Recently, they turned to Shodan, the IoT search engine, to take a look at digital video recorders (DVRs): the IoT gadgets that get hooked up to ever-more ubiquitous CCTVs in order to capture surveillance footage.
The Pen Test Partners post about what they found, written by Andrew Tierney, is full of technical detail on how he obtained a local root shell on the DVR and used it to uncover an unauthenticated, impossible-to-disable remote root shell that an attacker could use to compromise and control the device from the comfort of their own laptop.
And that’s not all they found.
The device also has no Cross-Site Request Forgery (CSRF) protection, so attackers can trick logged-in users into clicking links that carry out malicious actions on their behalf; it has no lock-out, so attackers can guess as many passwords as they like; it sends its traffic without HTTPS, so it can be intercepted and tampered with; and there are no firmware updates, so “you’re stuck with these issues,” Pen Test Partners said.
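To make concrete what “no lock-out” and “no CSRF protection” mean for a device web interface, here is an added illustration in Python; it is not code from the DVR, from its firmware or from Pen Test Partners. It puts a minimal login/action handler in the vulnerable shape the article describes beside a hardened version with a per-client lock-out and a per-session CSRF token. The class names, the threshold values and the `reboot` action are assumptions made for the illustration; the missing HTTPS is a transport problem this example does not cover.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical policy values chosen for the illustration.
MAX_FAILURES = 5          # lock a client after this many consecutive bad passwords
LOCKOUT_SECONDS = 300     # ... and keep it locked for this long


class VulnerableDvrWeb:
    """The shape the article describes: a bare password check with no
    lock-out, and state-changing actions that honour any request, so a
    cross-site form post from a page the user was lured to is accepted."""

    def __init__(self, password: str):
        self._password = password

    def login(self, client: str, supplied: str) -> bool:
        return supplied == self._password        # unlimited guesses

    def reboot(self, form: dict) -> str:
        return "rebooting"                       # no CSRF token checked


@dataclass
class HardenedDvrWeb:
    password: str
    # client identifier -> (consecutive failures, time of the last failure)
    failures: dict = field(default_factory=dict)
    # session id -> CSRF token issued to that session
    csrf_tokens: dict = field(default_factory=dict)

    def _locked(self, client: str, now: float) -> bool:
        count, last = self.failures.get(client, (0, 0.0))
        if count < MAX_FAILURES:
            return False
        if now - last < LOCKOUT_SECONDS:
            return True
        self.failures.pop(client, None)          # lock-out expired; start afresh
        return False

    def login(self, client: str, supplied: str, now: Optional[float] = None) -> bool:
        """Constant-time password check with a per-client lock-out.
        `now` is injectable so the lock-out window can be exercised in a test."""
        now = time.time() if now is None else now
        if self._locked(client, now):
            return False                         # refused even if the password is right
        ok = hmac.compare_digest(supplied.encode(), self.password.encode())
        if ok:
            self.failures.pop(client, None)
        else:
            count, _ = self.failures.get(client, (0, now))
            self.failures[client] = (count + 1, now)
        return ok

    def new_csrf_token(self, session: str) -> str:
        """Issue a fresh unguessable token for this session; the page
        embedding the form must carry it back in the `csrf` field."""
        token = secrets.token_hex(16)
        self.csrf_tokens[session] = token
        return token

    def reboot(self, session: str, form: dict) -> str:
        expected = self.csrf_tokens.get(session)
        supplied = str(form.get("csrf", ""))
        if expected is None or not hmac.compare_digest(supplied.encode(), expected.encode()):
            return "rejected: missing or invalid CSRF token"
        return "rebooting"
```

The hardened handler refuses a correct password while a client is locked out, keeps the lock-out per client so one attacker cannot lock everyone out of the device, and ties each CSRF token to a session so a form post originating from another site, which cannot read that token, is rejected.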
But weirdest of all, the thing is capturing still images from video feeds and emailing them to an address that appears to be hosted in China.
We already know how bad these DVRs can be: the US company Risk Based Security (RBS) recently looked into the firmware of a widespread brand of surveillance DVR and found that it has a hard-coded root password for the web interface, with which users manage the cameras, including remotely moving them and zooming in.
In other words, anyone can log into that particular model of DVR.
That’s extremely concerning from a privacy perspective, given that much of the footage coming from CCTVs streams from private premises, with all of it being captured by internet-enabled DVRs.
Pen Test Partners’ researchers wanted to know the same thing: how safe are these DVRs?
The answer: not safe at all.
The DVR Tierney’s team bought from Amazon was a random choice: a cheap model from a company called MVPower that they couldn’t find any details on.
Buried deep in the device’s firmware code, Pen Test Partners found that images were being captured from CCTV feeds and sent to the mysterious email address firstname.lastname@example.org.
As a screenshot of a firmware code sample shows, that email’s subject is “Who are you?”
The email’s body contained a 320x180px snapshot of the CCTV feed.
The email address was hosted on a Chinese email provider, according to Softpedia.
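What the researchers observed suggests a check a network defender can run: a CCTV recorder has no business speaking SMTP to the internet, so outbound mail traffic from the camera subnet is worth flagging on its own, before anyone reads the message bodies. The following Python is an added example and is not code from Pen Test Partners or from the DVR firmware; the log format, the subnet, the relay allow-list and the destination addresses are all constructed for the illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of a connection/flow log, one flow per line:
#   <timestamp> <src_ip> <dst_ip> <dst_port> <proto>
# Documentation address ranges are used; 192.168.1.50 plays the DVR.
SAMPLE_FLOWS = """\
2016-02-10T09:00:01 192.168.1.50 192.168.1.1 53 udp
2016-02-10T09:00:03 192.168.1.50 203.0.113.25 25 tcp
2016-02-10T09:00:09 192.168.1.50 203.0.113.25 25 tcp
2016-02-10T09:00:15 192.168.1.50 203.0.113.25 25 tcp
2016-02-10T09:01:00 192.168.1.20 198.51.100.7 443 tcp
2016-02-10T09:01:30 192.168.1.50 203.0.113.25 587 tcp
2016-02-10T09:02:00 192.168.1.1 203.0.113.80 25 tcp
not a flow line
"""

SMTP_PORTS = {25, 465, 587}                       # SMTP, SMTPS, submission
# Hypothetical site layout: where the CCTV gear lives, and the one box allowed to send mail.
CCTV_NET = ipaddress.ip_network("192.168.1.0/24")
MAIL_RELAYS = {ipaddress.ip_address("192.168.1.1")}
# Anything outside these ranges counts as "the internet" for this example.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_flow(line):
    """Return (timestamp, src, dst, port, proto), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        return (parts[0], ipaddress.ip_address(parts[1]),
                ipaddress.ip_address(parts[2]), int(parts[3]), parts[4])
    except ValueError:
        return None


def is_external(addr):
    return not any(addr in net for net in INTERNAL_NETS)


def find_mail_senders(log_text):
    """Map each CCTV-subnet host that spoke SMTP to an external address to a
    summary of those flows. Known mail relays are ignored."""
    report = defaultdict(lambda: {"count": 0, "dsts": set(), "ports": set(),
                                  "first": None, "last": None})
    for line in log_text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue
        ts, src, dst, port, proto = flow
        if proto != "tcp" or port not in SMTP_PORTS:
            continue
        if src not in CCTV_NET or src in MAIL_RELAYS or not is_external(dst):
            continue
        entry = report[str(src)]
        entry["count"] += 1
        entry["dsts"].add(str(dst))
        entry["ports"].add(port)
        entry["first"] = entry["first"] or ts
        entry["last"] = ts
    return dict(report)


def egress_drop_rules(report):
    """Generic iptables commands that would cut the flagged hosts off from
    outbound mail; adapt to whatever gateway is actually in use."""
    return [f"iptables -I FORWARD -s {src} -p tcp --dport {port} -j DROP"
            for src in sorted(report) for port in sorted(report[src]["ports"])]


if __name__ == "__main__":
    found = find_mail_senders(SAMPLE_FLOWS)
    for src, info in found.items():
        print(f"{src}: {info['count']} SMTP flows to {sorted(info['dsts'])} "
              f"on ports {sorted(info['ports'])} between {info['first']} and {info['last']}")
    print("\n".join(egress_drop_rules(found)))
```

The generated rules only close the mail ports; the stronger default for gear like this is the one Tierney eventually applied to his test unit, denying the device all internet access and allowing only what is actually needed.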
Pen Test Partners discovered that the firmware was taken from the JUAN-Device GitHub repository, managed by someone named Frank Law.
Why is the DVR snapping photos and sending them to Frank Law?
Tierney says that Pen Test Partners doesn’t have a clue.
The researchers did find that somebody else had previously reported the issue on Frank Law’s GitHub page, but Law has since pulled the repository on which it was filed.
As of last week – Tierney posted on Wednesday, 10 February 2016 – Frank Law’s email address was still live.
And as of that date, it was being sent the intro to “Button Moon,” frame by frame (for those outside the UK: Button Moon is a UK children’s program that was broadcast in the 1980s. It chronicles the adventures of Mr. Spoon, who lives with his family of kitchen implements on Junk Planet).
Tierney tells me it’s the only thing he could find kicking around that would do:
The only analog video source is from my test server, which happened to have my collection of 1980s children’s TV on it. So that got fed to the DVR, which is working [its] magic.
I asked him if it was still running, still gumming up Frank Law’s inbox with the adventures of Mr. Spoon, and how long it had run for.
No, he said, Pen Test Partners severed all ties after finding out how nasty the DVR is, which happened pretty fast:
It only ran for a very short period of testing, so not much! I stopped all internet access from the DVR when I realised it was so bad.