How to hack a DVR to pieces, according to Pen Test Partners

Security cameras aren't as secure as you might think in the most surveilled country in the world, according to Pen Test Partners.

Who's watching?

Security cameras might not be as secure as you think. Pen Test Partners have shown just how easy it is to hack into a DVR, the machine that collates and records video feeds from CCTV cameras.

Many can be easily accessed over networks, allowing home and small business users to view their security feeds remotely. Accessing a DVR remotely requires a port to be forwarded to the device, allowing external access to the DVR's web interface from the internet.

This may be a fatal mistake. Pen Test Partners wrote, “If you port forward to the web interface, you are allowing attackers to take full control of the device. This can then be used as a pivot and be used to attack the rest of your network from inside.”

Hundreds of thousands of DVRs are visible with a simple search, so the partners found a cheap DVR from vendor MVPower and decided to test it.

Andrew Tierney, a security consultant at Pen Test Partners, wrote in his blog post earlier this week that “after no more than a few hours of digging, we found the following issues”.

Among the plethora of issues was how easy these DVRs were to find. A simple Shodan search for the web server the DVRs use showed 44,000 such DVRs connected to the internet.

An analysis of the authentication code revealed that the interface would accept any two strings as the username and password. 

By rebooting the DVR, interrupting the boot loader and changing the boot argument to single user mode, the wilful attacker can get a local root shell. Getting a remote root shell isn't much harder: Tierney's post mentions it “is undocumented and not possible to disable, built-in to the device. This is as bad as it gets.”

From that remote shell, an attacker can start a new “already logged in daemon”, telnet in and use the device.

Inexplicably, images from cameras linked to the DVR are sent to the email address lawishere@yeah.net, a serious breach of privacy, according to Tierney. That communication between the DVR and the email address is not encrypted and thus entirely interceptable.

It doesn't end there. None of the communications the device makes use HTTPS, and the device has no protection from brute force attacks and no CSRF protection.

The obvious use of these vulnerabilities is hijacking the camera feeds the DVRs collate, but this is ultimately of little value. SCMagazineUK.com spoke to Kennerly to ask what else someone could do once they've broken through the DVR's shabby protective shield.

Kennerly told SC that by port forwarding to the device, “you have essentially allowed someone to come onto your network and plug into it. If, like nearly all homes and small to mid-sized businesses, the DVR is on the same network segment as all your other devices, there are a wide range of attacks that could be carried out”.

These include using the infected DVR to reach the motherlode, the router, which is often a vulnerable piece of equipment: “The attacker could change the DNS server - redirecting all users to malicious sites. They could even route all traffic through the DVR and intercept it using the firewall.”

One could also make a series of DVRs into a botnet to be used for spamming, port-scanning and DDoS attacks.

MVPower, the DVR vendor, did not respond to a request for comment in time for publication.