In-brief: In just the last week, remotely exploitable security holes cropped up in hundreds of models of IP enabled security cameras and recorders as well as a popular line of network attached storage (NAS) devices. The culprit? Shoddy firmware and lax oversight by vendors. When will it end??
If the drum beat of Internet of Things security warnings seemed to grow even steadier in your ears this week, you weren’t imagining things. From digital video recorders (DVRs) to cameras to network attached storage (NAS) devices, Internet connected “stuff” all wound up in the hackers’ cross hairs in the last week.
Among the incidents worth noting:
The Chinese firm Dahua issued an emergency patch for eleven models of video recorders and IP cameras to remove a back door account that gave remote attackers full control of vulnerable devices without the need to authenticate to the device. The flaw was first disclosed on the Full Disclosure mailing list on March 6. “This is like a damn Hollywood hack, click on one button and you are in…” wrote the researcher who discovered the hole, and who uses the name “Bashis.”
Reports suggest that the flaw affects more than the 11 Dahua devices that the company has identified, though there has been no change to the list of affected devices since March 6th. In a letter to customers, the company said that it is conducting “exhaustive tests” and developing “a series of firmware patches” to address the security hole.
Dahua is notable because its devices were the backbone of the so-called Mirai botnet that was responsible for launching some of the largest denial of service attacks on record.
And Dahua is just the beginning. Security researcher Pierre Kim published a warning about a common vulnerability affecting more than 1,200 different models of IP camera, from vendors including D-Link, Foscam and Polaroid, among many (many) others. Among the problems Kim found were a backdoor account on the camera and a flaw in an embedded web server (which many cameras use to serve administrative interfaces) that allows an attacker to steal credentials for FTP accounts and SMTP (or email) accounts. How many devices are affected by this flaw? At last count: around 205,000.
But wait…there’s more. The folks over at the video surveillance specialty blog IPVM noted that Hikvision cameras were the targets of “widespread hacking” in the last month by attackers taking advantage of the default device password (“12345,” of course). The company said in a press release that it knows of attacks targeting NVRs and DVRs, especially those deployed prior to June, 2015, which did not require the user to reset the default administrator user name and password.
Alas, cameras and DVRs (or NVRs) aren’t the only vulnerable devices floating out there. This week also brought news that network attached storage (NAS) devices made by Western Digital Corp. had a critical flaw that exposed data on the devices to attack. A dozen models of Western Digital drives in the company’s My Cloud line of hardware contained flaws that could allow a remote adversary to skip having to authenticate to a device and insert commands or upload files that would give them control over the device.
The flaw, which was disclosed by the firm SEC Consult Vulnerability Lab (SCVL), was described in a post to the Full Disclosure mailing list. Among the problems: common flaws such as command injection vulnerabilities, a stack-based buffer overflow bug and a cross-site request forgery flaw, the blog Threatpost reported.