back to article Hungarian bug-hunters spot 130,000 vulnerable Avtech vid systems on Shodan

It shouldn't surprise anyone that closed circuit television (CCTV) rigs are becoming the world's favourite botnet hosts: pretty much any time a security researcher looks at a camera, it turns out to be a buggy mess. According to this advisory, Avtech's IP cameras and video recorders offer the world the usual list of possible …

  1. Ole Juul

    Would love to see

    Avtech's IP cameras and video recorders offer the world the usual list of possible exploits

    What's the chance of those same devices being used to DDoS Avtech?

  2. allthecoolshortnamesweretaken

    Technically, shouldn't we stop calling them "closed circuit" cameras, as they obviously are not?

    1. Fraggle850

      Suggested new terminology

      Insecurity Cameras?

    2. chivo243 Silver badge

      open season?

    3. Alan Brown Silver badge

      "shouldn't we stop calling them "closed circuit" cameras"

      Much of the world has called this stuff "surveillance cameras" or "video survellance" for decades.

      "CCTV" is a particularly british term.

      When I was a nipper one SF story I read had a world full of cameras where covert survellance _wasn't_ the issue, because every publicly placed camera was required to be publicly accessable. The scenario was that if you were wondering if the streets ahead were safe you could dial up the cameras along the way to see who was hanging around nearby.

      It's going to be interesting to see how Avtech handle this. Judging by what I can see on Aliexpress there are a lot more knock-off devices on the market than genuine ones.

  3. Andrew Jones 2

    This doesn't surprise me - I own an AvTech 16 channel DVR, while trying to find a way to programmatically do stuff with it (show a quad screen camera view that swaps to the next 4 cameras every 4 seconds provided a) no-one is logged in for PC viewing and b) no motion has recently been detected, and if motion has been detected change to the camera(s) that have detected motion in full screen) a quick look at the the responses of the CGI scripts that are being asked for in the web interface show just how much information is on display, and a quick peruse of the API to see how you can change params via web requests to the CGI scripts. Perhaps even more strangely is that you can set some parameters to do with things like Auto Gain Control and such via CGI get requests - even though there is no where at all in the web interface to configure these parameters.

    Still, the unit cost £160 minus HDD and has performed it's job reliably since 2012. It is not exposed to the internet so I don't need to worry about that, but thanks to this article I think I will block access to it's local address from the public cafe network.

  4. SImon Hobson Bronze badge

    Hang on lads, I've got an idea ...

    Clearly the manufacturers of this crap don't care - if they cared the slightest they would have avoided at least the most obvious of those.

    So, given that the information captured by these devices is most definitely considered "personal information", how about a complaint to the Information Commissioner - either by someone sho has bought one and "found out" that their information is being made insecure by the equipment design, or by someone who thinks their image may be on one of these devices. If the IC is prepared to play along, it might be able to get a ruling that has the effect of making the use of one of these devices illegal - and once the distributors are made aware, of course, whoever bought the test case device will want their money back won't they ;-), then they'll probably drop them.

    OK, this won't stop sales completely - there's a lot of world outside of the EU, and a lot of personal/indirect imports. But perhaps having their product effectively declared illegal in part of the world might just get someone to think about it.


    Something needs to be done. Clearly "name and shame" doesn't work when the offenders have no shame.

    As I see it, the only other way anything will happen is if the big ISPs take users off-line when they are detected to be part of a botnet. Perhaps getting a "You are harbouring a criminal" portal page instead of FarceBork will get end users interested in the problem. But I can't see the ISPs being interested - there's no money in it for them.

  5. Robert Helpmann??

    Get off my (internet) lawn!

    ...users are advised to change their admin passwords and take the devices off the Internet.

    This is the best general advice anyone can offer for any IoT device. What we really need is an Internet Without Things™.

  6. Anonymous Coward
    Anonymous Coward

    So what about SWANN CCTV devices? Are they sweet and innocent?

  7. All names Taken


    Shock! Horror! Shock and Horror!

    Does that mean Mission Impossible and 007 dreamlike stuff of instant onscreen, realtime video from video cam(eos?) on a worldwide basis in public/private spaces is not really an event and just a, well, fantasy?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon