The latest in a string of DVR and IP camera vulnerabilities was posted last week by a blogger using the pseudonym “someLuser” and affects an OEM design from RaySharp whose products are reportedly sold under a number of brand names, including Swann, Lorex, KGuard, Zmodo, Hi-View, Soyo, and others. These are often sold direct-to-consumer in kit form, bundled with several cameras and remote viewing software.
In the post, the blogger provided example scripts to demonstrate several exploitable weaknesses in the DVRs, including:
- Unauthenticated access to the device configuration files
- Ability to view usernames and passwords in clear text
- Ability to execute system commands as root (after obtaining the passwords)
The security researchers at Rapid7 (who help maintain and distribute the Metasploit framework) attempted to determine the number and location of systems exposed to the Internet by searching for the devices’ web interface signatures. This effort identified over 58,000 unique IPs in over 150 countries running these vulnerable platforms – 19,000 of which were located in the U.S. (A chart of the geographic distribution can be seen here)
As discussed previously, embedded systems are often found to have similar vulnerabilities, but are usually hidden by a firewall, limiting the ability of a hacker to locate or attack them. Since DVRs are routinely placed in DMZs or otherwise exposed to the Internet, their vulnerabilities are much easier to exploit. For devices inside the firewall that also communicate on a private LAN/WAN, the risks posed by insecure devices is potentially significant.
As of this writing, there are no known patches or updates that address the problem. Concerned users should consider removing the devices from their network, or disabling access via the Internet.