIR Systems, contain the same hard-coded root password.

Re:

[Killall -9 Bash]

+1 insightful.

Seriously, everything has a manufacturer back door. Most of the time you don't know about it, but its there. Usually they're smart enough to not give it out, making you instead ship it back to them for a password reset (what, you thought they pressed the invisible RESET PASSWORD button you couldn't find on the circuit board??).

The security breach here is the manufacturer releasing this info, and it getting posted on the web.

Re:

[Dutch Gun]

Apparently, Apple is the only company in the world that doesn't have some idiotic hard-coded master password embedded in their firmware.

Or... that's what they want us to think...

Re:

[Nikademus]

You mean like root:alpine ?

Re:

[Jeremi]

(what, you thought they pressed the invisible RESET PASSWORD button you couldn't find on the circuit board??).

At the risk of asking a stupidly obvious question, why not just have a "reset to factory defaults" button somewhere on the device? That's what all the routers seem to have these days, and assuming that you can keep the device physically out of the wrong hands, that seems like a reasonable solution to the inevitable "I don't remember my password anymore" problems.

Re:

[KGIII]

Please tell me that you don't actually believe that to be true? I mean, "everything?" Seriously? Do you have a rather shiny hat or something?

Tired Of COPS & Barney Miller Reruns Anyways

[zenlessyank]

Watching folks cut their lawn and the cars go by seems a little more entertaining.

Let me guess....

[DidgetMaster]

Username = Admin, Password = Admin

Re:

[DidgetMaster]

Well, if its at least case sensitive that will slow the hackers down...a few microseconds

'Cause they prolly use 'em

[Impy the Impiuos Imp]

Thanks for exposing this!

Sigh.

So much for another fappening.

What do you expect?

[bobbied]

You get what you pay for. If you go for the cheap solution, you get the cheap solution, always. Or to quote the article....

"Consumers should be aware that when buying especially lower-end devices made in China, there is a significant risk of the devices having serious flaws that won't ever be addressed," said Carsten Eiram, chief research officer at RBS

Besides, if you REALLY are security minded, who puts this kind of device just out in the wild for all to see and use? At least put it behind a VPN, where you can hope to control access to it. If nothing else, use a protected proxy connection.... Don't just put the HTTP/HTTPS port from some cheap device you own on the internet unless you really don't care who access it..

Re:

[arth1]

My local franchise haircut place has free wifi. After visiting once, I saw an unrecognized IP come up on GMail as recently logging in my account. Had no idea who it was, checked ARIN, allocated to Time Warner. So my next instinct was to try the IP in my browser. Up pops a camera/recorder interface. A quick trip to google to find the default password, sure enough, it's a viewport to all the security cams in the haircut place. At least now I can check if there's any line or waiting before I go over there.

From this, we can conclude that you're not Richard Stallman. This is Useful Information.

Re:

[trevc]

So the camera at the haircut place logged into your email account?

This kind of stuff is sold as plug and play, security is an afterthought if it's considered at all. The people who deploy these setups don't know or don't care either. They assume if they're paying hundreds of dollars for something it must be good.

My local franchise haircut place has free wifi. After visiting once, I saw an unrecognized IP come up on GMail as recently logging in my account. Had no idea who it was, checked ARIN, allocated to Time Warner. So my next instinct was to try the IP in my browser. Up pops a camera/recorder interface. A quick trip to google to find the default password, sure enough, it's a viewport to all the security cams in the haircut place. At least now I can check if there's any line or waiting before I go over there.

Re:

[aaarrrgggh]

Well said. Also, a lot of the people doing this themselves don't want the network person involved-- they don't want to tell anyone else the password... you know, so it is secure. We are guilty of having one of the Costco Lorex Specials that is also likely vulnerable. I have meant to do a firewall black hole on these but haven't gotten around to it yet. I can see the firewall is blocking traffic from it already, but I don't have everything locked down yet...

Those pesky port 443 remote access keep-Alice's

Re:

[aaarrrgggh]

Damn auto correct... Not Alice's... alives!!

Re:

[nnull]

The vast majority of security companies who consider themselves "Professional" install these crappy systems and not only that, they request the client to open the port on their firewall to access it from the outside. These are the equivalent of contractors who continuously cut corners and when caught by inspectors, claim they've been doing this for many years without issues, so the inspector is in the wrong. When I tell the owners that their system is out in the open and most likely already compromised, the

IoT Everywhere! Get with the future!

[GerryGilmore]

While there are certainly some benefits to be found in some of the IoT stuff, but - again - another case of people relying on providers who rely on suppliers who always shop on price and...tada! Lowest-common-denominator. Be very, very careful out there! Forget Big Brother, it's Big Everyone!

Re:

[nnull]

The thing is, even if you buy the more expensive gear, they would still install it so and so that it would get compromised regardless. The people installing these things have no clue what they're doing. IoT stuff is perfectly fine if the system is designed to keep it secure.

Atleast it wasn't user/admin and admin/password

[Anonymous Coward]

From the article...

At the very least, a DVR that accepts root and 519070 as username and password should not be exposed directly to the Internet.

So
Username root
password 519070

sweet free live drama :)

Qsee is Bad too

[kamaaina]

If you have a Q-SEE QC444 DVR, you can telnet as root and hit enter and you have CLI

Then add your own account to /mnt/mtd/Config/passwd and you will have a username and password to log in to the box.

The banner when you log in says "Welcome to HiLinux." so there may be other DVRs that use this version that are vulnerable too.

Re:

[Bert64]

A ton of vendors use the same software, just nominally rebranded... But often the passwords differ by vendor among other things.

Given that these devices are all basically the same, and the default firmware is complete crap both from a security and usability perspective perhaps we could develop an open source replacement?

Re:

[Bert64]

All these vendors are basically running the same software with minor rebranding, and its linux based, shouldn't be all that difficult to build a replacement...

Re:

[nnull]

A lot of the more expensive stuff is rebranded Chinese made cheap stuff.

Off-line

[NotInHere]

Told my parents to keep their surveillance cams offline and not connected to the internet. TFA is yet another confirmation that this was a good idea.

Law Enforcement Backdoor

[ImprovOmega]

It's totally cool. Just like the FBI wants a backdoor for iPhones they can use this backdoor for surveillance systems! I'm sure nothing bad will ever happen from having this backdoor in place!

"König, Swann, COP-USA

[dasgoober]

- ALL MADE IN TAIWAN!!!"