If you haven't updated your ThroughTek DVR since 2018 do so now, warns Mandiant as critical vuln surfaces

A critical vulnerability affecting tens of millions of digital video recorders powering baby monitors and CCTV systems across the world has been uncovered by Mandiant, which claims the vuln allows for unauthorised viewing of live camera footage. The vuln exists in Chinese IoT vendor ThroughTek's Kalay communication protocol, …

  1. Mike 137 Silver badge

    "...open a remote management mobile app while on a poorly secured coffee shop Wi-Fi network"

    Why would anyone with even half a brain choose to manage their security CCTV from a coffee shop?

    I'm a firm believer in hard-wired security systems, as they're in general invisible to the outside world and therefore harder to attack.

    1. Gene Cash Silver badge

      Re: "...open a remote management mobile app while on a poorly secured coffee shop Wi-Fi network"

      Perhaps they got a call someone's breaking into their shop/house/storage, and want to check on it before calling the cops?

      1. Pascal Monett Silver badge

        If you really want security, you have a proper system installed that has video capability managed by a company that has clearance to call the cops themselves.

        It saves on time and peace of mind, and it's not that expensive.

        1. Anonymous Coward

          I'd rather use a video security platform in my house where some nefarious person "might" be able to tap into the streams, rather than one where I know they definitely can by virtue of working at said security company... Not to mention, you pay for the latter?

    2. FlamingDeath Silver badge

      Re: "...open a remote management mobile app while on a poorly secured coffee shop Wi-Fi network"

      Coffee shop:

      Nothing wrong with that, so long as they know what they're doing, such as manually specifying the DNS servers they're going to use, and sending data via an encrypted tunnel (VPN, SSH, etc.), preferably on a service which has 2FA built into the authentication.

      (DVR / Cameras)

      I suspect these (L)users just plug the device in and voilà, the UPnP-enabled router opens ports up. Included also is an API horrorshow as part of the registration?

      I've read about some of these ill-thought-out API systems: dude buys camera, registers it, then sends it back for a refund; they don't want it any more for whatever reason, consumer rights etc. Another dude buys the same camera that was returned. The previous owner can now see inside the new owner's home via their "account", but the new owner has no idea; it's also registered to his account. In other words, the software engineers didn't bother to think about this very likely scenario.

      Literally the most stupid people are allowed to design IoT products, and more.

      Wired systems:

      Definitely and where possible also with 802.1x wired authentication
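The returned-camera scenario in the comment above is a device-ownership design problem: a registration model that never revokes the previous owner's binding. The following is an added example, not code from the article or from any vendor it mentions, showing one defensive design: a cloud registry in which a device can only be claimed with a one-time code produced by a physical factory reset, every successful claim bumps a "claim generation", and stream authorisation checks both the current owner and the generation, so the prior owner's account and any sessions they still hold are cut off the moment the next buyer claims the unit. All names (`Registry`, `claim`, `open_stream`, the `cam-0001` identifier) are constructed for the example.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Device:
    uid: str
    owner: Optional[str] = None      # account currently bound to the device
    claim_generation: int = 0        # incremented on every successful claim
    reset_code: str = ""             # one-time code shown only after a physical reset


@dataclass
class Session:
    account: str
    device_uid: str
    generation: int                  # generation the session was issued under


class Registry:
    """Constructed model of a vendor cloud that binds devices to accounts."""

    def __init__(self) -> None:
        self.devices: Dict[str, Device] = {}
        self.audit: List[str] = []

    def register_device(self, uid: str) -> None:
        # Called at manufacture: the device exists but belongs to nobody yet.
        self.devices[uid] = Device(uid=uid)

    def factory_reset(self, uid: str) -> str:
        # Simulates the physical reset button: mints a fresh one-time claim code.
        dev = self.devices[uid]
        dev.reset_code = secrets.token_hex(8)
        self.audit.append(f"{uid}: factory reset, new claim code issued")
        return dev.reset_code

    def claim(self, uid: str, account: str, reset_code: str) -> bool:
        # A claim needs a live reset code; a reused or missing code is rejected.
        dev = self.devices[uid]
        if not dev.reset_code or not secrets.compare_digest(dev.reset_code, reset_code):
            self.audit.append(f"{uid}: claim by {account} rejected (bad/consumed code)")
            return False
        previous = dev.owner
        dev.owner = account
        dev.claim_generation += 1     # invalidates every session from earlier owners
        dev.reset_code = ""           # code is single-use
        self.audit.append(
            f"{uid}: claimed by {account} (gen {dev.claim_generation}), previous owner {previous}"
        )
        return True

    def open_stream(self, uid: str, account: str) -> Optional[Session]:
        # Only the current owner can mint a viewing session.
        dev = self.devices[uid]
        if dev.owner != account:
            self.audit.append(f"{uid}: stream denied for {account}")
            return None
        return Session(account=account, device_uid=uid, generation=dev.claim_generation)

    def stream_allowed(self, session: Session) -> bool:
        # Re-checked on every frame request: owner AND generation must still match,
        # so a session held across a resale stops working after the new claim.
        dev = self.devices[session.device_uid]
        return dev.owner == session.account and dev.claim_generation == session.generation


def resale_scenario() -> Dict[str, bool]:
    """Walks through the buy / return / resell sequence from the comment."""
    reg = Registry()
    reg.register_device("cam-0001")             # constructed device identifier
    first_code = reg.factory_reset("cam-0001")
    alice_claimed = reg.claim("cam-0001", "alice", first_code)
    alice_session = reg.open_stream("cam-0001", "alice")
    alice_live_before = alice_session is not None and reg.stream_allowed(alice_session)

    # Alice returns the camera; the code is already consumed, so Bob cannot
    # claim it with the old code. A new physical reset is required.
    bob_stale_claim = reg.claim("cam-0001", "bob", first_code)
    second_code = reg.factory_reset("cam-0001")
    bob_claimed = reg.claim("cam-0001", "bob", second_code)

    return {
        "alice_claimed": alice_claimed,
        "alice_live_before_resale": alice_live_before,
        "bob_claim_with_old_code": bob_stale_claim,
        "bob_claimed": bob_claimed,
        "alice_new_stream_after_resale": reg.open_stream("cam-0001", "alice") is not None,
        "alice_old_session_after_resale": reg.stream_allowed(alice_session),
        "bob_live_after_resale": reg.stream_allowed(reg.open_stream("cam-0001", "bob")),
    }


if __name__ == "__main__":
    for key, value in resale_scenario().items():
        print(f"{key}: {value}")
```

The two ingredients that matter are the single-use reset code (a claim must be backed by physical possession, not just knowledge of the serial number) and the generation counter checked on every stream request rather than only at login, which is what closes the window in which a previous owner's still-open app keeps receiving video.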

  2. IGotOut Silver badge

    So...

    it's been patched since 2018 and somehow it's gained a "new" vuln.

    1. Annihilator

      Re: So...

      Yeah this is a bit misleading. From the looks of it, the protocol was flawed and patched 3 years ago, but manufacturers of DVRs who use the protocol have been using an old version of it. Why it's been reported now, I can't tell.

  3. Piro Silver badge

    Doesn't match the thumbnail

    Which is a Reolink Argus 2, with the solar panel.

    That camera doesn't even support recording to a DVR, iirc.

  4. Anonymous Coward

    Squirrel Mail

    Old DVRs? Give me a break. Might be better if Web.com, for example, retired their Squirrel Mail servers, which have been compromised by miscreants for about a year. Squirrel Mail doesn't support SSL/TLS or STARTTLS, so it's easy for account info to get stolen in transit and for the domains to get used to send spam and other credentials to get stolen. They've been promising to migrate the domains still on Squirrel Mail over to Cloud OX since forever.

  5. Doctor Syntax Silver badge

    The better null hypothesis for IoT devices would be to assume it's vulnerable and wait for a new item that it isn't.
