Hard-coded password exposes up to 46,000 video surveillance DVRs to hacking

17.02.2016
Up to 46,000 Internet-accessible digital video recorders (DVRs) that are used to monitor and record video streams from surveillance cameras in homes and businesses can easily be taken over by hackers.

According to security researchers from vulnerability intelligence firm Risk Based Security (RBS), all the devices share the same basic vulnerability: They accept a hard-coded, unchangeable password for the highest-privileged user in their software -- the root account.

Using hard-coded passwords and hidden support accounts was a common practice a decade ago, when security did not play a large role in product design and development. That mentality has changed in recent years and many vendors, including large networking and security appliance makers, are frequently issuing firmware updates to fix such basic flaws when they are discovered by internal and external security audits.

But then there are some vendors who never learn. That appears to be the case for Zhuhai RaySharp Technology, a Chinese manufacturer of video surveillance systems, including cameras and accompanying DVRs.

RaySharp DVR devices provide a Web-based interface through which users can view camera feeds, manage recording and system settings and use the pan-tilt-zoom (PTZ) controls of connected surveillance cameras. Gaining access to this management interface would provide an attacker with full control over the surveillance system.

The DVR's Web interface is powered by an embedded Web server which runs on a Linux-based OS -- the firmware. When analyzing the CGI scripts that handle user authentication for the Web interface, the RBS researchers found that they contained a routine to check if the user-supplied username was "root" and the password 519070.

"If these credentials are supplied, full access is granted to the web interface," the RBS researchers said a report scheduled to be published Wednesday.

RaySharp claims on its website that it ships over 60,000 DVRs globally every month, but what makes things worse is that it's not only RaySharp branded products that are affected.

The Chinese company also creates digital video recorders and firmware for other companies which then sell those devices around the world under their own brands. The RBS researchers confirmed that at least some of the DVR products from König, Swann Communications, COP-USA, KGUARD Security, Defender (a brand of Circus World Displays) and LOREX Technology, a division of FLIR Systems, contain the same hard-coded root password.

And those are only the confirmed ones. A separate CGI script in RaySharp-supplied firmware contains a list of 55 vendor names that supposedly use the firmware, so the number of companies with potentially affected products is much larger.

Using the Shodan search engine for Internet-connected devices, the RBS researchers found between 36,000 and 46,000 DVR devices that they believe are vulnerable to this issue and are directly exposed to Internet attacks. About half of them are located in the United States and most of the others in the U.K., Canada, Mexico and Argentina, the researchers said.

Because RBS did not have the resources to test all available models with all firmware versions from all potentially affected vendors, they've decided to make the information public so that users can easily test for themselves whether their DVR device is affected or not.

At the very least, a DVR that accepts root and 519070 as username and password should not be exposed directly to the Internet. If remote access is needed, this should be achieved by connecting into the local network first through a VPN. For good measure, the devices should not be available on internal network segments that allow untrusted computers either, such as public Wi-Fi.

Given previous incidents where people created websites that allowed users to watch video feeds from thousands of insecure cameras on the Internet, the likelihood of unauthorized access to these DVRs is high. In fact, this might have already occurred.

After discovering the hard-coded root password, the RBS researchers searched for it on the Internet and found a few user reports mentioning it as far back as 2010. Those reports claimed that the password worked for any username, but in RBS' tests it only worked for root.

In a 2010 post on a CCTV forum a user complained about the password existing in a DVR product from QSee, one of the 55 vendors listed in the RaySharp firmware. He didn't even need to reverse engineer the firmware to find it, as it was listed in the product's official documentation as a method of regaining access to the device if the user-configured password was lost or forgotten.

This suggests that in older RaySharp firmware the hard-coded string was intended as a sort of recovery key as part of a poorly designed password reset feature. Based on RBS' latest findings, it appears that the company decided to restrict it to the root account in newer versions, which doesn't make any difference from a security perspective and is just as bad.

And this is not the only basic security flaw found in RaySharp firmware over the years. In early 2013, a security researcher found an easy way to take control of DVR devices from an estimated 19 manufacturers that used RaySharp firmware by connecting to the devices over TCP port 9000.

RaySharp did not respond to a request for comment about the hard-coded root password discovered by RBS.

The security firm found the issue back in September and, due to the large number of potentially affected vendors and products, it decided to rely on the U.S. Computer Emergency Readiness Team (US-CERT) for coordination.

As far as RBS knows, Defender is the only vendor which informed US-CERT that it released a patched version of the firmware at the end of September. The RBS researchers confirmed that this firmware version no longer contains the CGI scripts that check for the hard-coded password.

A couple of other affected vendors, including Swann, hinted that they were working on their own patches, the RBS researchers said in their report, but overall the vendor response to this issue was inadequate.

"Consumers should be aware that when buying especially lower-end devices made in China, there is a significant risk of the devices having serious flaws that won't ever be addressed," said Carsten Eiram, chief research officer at RBS via email.

The researcher added that based on his years of experience with finding and reporting vulnerabilities, vendors from China and Taiwan are far behind companies from Europe or the U.S. when it comes to taking security seriously and responding to vulnerability reports.

"It remains a huge concern that researchers keep finding hardcoded credentials and similar basic vulnerabilities in devices like surveillance cameras and DVRs/NVRs," Eiram said. "We install cameras in our homes and businesses to feel safe and know what goes on. That trust and feeling of safety is violated when it turns out that these products are not really made with security in mind and as a result can be turned against us and compromise our privacy."

Lucian Constantin