"Anrai"-branded DVR" er ... would that be ANRAN, by any chance?
Dangle a DVR online and it'll be cracked in two minutes
Criminals are constantly attempting to log into digital video recorders by using their default credentials, the SANS Institute has found. The organisation revisited recorders because their lack of security helped the Mirai botnet run riot in October 2016, thanks to its modus operandi of logging into devices using their default …
COMMENTS
-
-
Tuesday 29th August 2017 07:27 GMT Dan 55
Re: Let's think like the marketing department
More likely the order will come down to Software from above that there is no extra time or money for security but instead they have to work smarter, but money would be allocated to Marketing to mitigate the bad PR, and Marketing would come with a new spec on the spec sheet: 0-Pwnage in 120 seconds. It then becomes an industry standard metric and companies compete to get it down.
-
-
Tuesday 29th August 2017 07:58 GMT Chronos
Clueless users
This is one time you really can't level that charge against the consumers. Many of the shonky PoS have hard-coded passwords in their root ROMfs and you simply can't change it without unsquashing the filesystem, messing with crypt, recreating the bin and buggering about with arcane flash commands in u-boot - and that assumes you can get a bootloader prompt in the first place, not to mention knowing the flash layout.
IP cameras based on the ever-so-popular Hi3518E chipset had this right up to the January 2016 firmware release. Worse, the default password was the same across multiple manufacturers. The only solution was to block forwarding at the gateway with MAC filtering or stick them on their own isolated segment.
If you want a decent IP camera, a Pi Zero W with the Picam NoIR, a switchable IR cut filter, a ring of IR LEDs and a decent wide angle lens works nicely. If you need a NVR, use a Pi III with ZoneMinder. All of this shonky rubbish needs to die in a fire.
-
This post has been deleted by its author
-
-
-
Tuesday 29th August 2017 13:13 GMT David Roberts
Re: DVR?
DVR is a confusing TLA.
I assume in this case we are talking about a video recorder which is recording security camera footage for later review and also for remote access to the stored video from t'Internet.
Which would explain why it is visible to remote attackers.
I have some DVRs (one Tivo, two Humax) which record locally but as far as I can tell are not visible (at least to Shields Up) to the Internet. They have LAN connections to allow iPlayer, Netflix and the like to be accessed through the router.
-
Tuesday 29th August 2017 16:53 GMT Chemist
Re: DVR?
"which record locally but as far as I can tell are not visible (at least to Shields Up) to the Internet. They have LAN connections "
I'm a little concerned that a untrusted device with internet access could set-up a reverse tunnel from a remote machine.
I've been playing around with this as I'd like to routinely access a remote Pi of mine in Switzerland from home but have no control of the (remote) network it's attached to to allow crossing the firewall.
It all seems perfectly feasible and I can easily access my home network using ssh from Switzerland and then (remotely) connect back from home to login to the Swiss remote.
Can anyone comment on this type of mechanism in relation to giving internet access to untrusted devices?
-
Tuesday 29th August 2017 18:16 GMT Cynic_999
Re: DVR?
"
I've been playing around with this as I'd like to routinely access a remote Pi of mine in Switzerland from home but have no control of the (remote) network it's attached to to allow crossing the firewall.
"
What you need to do is to program Pi to connect to a server anywhere on the Internet (e.g. running on a PC in your house), perhaps on port 80 or 8080 which are unlikely to be blocked. Now that there is an established TCP/IP connection, you can send data back to the Pi on that connection. The application that opens the connection to the server would of course also have to be programmed to do something useful with that data, such as passing data to (& from) a command session or the Pi's SSH server.
-
Tuesday 29th August 2017 18:24 GMT Chemist
Re: DVR?
@Cynic
Thanks but I wasn't looking for advice for my experiments - I'm happy that I can do it . I may have expressed myself badly.
To put some code to it :
Remote pi : ssh -fN -R 7000:localhost:22 -p xxxxx user@home_ip_add
(where xxxxx is the port forward by the local router)
Local : ssh user@localhost -p 7000
will give a login prompt on Remote pi
I was looking for comments or experiences on untrusted devices doing this through a firewall
-
-
-
Wednesday 30th August 2017 12:24 GMT Chronos
Re: DVR?
I have some DVRs (one Tivo, two Humax) which record locally but as far as I can tell are not visible (at least to Shields Up) to the Internet.
Be very careful with that assumption. You're probably okay with your Tivo and Humax DVRs but most of these cheap CCTV DVR/NVR/IPCs, which is what we're discussing here as it was these which were targeted by Mirai, have a "cloud" feature built into the binary that processes the stream(s). Even if you disable the thing in the config, it'll still ping out to let the mothership know it's alive¹, which is why I said one of the mitigations was to block outgoing packets on MAC. Anything that can tunnel out through NAT/uPnP/firewall can tunnel back in again. ShieldsUp! won't detect stateful connections, only blatantly open ports.
¹Yes, I did verify this on the Hi3518E based cameras and a cheap, shonky Owsoo NVR, watching the resolver logs and sniffing the packets as they hit the brick wall of my router. Since most of this bilge is based on HiSilicon chippery, a safe course would be to err on the side of caution.
-
-
Tuesday 29th August 2017 17:52 GMT John Smith 19
Attacked once every 2 minutes
of every day of every week of every year.
Well that gives an idea of the sort of havoc enough compromised devices from the Internet of Turmoil will cause.
If you put an infinite number of code monkeys in a room they will type multiple insecure OS's long before one of them gets close to a sonnet of Shakespeare.