Dangle a DVR online and it'll be cracked in two minutes

Criminals are constantly attempting to log into digital video recorders by using their default credentials, the SANS Institute has found. The organisation revisited recorders because their lack of security helped the Mirai botnet run riot in October 2016, thanks to its modus operandi of logging into devices using their default …

  1. Threlkeld

    "'Anrai'-branded DVR" er ... would that be ANRAN, by any chance?

    1. Threlkeld

      ... or possibly 'ANRAIN'. The original source is equivocal about the name. He says he bought the item off eBay a year ago.

      I'm sure that by now it will have been much improved.

      Whatever it's called.

      1. Mark 85

        "I'm sure that by now it will have been much improved."

        Why would you think that? "Improvements" cost money and the corporate bottom line is everything these days.

  2. redpawn

    Let's think like the marketing department

    Two minutes is a metric but load of clock cycles. These devices could be advertised in mean clock cycles before pwnage or MCCBP. The large number would impress buyers and keep sales up.

    1. Dan 55 Silver badge
      Devil

      Re: Let's think like the marketing department

      More likely the order will come down to Software from above that there is no extra time or money for security but instead they have to work smarter, but money would be allocated to Marketing to mitigate the bad PR, and Marketing would come with a new spec on the spec sheet: 0-Pwnage in 120 seconds. It then becomes an industry standard metric and companies compete to get it down.

    2. TitterYeNot
      Coat

      Re: Let's think like the marketing department

      "Two minutes is a metric but load of clock cycles"

      In official units, two-minutes-before-pwnage is approximately 3.2 TalkTalks, or around 0.027 μHardings...

  3. Chronos

    Clueless users

    This is one time you really can't level that charge against the consumers. Many of the shonky PoS have hard-coded passwords in their root ROMfs and you simply can't change it without unsquashing the filesystem, messing with crypt, recreating the bin and buggering about with arcane flash commands in u-boot - and that assumes you can get a bootloader prompt in the first place, not to mention knowing the flash layout.

    IP cameras based on the ever-so-popular Hi3518E chipset had this right up to the January 2016 firmware release. Worse, the default password was the same across multiple manufacturers. The only solution was to block forwarding at the gateway with MAC filtering or stick them on their own isolated segment.

    If you want a decent IP camera, a Pi Zero W with the Picam NoIR, a switchable IR cut filter, a ring of IR LEDs and a decent wide angle lens works nicely. If you need an NVR, use a Pi III with ZoneMinder. All of this shonky rubbish needs to die in a fire.

    1. This post has been deleted by its author

      1. Chronos
        Thumb Up

        Re: Clueless users

        Thanks for that, Symon. I didn't even know that existed but it looks very useful.

  4. Richard Tobin

    DVR?

    Since when did "DVR" come to mean "ip camera"?

    1. Jamie Jones Silver badge

      Re: DVR?

      wah? do they? I thought this was all about things that record the tv to hard disk...

    2. David Roberts

      Re: DVR?

      DVR is a confusing TLA.

      I assume in this case we are talking about a video recorder which is recording security camera footage for later review and also for remote access to the stored video from t'Internet.

      Which would explain why it is visible to remote attackers.

      I have some DVRs (one Tivo, two Humax) which record locally but as far as I can tell are not visible (at least to Shields Up) to the Internet. They have LAN connections to allow iPlayer, Netflix and the like to be accessed through the router.

      1. Chemist

        Re: DVR?

        "which record locally but as far as I can tell are not visible (at least to Shields Up) to the Internet. They have LAN connections "

        I'm a little concerned that an untrusted device with internet access could set up a reverse tunnel from a remote machine.

        I've been playing around with this as I'd like to routinely access a remote Pi of mine in Switzerland from home but have no control of the (remote) network it's attached to to allow crossing the firewall.

        It all seems perfectly feasible and I can easily access my home network using ssh from Switzerland and then (remotely) connect back from home to login to the Swiss remote.

        Can anyone comment on this type of mechanism in relation to giving internet access to untrusted devices?

        1. Cynic_999

          Re: DVR?

          "I've been playing around with this as I'd like to routinely access a remote Pi of mine in Switzerland from home but have no control of the (remote) network it's attached to to allow crossing the firewall."

          What you need to do is to program the Pi to connect to a server anywhere on the Internet (e.g. running on a PC in your house), perhaps on port 80 or 8080 which are unlikely to be blocked. Now that there is an established TCP/IP connection, you can send data back to the Pi on that connection. The application that opens the connection to the server would of course also have to be programmed to do something useful with that data, such as passing data to (& from) a command session or the Pi's SSH server.

          1. Chemist

            Re: DVR?

            @Cynic

            Thanks but I wasn't looking for advice for my experiments - I'm happy that I can do it. I may have expressed myself badly.

            To put some code to it:

            Remote pi : ssh -fN -R 7000:localhost:22 -p xxxxx user@home_ip_add

            (where xxxxx is the port forwarded by the local router)

            Local : ssh user@localhost -p 7000

            will give a login prompt on Remote pi

            I was looking for comments or experiences on untrusted devices doing this through a firewall.

      2. Chronos
        Devil

        Re: DVR?

        "I have some DVRs (one Tivo, two Humax) which record locally but as far as I can tell are not visible (at least to Shields Up) to the Internet."

        Be very careful with that assumption. You're probably okay with your Tivo and Humax DVRs but most of these cheap CCTV DVR/NVR/IPCs, which is what we're discussing here as it was these which were targeted by Mirai, have a "cloud" feature built into the binary that processes the stream(s). Even if you disable the thing in the config, it'll still ping out to let the mothership know it's alive¹, which is why I said one of the mitigations was to block outgoing packets on MAC. Anything that can tunnel out through NAT/UPnP/firewall can tunnel back in again. ShieldsUp! won't detect stateful connections, only blatantly open ports.

        ¹Yes, I did verify this on the Hi3518E based cameras and a cheap, shonky Owsoo NVR, watching the resolver logs and sniffing the packets as they hit the brick wall of my router. Since most of this bilge is based on HiSilicon chippery, a safe course would be to err on the side of caution.
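
The check described in the comment above, watching the resolver logs for devices that still call out after their "cloud" feature is disabled, can be scripted. This is an added example, not part of any commenter's post: it tallies DNS lookups made by devices on an isolated camera segment, assuming a dnsmasq resolver with query logging enabled. The subnet, addresses and hostnames are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in dnsmasq's query-log format; every address and
# hostname below is invented for this example.
SAMPLE_LOG = """\
Sep  1 10:00:01 dnsmasq[412]: query[A] time.example.net from 192.168.50.11
Sep  1 10:00:01 dnsmasq[412]: forwarded time.example.net to 9.9.9.9
Sep  1 10:00:09 dnsmasq[412]: query[A] p2p.cloud-vendor.example from 192.168.50.11
Sep  1 10:00:12 dnsmasq[412]: query[A] www.example.org from 192.168.1.20
Sep  1 10:02:09 dnsmasq[412]: query[A] p2p.cloud-vendor.example from 192.168.50.11
Sep  1 10:02:30 dnsmasq[412]: query[AAAA] relay.cloud-vendor.example from 192.168.50.12
Sep  1 10:04:09 dnsmasq[412]: query[A] p2p.cloud-vendor.example from 192.168.50.11
"""

QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)$")


def phone_home_report(log_text, untrusted, allowed_suffixes=()):
    """Return {client_ip: {queried_name: count}} for clients inside the
    untrusted networks, ignoring names under an explicitly allowed suffix."""
    nets = [ipaddress.ip_network(n) for n in untrusted]
    report = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # replies, forwards and other resolver chatter
        try:
            client = ipaddress.ip_address(m["client"])
        except ValueError:
            continue  # malformed client field
        if not any(client in net for net in nets):
            continue  # trusted LAN hosts are out of scope
        name = m["name"].rstrip(".").lower()
        if any(name == s or name.endswith("." + s) for s in allowed_suffixes):
            continue
        report[str(client)][name] += 1
    return {ip: dict(names) for ip, names in report.items()}


if __name__ == "__main__":
    hits = phone_home_report(SAMPLE_LOG, ["192.168.50.0/24"],
                             allowed_suffixes=("time.example.net",))
    for ip, names in sorted(hits.items()):
        for name, count in sorted(names.items()):
            print(f"{ip} looked up {name} {count} time(s)")
```

A name that keeps recurring from a device whose remote-access feature is switched off is the cue to check that the gateway is dropping that device's outbound traffic.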

  5. John Smith 19 Gold badge
    WTF?

    Attacked once every 2 minutes

    of every day of every week of every year.

    Well that gives an idea of the sort of havoc enough compromised devices from the Internet of Turmoil will cause.

    If you put an infinite number of code monkeys in a room they will type multiple insecure OS's long before one of them gets close to a sonnet of Shakespeare.
