According to a researcher at RSA, the software running on closed-circuit cameras used by over 70 different vendors may be vulnerable to an attack that gives “root” access to the affected device. In this case the new attack vector compromises the Digital Video Recorder (DVR) boxes, the part of the camera that stores the images for later viewing.
In a blog post, Rotem Kerner said he started with command-and-control output data: a population of over 1,000 infected DVR devices, all running HTTP servers that listened on ports 81, 82, and 8000 and identified themselves as “Cross Web Server”. He initially traced these back to an Israeli company selling CCTVs, but soon discovered the same component was present in CCTVs produced by 70 vendors.
“They may have different logo, or slightly different plastics, but they share the same vulnerable software,” Kerner wrote. “This is basically what they call “white labeling.” Probably China’s most common business model. Eventually I’ve located the real manufacturer, a company called TVT.”
The problem is common, especially in the Internet of Things. Companies buy existing components to get their products to market without checking the quality of the product. “I’d say too many cooks are stirring the same rotten pot,” Kerner wrote. “This makes it really hard to mitigate the problem and leaving a lot of potential vulnerable end users (and) businesses.”
The exploit is serious. With it, one could get onto the internal network running the surveillance camera. Kerner notes the irony here: “When the old fashion thieves used to physically break into stores, on their way to the cashier they had to try and avoid or neutralize any surveillance equipment. The digital thieves are entering the store through them. Truly Hollywood material.”
For mitigation, Kerner wrote, “Since there are many vendors who redistribute this hardware-software it is hard to rely on vendors patch to arrive at your doorstep. I believe there are few more vulnerabilities being exploited in the wild against these machines and therefore your best shot would probably be to deny any connection from an unknown IP address to the DVR services.”
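One way to act on that advice for devices you own, as an added example (not code from Kerner's post or from any vendor): it matches the fingerprint reported above (ports 81, 82, 8000 and a “Cross Web Server” banner) against stored HTTP responses, then lists connections to those ports from sources outside an allowlist. The function names, the management subnet and all sample records are constructed assumptions.

```python
import ipaddress

# Fingerprint as reported on the page: HTTP servers on these ports that
# identify themselves as "Cross Web Server".
DVR_PORTS = {81, 82, 8000}
DVR_BANNER = "cross web server"

def server_header(raw_response: bytes) -> str:
    """Return the Server header value from a raw HTTP response, or ''."""
    head = raw_response.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return ""

def is_affected_dvr(port: int, raw_response: bytes) -> bool:
    """True when both the port and the banner match the reported fingerprint."""
    return port in DVR_PORTS and DVR_BANNER in server_header(raw_response).lower()

def unknown_sources(connections, allowlist):
    """Connections to DVR ports whose source is outside every allowed network."""
    nets = [ipaddress.ip_network(n) for n in allowlist]
    return [
        (src, dst, port) for src, dst, port in connections
        if port in DVR_PORTS
        and not any(ipaddress.ip_address(src) in n for n in nets)
    ]

# Constructed sample data (documentation address ranges, not from the post).
SAMPLE_BANNERS = [
    ("192.0.2.10", 81, b"HTTP/1.1 200 OK\r\nServer: Cross Web Server\r\nContent-Length: 0\r\n\r\n"),
    ("192.0.2.11", 8000, b"HTTP/1.1 200 OK\r\nserver: nginx\r\n\r\n"),
    ("192.0.2.12", 443, b"HTTP/1.1 200 OK\r\nServer: Cross Web Server\r\n\r\n"),
]
SAMPLE_CONNECTIONS = [
    ("10.20.0.5", "192.0.2.10", 81),      # management workstation
    ("203.0.113.77", "192.0.2.10", 81),   # not on the allowlist
    ("203.0.113.77", "192.0.2.11", 443),  # not a DVR service port
]
ALLOWLIST = ["10.20.0.0/24"]  # assumed management subnet

def audit():
    """Return (affected devices, connections from unknown sources)."""
    affected = [(h, p) for h, p, raw in SAMPLE_BANNERS if is_affected_dvr(p, raw)]
    return affected, unknown_sources(SAMPLE_CONNECTIONS, ALLOWLIST)

if __name__ == "__main__":
    print(audit())
```

The allowlist check only reports what a firewall log would show; the deny rule itself belongs on the firewall or router in front of the DVR.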