Hard-coded password exposes up to 46,000 video surveillance DVRs to hacking

Hackers can log into DVRs from RaySharp and six other vendors using a six-digit hard-coded root password

Up to 46,000 Internet-accessible digital video recorders (DVRs) that are used to monitor and record video streams from surveillance cameras in homes and businesses can easily be taken over by hackers.

According to security researchers from vulnerability intelligence firm Risk Based Security (RBS), all the devices share the same basic vulnerability: They accept a hard-coded, unchangeable password for the highest-privileged user in their software -- the root account.

Using hard-coded passwords and hidden support accounts was a common practice a decade ago, when security did not play a large role in product design and development. That mentality has changed in recent years and many vendors, including large networking and security appliance makers, are frequently issuing firmware updates to fix such basic flaws when they are discovered by internal and external security audits.

But then there are some vendors who never learn. That appears to be the case for Zhuhai RaySharp Technology, a Chinese manufacturer of video surveillance systems, including cameras and accompanying DVRs.

RaySharp DVR devices provide a Web-based interface through which users can view camera feeds, manage recording and system settings and use the pan-tilt-zoom (PTZ) controls of connected surveillance cameras. Gaining access to this management interface would provide an attacker with full control over the surveillance system.

The DVR's Web interface is powered by an embedded Web server which runs on a Linux-based OS -- the firmware. When analyzing the CGI scripts that handle user authentication for the Web interface, the RBS researchers found that they contained a routine to check if the user-supplied username was "root" and the password 519070.

"If these credentials are supplied, full access is granted to the web interface," the RBS researchers said a report scheduled to be published Wednesday.

RaySharp claims on its website that it ships over 60,000 DVRs globally every month, but what makes things worse is that it's not only RaySharp branded products that are affected.

The Chinese company also creates digital video recorders and firmware for other companies which then sell those devices around the world under their own brands. The RBS researchers confirmed that at least some of the DVR products from König, Swann Communications, COP-USA, KGUARD Security, Defender (a brand of Circus World Displays) and LOREX Technology, a division of FLIR Systems, contain the same hard-coded root password.

And those are only the confirmed ones. A separate CGI script in RaySharp-supplied firmware contains a list of 55 vendor names that supposedly use the firmware, so the number of companies with potentially affected products is much larger.

Using the Shodan search engine for Internet-connected devices, the RBS researchers found between 36,000 and 46,000 DVR devices that they believe are vulnerable to this issue and are directly exposed to Internet attacks. About half of them are located in the United States and most of the others in the U.K., Canada, Mexico and Argentina, the researchers said.

Because RBS did not have the resources to test all available models with all firmware versions from all potentially affected vendors, they've decided to make the information public so that users can easily test for themselves whether their DVR device is affected or not.

At the very least, a DVR that accepts root and 519070 as username and password should not be exposed directly to the Internet. If remote access is needed, this should be achieved by connecting into the local network first through a VPN. For good measure, the devices should not be available on internal network segments that allow untrusted computers either, such as public Wi-Fi.

Given previous incidents where people created websites that allowed users to watch video feeds from thousands of insecure cameras on the Internet, the likelihood of unauthorized access to these DVRs is high. In fact, this might have already occurred.

After discovering the hard-coded root password, the RBS researchers searched for it on the Internet and found a few user reports mentioning it as far back as 2010. Those reports claimed that the password worked for any username, but in RBS' tests it only worked for root.

In a 2010 post on a CCTV forum a user complained about the password existing in a DVR product from QSee, one of the 55 vendors listed in the RaySharp firmware. He didn't even need to reverse engineer the firmware to find it, as it was listed in the product's official documentation as a method of regaining access to the device if the user-configured password was lost or forgotten.

This suggests that in older RaySharp firmware the hard-coded string was intended as a sort of recovery key as part of a poorly designed password reset feature. Based on RBS' latest findings, it appears that the company decided to restrict it to the root account in newer versions, which doesn't make any difference from a security perspective and is just as bad.

And this is not the only basic security flaw found in RaySharp firmware over the years. In early 2013, a security researcher found an easy way to take control of DVR devices from an estimated 19 manufacturers that used RaySharp firmware by connecting to the devices over TCP port 9000.

RaySharp did not respond to a request for comment about the hard-coded root password discovered by RBS.

The security firm found the issue back in September and, due to the large number of potentially affected vendors and products, it decided to rely on the U.S. Computer Emergency Readiness Team (US-CERT) for coordination.

As far as RBS knows, Defender is the only vendor which informed US-CERT that it released a patched version of the firmware at the end of September. The RBS researchers confirmed that this firmware version no longer contains the CGI scripts that check for the hard-coded password.

A couple of other affected vendors, including Swann, hinted that they were working on their own patches, the RBS researchers said in their report, but overall the vendor response to this issue was inadequate.

"Consumers should be aware that when buying especially lower-end devices made in China, there is a significant risk of the devices having serious flaws that won't ever be addressed," said Carsten Eiram, chief research officer at RBS via email.

The researcher added that based on his years of experience with finding and reporting vulnerabilities, vendors from China and Taiwan are far behind companies from Europe or the U.S. when it comes to taking security seriously and responding to vulnerability reports.

"It remains a huge concern that researchers keep finding hardcoded credentials and similar basic vulnerabilities in devices like surveillance cameras and DVRs/NVRs," Eiram said. "We install cameras in our homes and businesses to feel safe and know what goes on. That trust and feeling of safety is violated when it turns out that these products are not really made with security in mind and as a result can be turned against us and compromise our privacy."

Join the PC World newsletter!

Error: Please check your email address.

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Essentials

Microsoft L5V-00027 Sculpt Ergonomic Keyboard Desktop

Learn more >

Lexar® JumpDrive® S57 USB 3.0 flash drive

Learn more >

Mobile

Lexar® JumpDrive® S45 USB 3.0 flash drive 

Learn more >

Exec

HD Pan/Tilt Wi-Fi Camera with Night Vision NC450

Learn more >

Lexar® Professional 1800x microSDHC™/microSDXC™ UHS-II cards 

Learn more >

Lexar® JumpDrive® C20c USB Type-C flash drive 

Learn more >

Audio-Technica ATH-ANC70 Noise Cancelling Headphones

Learn more >

Budget

Back To Business Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?