Blog: How-Tos

Pwning CCTV cameras: Update

Andrew Tierney 23 Feb 2016

Since our Pwning CCTV cameras post there is plenty to update you with.

Three DVR research stories

First let’s look at the main three separate DVR stories doing the rounds at the moment:

  1. Risk Based Security have disclosed that RaySharp DVRs have hardcoded credentials for the web interface. Across all devices, the login root/519070 will work, and cannot be disabled. It just so happens that 519070 is the postal code of their office in China. It’s highly likely you can get a shell once you have access to the web interface, using similar methods to the Rapid7 issue.
  2. Rapid7 disclosed issues with RaySharp’s custom protocol that runs on port 9000, allowing for remote code execution and obtaining a remote shell. This is a more involved and technically complex exploit, but it has since become available as a Metasploit module, reducing it to advanced script kiddy level.
  3. Our work on the MVPower DVR, the core of which is an unauthenticated root shell

RaySharp DVRs are extremely common. Risk Based Security identified over 50 different labels they are sold under, including some big names like Swann (though, it is important to note that not all DVRs sold under these brand are RaySharp).

The end results of the three hacks are similar – you can gain remote root access to the DVR. Along the way, you gain access to the CCTV.

The difference really is our outlook on the risk.

Someone viewing your CCTV is a downer, but the chance of it being leveraged in any form of harmful attack is low. The media likes to sensationalise the leak of CCTV images on the Internet, but 99% of cameras are looking at driveways, shop storerooms, and alleyways – it’s just not interesting. The chance of a hacker using the CCTV images as part of any burglary is incredibly low as well.

But letting someone onto your network as root is far more harmful. They can scan your networking, perform ARP spoofing and act as a man-in-the-middle, reconfigure your router to use a malicious DNS server, snarf all of your files from your NAS, or be harnessed into a botnet to send spam or perform DDoS attacks. There is no need for them to physically locate you and break in. It can all be automated and deployed across hundreds of DVRs. It’s a big difference.

Home and small business networks do not have the segregation or protections in place to stop this happening.

Our attack is so easy to carry out that a user simply visiting a malicious website could take control of a DVR on the local network. I’ve developed a proof-of-concept for this, but it is not being released due to the danger of it being used.

And now an update to our post:

  1. The number of MVPower DVRs has been fluctuating a lot on Shodan. This could be natural variation as Shodan scans, people could be securing them, or attackers taking them offline as they own them…
  2. An additional GitHub repo of similar code to the original (now offline) Frank Law repo was found at https://github.com/simonjiuan/ipc/ by a HackerNews commenter. This has also gone offline now. Before it went offline, we could see it had been forked (i.e. copied) 9 times – where else is this code used? I have since forked another version of it here https://github.com/cybergibbons/ipc. It is suspicious that these repos are being taken offline.
  3. Someone anonymously contacted me via reddit with the root password of the DVR – 8 characters, complexity required. What’s interesting is that the password is relatively good – symbols, numbers, letters – but they have used the descrypt hash algorithm. This hash algorithm is very poor – it can be brute-forced quickly and has a maximum password length of 8 characters. It only takes weeks to brute-force all passwords.