Hard-coded password exposes up to 46,000 video surveillance DVRs to hacking

Hackers can log into DVRs from RaySharp and six other vendors using a six-digit hard-coded root password

Up to 46,000 Internet-accessible digital video recorders (DVRs) that are used to monitor and record video streams from surveillance cameras in homes and businesses can easily be taken over by hackers.

According to security researchers from vulnerability intelligence firm Risk Based Security (RBS), all the devices share the same basic vulnerability: They accept a hard-coded, unchangeable password for the highest-privileged user in their software -- the root account.

Using hard-coded passwords and hidden support accounts was a common practice a decade ago, when security did not play a large role in product design and development. That mentality has changed in recent years and many vendors, including large networking and security appliance makers, are frequently issuing firmware updates to fix such basic flaws when they are discovered by internal and external security audits.

But then there are some vendors who never learn. That appears to be the case for Zhuhai RaySharp Technology, a Chinese manufacturer of video surveillance systems, including cameras and accompanying DVRs.

RaySharp DVR devices provide a Web-based interface through which users can view camera feeds, manage recording and system settings and use the pan-tilt-zoom (PTZ) controls of connected surveillance cameras. Gaining access to this management interface would provide an attacker with full control over the surveillance system.

The DVR's Web interface is powered by an embedded Web server which runs on a Linux-based OS -- the firmware. When analyzing the CGI scripts that handle user authentication for the Web interface, the RBS researchers found that they contained a routine to check if the user-supplied username was "root" and the password 519070.

"If these credentials are supplied, full access is granted to the web interface," the RBS researchers said in a report scheduled to be published Wednesday.
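To make the flaw concrete, here is an added illustration that is not RaySharp's firmware and not code from the RBS report: a minimal C sketch of the kind of authentication routine the researchers describe, with a fixed root credential checked before the configured accounts, next to a hardened login that has no built-in account at all. The account table, the `toy_digest`, `ct_equal` and `hardened_login` names, and the use of 64-bit FNV-1a as a stand-in for a real password hash are all assumptions made for the example.

```c
/* Added example, not RaySharp or RBS code. Two login routines for an
   embedded web-interface CGI handler: the hard-coded pattern described
   in the article, and a hardened replacement. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ---- Vulnerable pattern: a credential baked into the binary ---- */
#define BUILTIN_USER "root"
#define BUILTIN_PASS "519070"   /* the value RBS found; no setting removes it */

typedef struct { const char *user; const char *pass; } plain_account_t;

/* Constructed example of administrator-configured credentials. */
static const plain_account_t configured[] = { { "admin", "correct-horse" } };

static bool vulnerable_login(const char *user, const char *pass) {
    /* The built-in check runs before, and independently of, anything
       the owner configured, so changing every password leaves it open. */
    if (strcmp(user, BUILTIN_USER) == 0 && strcmp(pass, BUILTIN_PASS) == 0)
        return true;
    for (size_t i = 0; i < sizeof configured / sizeof configured[0]; i++)
        if (strcmp(user, configured[i].user) == 0 &&
            strcmp(pass, configured[i].pass) == 0)
            return true;
    return false;
}

/* ---- Hardened pattern: only owner-set accounts, hashed, no fallback ---- */

/* Stand-in digest: 64-bit FNV-1a over salt || password. This is NOT a
   password hash; a real device would use bcrypt, scrypt or Argon2 here. */
static uint64_t toy_digest(const char *salt, const char *pass) {
    uint64_t h = 1469598103934665603ULL;
    const char *parts[2] = { salt, pass };
    for (int p = 0; p < 2; p++)
        for (const unsigned char *c = (const unsigned char *)parts[p]; *c; c++) {
            h ^= *c;
            h *= 1099511628211ULL;
        }
    return h;
}

/* Constant-time comparison so timing does not leak how many bytes matched. */
static bool ct_equal(const void *a, const void *b, size_t n) {
    const unsigned char *x = a, *y = b;
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++) diff |= x[i] ^ y[i];
    return diff == 0;
}

typedef struct { const char *user; const char *salt; uint64_t digest; } stored_t;

/* In a real device this table lives in flash, is populated during first-boot
   setup, and is wiped by a physical reset button. Lost password recovery
   means a factory reset, never a fixed string known to every unit. */
#define MAX_ACCOUNTS 4
static stored_t store[MAX_ACCOUNTS];
static size_t store_len = 0;

static bool hardened_set_password(const char *user, const char *salt, const char *pass) {
    if (store_len >= MAX_ACCOUNTS) return false;
    store[store_len++] = (stored_t){ user, salt, toy_digest(salt, pass) };
    return true;
}

static bool hardened_login(const char *user, const char *pass) {
    for (size_t i = 0; i < store_len; i++) {
        if (strcmp(user, store[i].user) != 0) continue;
        uint64_t d = toy_digest(store[i].salt, pass);
        return ct_equal(&d, &store[i].digest, sizeof d);
    }
    return false;   /* unknown user: nothing to fall back on */
}

int main(void) {
    hardened_set_password("admin", "s4lt", "correct-horse");
    printf("vulnerable root/519070 : %d\n", vulnerable_login("root", "519070"));
    printf("hardened   root/519070 : %d\n", hardened_login("root", "519070"));
    printf("hardened   admin/ok    : %d\n", hardened_login("admin", "correct-horse"));
    return 0;
}
```

The point of the contrast is structural rather than cryptographic: the hardened routine has no code path that succeeds without an owner-configured record, so a firmware audit can verify the absence of a master credential by inspection, which is exactly the check Defender's patched firmware passed according to the article.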

RaySharp claims on its website that it ships over 60,000 DVRs globally every month, but what makes things worse is that it's not only RaySharp branded products that are affected.

The Chinese company also creates digital video recorders and firmware for other companies which then sell those devices around the world under their own brands. The RBS researchers confirmed that at least some of the DVR products from König, Swann Communications, COP-USA, KGUARD Security, Defender (a brand of Circus World Displays) and LOREX Technology, a division of FLIR Systems, contain the same hard-coded root password.

And those are only the confirmed ones. A separate CGI script in RaySharp-supplied firmware contains a list of 55 vendor names that supposedly use the firmware, so the number of companies with potentially affected products is much larger.

Using the Shodan search engine for Internet-connected devices, the RBS researchers found between 36,000 and 46,000 DVR devices that they believe are vulnerable to this issue and are directly exposed to Internet attacks. About half of them are located in the United States and most of the others in the U.K., Canada, Mexico and Argentina, the researchers said.

Because RBS did not have the resources to test all available models with all firmware versions from all potentially affected vendors, it decided to make the information public so that users can easily test for themselves whether their DVR device is affected.

At the very least, a DVR that accepts root and 519070 as username and password should not be exposed directly to the Internet. If remote access is needed, this should be achieved by connecting into the local network first through a VPN. For good measure, the devices should not be available on internal network segments that allow untrusted computers either, such as public Wi-Fi.

Given previous incidents where people created websites that allowed users to watch video feeds from thousands of insecure cameras on the Internet, the likelihood of unauthorized access to these DVRs is high. In fact, this might have already occurred.

After discovering the hard-coded root password, the RBS researchers searched for it on the Internet and found a few user reports mentioning it as far back as 2010. Those reports claimed that the password worked for any username, but in RBS' tests it only worked for root.

In a 2010 post on a CCTV forum a user complained about the password existing in a DVR product from QSee, one of the 55 vendors listed in the RaySharp firmware. He didn't even need to reverse engineer the firmware to find it, as it was listed in the product's official documentation as a method of regaining access to the device if the user-configured password was lost or forgotten.

This suggests that in older RaySharp firmware the hard-coded string was intended as a sort of recovery key as part of a poorly designed password reset feature. Based on RBS' latest findings, it appears that the company decided to restrict it to the root account in newer versions, which doesn't make any difference from a security perspective and is just as bad.

And this is not the only basic security flaw found in RaySharp firmware over the years. In early 2013, a security researcher found an easy way to take control of DVR devices from an estimated 19 manufacturers that used RaySharp firmware by connecting to the devices over TCP port 9000.

RaySharp did not respond to a request for comment about the hard-coded root password discovered by RBS.

The security firm found the issue back in September and, due to the large number of potentially affected vendors and products, it decided to rely on the U.S. Computer Emergency Readiness Team (US-CERT) for coordination.

As far as RBS knows, Defender is the only vendor which informed US-CERT that it released a patched version of the firmware at the end of September. The RBS researchers confirmed that this firmware version no longer contains the CGI scripts that check for the hard-coded password.

A couple of other affected vendors, including Swann, hinted that they were working on their own patches, the RBS researchers said in their report, but overall the vendor response to this issue was inadequate.

"Consumers should be aware that when buying especially lower-end devices made in China, there is a significant risk of the devices having serious flaws that won't ever be addressed," said Carsten Eiram, chief research officer at RBS via email.

The researcher added that based on his years of experience with finding and reporting vulnerabilities, vendors from China and Taiwan are far behind companies from Europe or the U.S. when it comes to taking security seriously and responding to vulnerability reports.

"It remains a huge concern that researchers keep finding hardcoded credentials and similar basic vulnerabilities in devices like surveillance cameras and DVRs/NVRs," Eiram said. "We install cameras in our homes and businesses to feel safe and know what goes on. That trust and feeling of safety is violated when it turns out that these products are not really made with security in mind and as a result can be turned against us and compromise our privacy."

Stories by Lucian Constantin