Supply Chain Wreck: CCTV Firmware Vulnerable

cctv camera
Software running closed circuit cameras from scores of vendors is vulnerable to remote attack and compromise, according to an RSA researcher.

In-brief: The software used by tens of thousands of digital video recorders used with closed circuit cameras (CCTVs) is vulnerable to being remotely hacked, a researcher has discovered. 

The software used by tens of thousands of digital video recorders (DVRs) used with closed circuit cameras (CCTVs) is vulnerable to being remotely hacked, a researcher has discovered.

Rotem Kerner, a security researcher at the firm RSA, disclosed the vulnerability in firmware by the China-based company TVT in a blog post on March 22. According to Kerner, the firmware is used by over 70 different vendors including Q-See, a brand sold by Digital Peripheral Solutions, an Anaheim, California based company that sells closed circuit cameras at large retailers like BestBuy and Costco.

Kerner ended up investigating the CCTV devices as part of research he did in 2014 on point of sale malware known as the BackOff Trojan. After noticing that the criminals were targeting closed circuit cameras to get a foothold on retailers networks, Kerner decided to dig deeper: studying the distribution of compromised CCTV devices across the Internet and investigating how, exactly, cyber criminals were compromising the devices.

His research, using data culled from a command and control server, led him to a population of over 1,000 similar, infected machines, DVR devices sporting HTTP servers that were listening on port 81/82 and port 8000 and identifying as “Cross Web Server.”

After obtaining and reverse engineering the firmware used by the devices, Kerner determined that the firmware was developed by TVT Digital Technology Co, Shenzhen, China based firm. More important: the same firmware had apparently been “white labeled” by more than 70 networked CCTV vendors. “They may have different logo, or slightly different plastics, but they share the same vulnerable software,” Kerner wrote.

The vulnerabilities include a remotely exploitable hole that would give an attacker “root” access to the affected device, Kerner said. After contacting the vendor but not receiving any response, Kerner decided to publish information about the security holes as well as a proof of concept exploit for it.

Kerner’s discovery underscores what is becoming a more pressing problem for organizations: software supply chain risks. With “white labeling” of software like that by TVT common, vulnerabilities can spread far and wide, with few options for remediation.

“I’d say too many cooks are stirring the same rotten pot,” Kerner wrote. “This makes it really hard to mitigate the problem and leaving a lot of potential vulnerable end users (and) businesses. ”

This isn’t the first example of serious security vulnerabilities in widely deployed software. In 2014, researchers from Check Point discovered flaws in implementations of TR-069 Automatic Configuration Server software used by a wide range of routers used in homes and small businesses. Manufacturers of the routers were not implementing TR-069 ACS software in a secure manner. TR-069 is a broadband standard for doing WAN (wide area network) management of devices for customer premises equipment. Companies use it to remotely manage home routers at customers.