Security researchers at Pen Test Partners have uncovered a spate of severe security issues in a CCTV-based product, including weak encryption, root access vulnerabilities and, strangely, a firmware backdoor that is hardcoded to capture and send screenshots to the developer's email account. The model in question, the 'MVPower 8-Channel Security DVR', is easily available to buy on Amazon for less than £40 ($57.20), yet what seems like an affordable purchase quickly turns into a perfect showcase for how the internet of things (IoT) remains plagued by security flaws.
Indeed, this is only one small example of a much wider problem.
Chosen at random by the researchers, the Digital Video Recorder (DVR) model can be used alongside a CCTV system to record video feeds. Yet according to Andrew Tierney, security consultant at Pen Test Partners, the system is host to a litany of issues.
"DVRs take video feeds from multiple cameras and store them onto a drive," he explained in a blog post. "As well as displaying images on a screen, most of them can be accessed over a network, allowing users to connect using either a web browser or a custom client.
"Of course, business and home owners want to access their DVRs remotely to keep an eye on things. The DVRs get opened up to the Internet using port-forwarding, and because of this, we can find hundreds of thousands of them quickly and easily on Shodan. So, we decided to pick up a cheap DVR and see just how bad it could be. And it couldn't really be any worse."
Upon in-depth analysis, the research team found a slew of problems including poor default credentials, being listed on the open internet, a lack of firmware updates and a severe lack of HTTPS-based encryption. As highlighted by Softpedia, the researchers managed to access basically every internal piece of code within the device and were able to force the device to start as root. Eventually, the team even opened a web shell that allowed them to run commands on the DVR. Furthermore, the lack of strong encryption fully exposes users to man-in-the-middle (MitM) style attacks, frequently used by hackers to intercept web traffic.
The plot thickens
However, as the team outlined, the strangest finding was the revelation that the model was sending screen captures of DVR content to a hardcoded email address, firstname.lastname@example.org, hosted on an extension used in China. "The email address is still live [...] sending images from a DVR like this is a serious breach of privacy," noted Tierney.
Both the developer, listed on an old archived GitHub page as Frank Law, and the model brand continue to be elusive, Pen Test Partners revealed. "We can't find any detail on the name MVPower," admitted Tierney. "The firmware suggests commonality with Juantech, but none of their firmwares are compatible. You are stuck with these issues."
However, the subject of the installed backdoor appears to have been raised by a separate security researcher back in 2015 on an old GitHub account of Mr Law, who still appears to be developing CCTV-based products.
"I have a CCTV device running your firmware and wish to request the source code for the device," the user wrote last year. "I note that the device has a backdoor vulnerability in the web frontend in file /root/dvr_app and appears to email you pictures from the CCTV and must remove both as a matter of urgency. I await your earliest reply."
No reply was ever received.