Vulnerabilities in CCTV systems let hackers build massive botnets


According to a US-CERT advisory, serious vulnerabilities have been found in the firmware of the AVer Information EH6108H+ digital video recorder (DVR). They allow attackers to easily obtain remote access to these devices and even to enlist them into botnets.


Security researchers found three critical vulnerabilities. The first (CVE-2016-6535) is the presence of two hidden accounts for remote login. Both have root privileges, and their passwords are hard-coded in the firmware, so the accounts cannot be disabled or removed from the system. An attacker who knows the IP address of a specific device can simply connect to it over Telnet.
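To show what that first finding looks like when you examine a firmware image yourself, here is an added example (not code from the article, from US-CERT or from AVer). It parses the /etc/passwd and /etc/shadow text pulled out of an extracted firmware root filesystem and reports accounts other than root that carry UID 0, plus every account whose password field is a usable hash or empty, which is exactly what makes a hard-coded Telnet login work. The file contents, account names and hash strings below are constructed placeholders, not real firmware data.

```python
"""Audit an extracted firmware root filesystem for hidden root-level accounts.

Added example, not from the article or from AVer: it parses the /etc/passwd and
/etc/shadow text pulled out of a firmware image (e.g. after extraction with
binwalk) and reports every account that has UID 0 or that can log in at all.
The file contents below are constructed for illustration; the account names
and the hash strings are placeholders, not real firmware data.
"""

NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}

# Constructed sample: a vendor "root" plus two extra UID-0 accounts with
# hard-coded hashes, one passwordless account and one properly locked account.
SAMPLE_PASSWD = """\
root:x:0:0:root:/:/bin/sh
admin:x:0:0:admin:/:/bin/sh
service:x:0:0::/:/bin/sh
guest::500:500::/:/bin/sh
daemon:x:1:1::/:/bin/false
"""
SAMPLE_SHADOW = """\
root:$1$aaaaaaaa$placeholderhash000000:0:0:99999:7:::
admin:$1$bbbbbbbb$placeholderhash111111:0:0:99999:7:::
service:$1$cccccccc$placeholderhash222222:0:0:99999:7:::
daemon:!:0:0:99999:7:::
"""


def parse_passwd(text):
    """Map account name -> {"pw", "uid", "shell"} from passwd-format text."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed entry: ignore rather than guess
        name, pw, uid, _gid, _gecos, _home, shell = fields
        users[name] = {"pw": pw, "uid": int(uid), "shell": shell}
    return users


def parse_shadow(text):
    """Map account name -> password field from shadow-format text."""
    hashes = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) >= 2 and fields[0] and not fields[0].startswith("#"):
            hashes[fields[0]] = fields[1]
    return hashes


def password_state(field):
    """Classify a password field: empty, shadowed, locked or a usable hash."""
    if field == "":
        return "empty"        # no password at all: login without a secret
    if field == "x":
        return "shadowed"     # the real hash lives in /etc/shadow
    if field.startswith(("*", "!")):
        return "locked"
    return "hash"             # usable hash: login works for whoever knows it


def audit_accounts(passwd_text, shadow_text=""):
    """One record per account with its UID, password state and login ability."""
    users = parse_passwd(passwd_text)
    shadow = parse_shadow(shadow_text)
    records = []
    for name in sorted(users):
        info = users[name]
        field = info["pw"]
        if password_state(field) == "shadowed":
            field = shadow.get(name, "!")  # no shadow entry: login is refused
        state = password_state(field)
        can_login = state in ("empty", "hash") and info["shell"] not in NOLOGIN_SHELLS
        records.append({"account": name, "uid": info["uid"],
                        "state": state, "can_login": can_login})
    return records


def hidden_root_accounts(passwd_text, shadow_text=""):
    """Accounts other than 'root' that carry UID 0, i.e. full root rights."""
    return [r["account"] for r in audit_accounts(passwd_text, shadow_text)
            if r["uid"] == 0 and r["account"] != "root"]


def login_capable_accounts(passwd_text, shadow_text=""):
    """Every account that could be used for an interactive (e.g. Telnet) login."""
    return [r["account"] for r in audit_accounts(passwd_text, shadow_text)
            if r["can_login"]]


if __name__ == "__main__":
    for rec in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(rec)
    print("extra UID-0 accounts:", hidden_root_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW))
    print("login-capable accounts:", login_capable_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW))
```

On the constructed sample the audit flags `admin` and `service` as extra UID-0 accounts and lists `guest` as loginable with no password at all. On a real image, run it over the passwd/shadow files from every filesystem in the firmware (there is often more than one) and also check which of those accounts a Telnet or SSH daemon in the init scripts actually exposes.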


AVer Information EH6108H+ hybrid DVR


In addition, attackers can reach the admin panel without any administrator password through a flaw in the authentication system (CVE-2016-6536). To get at the control panel, the attacker only needs to open [IP-device]/setup and choose the “handle” option; the administrative page then opens without asking for a password. From there an attacker can change the device settings and even reset the passwords of all users of the system.

The third vulnerability (CVE-2016-6537) leads to the disclosure of sensitive information; the problem is caused by an error in the way user credentials are handled.

How to stay protected

According to the US-CERT advisory, there are currently no patches for the discovered vulnerabilities. AVer describes this firmware on its website as “no longer supported” (discontinued).

The only effective way to prevent attacks through these holes is to restrict access to the devices with a firewall or by configuring the network hardware.

The extent of the problem

The presence of easy-to-exploit vulnerabilities and “backdoors” in DVR devices is nothing new. Earlier, Positive Technologies experts found critical vulnerabilities and so-called “master passwords” that let attackers easily gain access to such devices, hundreds of thousands of which are reachable from the Internet. For example, problems were found in Samsung video surveillance systems, as well as in popular DVR firmware used by many vendors.

Not long ago it also became known that the BASHLITE malware had infected more than 1 million DVR devices, which the attackers formed into botnets for DDoS attacks.


The geographical distribution of attacks

Also earlier this year, researchers from Sucuri found a botnet of 25,000 Internet-connected video surveillance devices. A DDoS botnet made up of infected webcams was also found by Arbor Networks’ Security Engineering and Response Team (ASERT).

It is important to understand that attackers usually do not need to put in much effort to find gaps in the protection of surveillance systems, because, as a rule, the vulnerabilities these systems contain are very primitive.

The situation is aggravated by the fact that DVR manufacturers often do not develop the firmware for their devices entirely themselves, but use third-party code. Such firmware can be distributed in various dubious ways and may contain hidden, undocumented logic that the manufacturer of the final DVR knows nothing about.

For example, our experts discovered vulnerabilities in a popular firmware that many DVR manufacturers use, each adapting and extending it in its own way. Accordingly, vulnerabilities in this firmware endanger a great many devices from different manufacturers.

Moreover, many manufacturers do not pay enough attention to releasing updates, or to building mechanisms for deploying them centrally to end devices and notifying users. When third-party firmware is used, remediation becomes even more complicated: the DVR manufacturer does not fully control the firmware and may be unable to change it.

For example, we were unable to establish contact with one of the producers of such popular and vulnerable firmware so that they could fix the problems found. More details were given in a talk at the Positive Hack Days III forum:

Vulnerabilities in, and the compromise of, DVR devices are a serious threat to private companies. With access to the CCTV system, an attacker can use it as a foothold for further, hard-to-detect attacks inside the company network (APT). The typical protective measures used in companies are often unable to detect such a penetration (for example, the classic antivirus approach is powerless here).

In effect, a malicious device appears on the corporate network: a mini-computer on which the attacker can install their own software. A backdoor on such a device can persist for a very long time without being noticed.

What to do

To protect themselves, Positive Technologies experts advise isolating digital video systems from the Internet (for example, through router and/or firewall settings). Within the internal network it is advisable to restrict access to the DVR and allow it only from those addresses that definitely need it (for example, administrators only). The DVR’s own network access should be limited in the same way, allowing it to reach only the destinations it needs. It is best to place these devices in a separate, isolated network.

In general, as the “Internet of Things” develops, the opportunities for creating such botnets grow significantly: many new gadgets are developed and brought to market without any regard for security (on the contrary, the procedures for connecting them to the Internet are simplified as much as possible). In this situation we can advise individuals and companies to be more selective when buying equipment and to carry out a security analysis of new devices.

Identifying botnets and investigating incidents is also harder when the infected machines are not personal computers but numerous automated systems whose behavior nobody is watching.
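The advice above (allow the DVR only from administrator addresses, allow the DVR to reach only what it needs, put it in its own network) and the observation that nobody watches what these devices do can be served by the same allowlist. The following added example (not from the article or from Positive Technologies) expresses that allowlist once, renders it as an nftables forward chain with a default drop for the firewall in front of the DVR segment, and then audits a set of flow records against the same allowlist to surface connections the DVR should never have made. The subnet 10.20.0.0/24, the admin workstations 10.0.0.5 and 10.0.0.6, the NTP server 10.0.0.53, the web UI port 80 and the flow records are all constructed assumptions.

```python
"""Isolate a DVR segment with an explicit allowlist and audit what it talks to.

Added example, not from the article or from Positive Technologies. It assumes
a DVR VLAN 10.20.0.0/24 behind a Linux firewall, two admin workstations
(10.0.0.5, 10.0.0.6) that may reach the DVR web interface on TCP 80, and an
internal NTP server (10.0.0.53) the DVR may reach on UDP 123. All addresses,
and the flow records used below, are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class AllowRule:
    src: str    # source network (CIDR)
    dst: str    # destination network (CIDR)
    proto: str  # "tcp" or "udp"
    port: int   # destination port


DVR_NET = "10.20.0.0/24"

# The whole policy: everything not listed here is dropped in both directions.
POLICY = [
    AllowRule("10.0.0.5/32", DVR_NET, "tcp", 80),    # admin workstation -> DVR web UI
    AllowRule("10.0.0.6/32", DVR_NET, "tcp", 80),    # second admin workstation
    AllowRule(DVR_NET, "10.0.0.53/32", "udp", 123),  # DVR -> internal NTP only
]

# Constructed flow records "src dst proto dport", as a flow exporter or the
# firewall log on the segment boundary would produce them.
SAMPLE_FLOWS = """\
10.0.0.5 10.20.0.10 tcp 80
10.20.0.10 10.0.0.53 udp 123
10.20.0.10 198.51.100.7 tcp 23
10.20.0.10 203.0.113.9 tcp 6667
10.0.0.9 10.20.0.10 tcp 23
"""


def nftables_ruleset(policy, table="dvr_isolation"):
    """Render the allowlist as an nftables forward chain with a default drop."""
    lines = [
        f"table inet {table} {{",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for r in policy:
        lines.append(f"    ip saddr {r.src} ip daddr {r.dst} "
                     f"{r.proto} dport {r.port} ct state new accept")
    lines += ["  }", "}"]
    return "\n".join(lines)


def permitted(policy, src, dst, proto, port):
    """True if some rule allows a new connection src -> dst:port over proto."""
    s, d = ip_address(src), ip_address(dst)
    return any(s in ip_network(r.src) and d in ip_network(r.dst)
               and r.proto == proto and r.port == port for r in policy)


def audit_flows(policy, flow_text):
    """Return every flow record that the policy would not have allowed."""
    violations = []
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # blank or malformed record
        src, dst, proto, port = parts
        if not permitted(policy, src, dst, proto, int(port)):
            violations.append(line)
    return violations


if __name__ == "__main__":
    print(nftables_ruleset(POLICY))
    print()
    for v in audit_flows(POLICY, SAMPLE_FLOWS):
        print("unexpected flow:", v)
```

The ruleset only works if the DVRs really sit on their own subnet, so that every packet to or from them crosses the firewall’s forward hook; a DVR on the same broadcast domain as the workstations is never filtered. Running the audit over exported flow records on a schedule is what turns the isolation into monitoring: in the constructed sample the two outbound connections from the DVR to unknown hosts on ports 23 and 6667 are the kind of activity a compromised recorder produces and a firewall log alone would otherwise leave unread.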

This text is a translation of the article “Уязвимости систем видеонаблюдения позволяют хакерам создавать масштабные ботнеты” (“Vulnerabilities in video surveillance systems let hackers build large-scale botnets”) published by @ptsecurity on
