I received an email from a reader of my post on IP camera vulnerabilities who reported that a popular brand of DVR was susceptible to a simple authentication bypass attack. He provided proof-of-concept code and information about the products affected – including an easy method of locating systems connected to the Internet. After reviewing the information, I find that it does appear that sending a specially crafted request to the device via a browser bypasses the remote access login screen and results in the DVR serving current images from all connected cameras.
I have inquired about whether the company involved is aware of the problem, and will update this post with specifics once I feel it is appropriate to do so.
UPDATE 12-28-2012: Inquiries to the company whose products appear to be affected, Rifatron, were not acknowledged, so I am posting the manufacturer name for the benefit of those who may have purchased these systems. Note that the units may have been sold under other brand names as well.
Without manufacturer assistance – or a large sample to test – I cannot state which specific products/versions are affected. The safest course of action, if you have one of these DVRs exposed on the Internet, would be to disconnect it (or move it behind a good firewall) until the manufacturer responds. The hack, which I have chosen not to post, involves a simple URL string, so even a novice can exploit it. Additionally, by searching for the existence of a specific path/file on Google or your favorite search engine, it is possible to identify and differentiate these devices – making it trivially simple to home in on active units.