Homeowners and businesses expect to improve safety by installing surveillance cameras, but a recently discovered flaw in many brands of security camera digital video recorders (DVRs) allows attackers to turn the tables. Nearly 20 brands of closed-circuit TV (CCTV) security cameras are affected by a vulnerability in the Ray Sharp DVR platform allowing unauthenticated access to device configuration settings, according to security firm Rapid7.
Expanding on a discovery by a security researcher with the handle someLuser, Rapid7 chief security officer H.D. Moore noted in a blog post that the vulnerabilities in DVR products allow a remote user to execute arbitrary system commands through a secondary flaw in the web interface, essentially providing remote, unauthorized access to security camera recording systems. This flaw could allow a hacker to gain control of camera systems and watch, copy, delete or alter video streams, as well as access other networked devices behind a firewall.
“The DVR gives you access to all their video, current and archived,” Moore told Forbes. “You could look at videos, pause and play, or just turn off the cameras and rob the store.”
While the criticality of many embedded software flaws of this type is limited due to firewalls and other network access controls, the Ray Sharp DVR platform supports the Universal Plug and Play (UPnP) protocol. This feature automatically exposes the device to the internet if it is connected to a router with UPnP enabled, which is a common default setting.
The result is that the device essentially undercuts an existing firewall. A Rapid7 report released shortly after the DVR flaw announcement noted several additional flaws in the UPnP protocol. Conducting a search within the critical.io database, Moore uncovered 58,000 unique IPs that were running a vulnerable DVR platform.
“It’s just a boneheaded decision on the part of [Ray Sharp],” Moore told Forbes. “Fifty-eight thousand homes and businesses are exposed because of the way these things cut holes in the firewall.”
Understanding the vulnerability
According to someLuser, the DVR device’s default UPnP configuration automatically maps certain ports onto a network router, including the ActiveX web application, which is used to view video streams remotely and configure the device, and port 9000, which is the actual communication channel the device uses. A remote attacker accessing the web application can tap into all the account information stored on the device in clear text.
In addition, querying port 9000 does not require any authentication, and the binary that serves port 9000, which is called “raysharpdvr,” is vulnerable to command injection. This could allow a remote attacker to reconfigure the device and reboot it using an overflow bug, someLuser noted.
“This binary implements almost all of the device’s functionality, including everything from the web server to the CD-ROM writer based on cdrecord,” Moore wrote on the Rapid7 website. “In addition to being a terrible architecture, this may have inadvertent licensing implications.”
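An added example, not taken from the article or from the Rapid7 or someLuser write-ups: a defender-side audit of a router's UPnP port-mapping table for the exposure described above. It parses UPnP IGD GetGenericPortMappingEntry SOAP responses and flags enabled forwards to port 9000 or to a known DVR address. The sample responses, the 192.168.1.x addresses and the DVR inventory are constructed, and the code assumes the responses have already been retrieved from the router.

```python
import xml.etree.ElementTree as ET
DVR_PORT = 9000  # device communication port named in the article
FIELDS = ("NewExternalPort", "NewProtocol", "NewInternalPort",
          "NewInternalClient", "NewEnabled", "NewPortMappingDescription")

def soap_response(*values):
    """Build one constructed GetGenericPortMappingEntryResponse (demo input)."""
    body = "".join(f"<{k}>{v}</{k}>" for k, v in zip(FIELDS, values))
    return ('<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
            '<s:Body><u:GetGenericPortMappingEntryResponse '
            'xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
            f'{body}</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>')

def parse_mapping(xml_text):
    """Return the port-mapping fields carried in one SOAP response."""
    found = {}
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.rsplit("}", 1)[-1]  # ignore XML namespaces
        if tag in FIELDS:
            found[tag] = (el.text or "").strip()
    missing = [f for f in FIELDS if f not in found]
    if missing:
        raise ValueError(f"incomplete mapping entry, missing {missing}")
    return found

def audit(responses, dvr_hosts):
    """List enabled forwards that expose port 9000 or a known DVR."""
    findings = []
    for m in map(parse_mapping, responses):
        if m["NewEnabled"].lower() not in ("1", "true", "yes"):
            continue  # disabled entries forward nothing
        reasons = []
        if int(m["NewInternalPort"]) == DVR_PORT:
            reasons.append("forwards to port 9000")
        if m["NewInternalClient"] in dvr_hosts:
            reasons.append("forwards to a known DVR")
        if reasons:
            findings.append((int(m["NewExternalPort"]), m["NewProtocol"],
                             m["NewInternalClient"], reasons))
    return findings

SAMPLE = [soap_response(*row) for row in [  # constructed sample data
    (9000, "TCP", 9000, "192.168.1.50", 1, "dvr"),
    (8080, "TCP", 80, "192.168.1.50", 1, "dvr web"),
    (9000, "TCP", 9000, "192.168.1.77", 0, "stale"),
    (51413, "UDP", 51413, "192.168.1.20", 1, "p2p"),
    (19000, "TCP", 9000, "192.168.1.88", "true", ""),
]]
DVR_HOSTS = {"192.168.1.50"}  # assumed inventory of DVR addresses
```

Calling `audit(SAMPLE, DVR_HOSTS)` returns three findings; the last one shows why the check keys on the internal port, since the external port has been remapped to 19000.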
To prevent remote execution vulnerabilities in embedded software systems, manufacturers of DVR devices and other networked electronics can implement more security in the coding process. By using tools such as source code analysis, vendors can mitigate the risks of exposing security devices to threats of their own.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.