RSA security researcher Rotem Kerner has identified a common vulnerability in the firmware of CCTV DVRs sold by 70 different vendors, which allows attackers to execute code and gain root privileges on the affected devices.

His investigation started after the researcher revisited an older security report about the Backoff PoS malware campaign in which crooks hacked surveillance cameras to verify that the target they wanted to infect was a retailer.

These DVRs have been abused since 2014

Wanting to know how exactly this had happened, Mr. Kerner dug up some of the data from the Backoff campaign's C&C server logs and took a look at the hacked devices, which in most cases proved to be DVRs (the recorders that aggregate and store the video feeds from the actual surveillance cameras).

The researcher discovered that some of the hacked devices found in the Backoff PoS malware campaign from December 2014 were running an HTTP server that identified itself as "Cross Web Server."

A quick Shodan search for that banner showed Mr. Kerner that, today, around 30,000 similar devices are still reachable from the Internet. He tracked down one of the DVRs as being sold by an Israeli company, which also offered the device's firmware for download on its website.

While this helped speed up his research, Mr. Kerner received a second gift when he discovered that the firmware binaries had been built with debugging information left in, which meant that symbols and function names were still present to guide his investigation.

Attackers can gain root on all vulnerable DVRs via a Web-based attack

In the firmware, the researcher discovered a remote code execution (RCE) vulnerability that allowed him to run shell commands simply by requesting a specially crafted URL from the DVR's built-in web server.

In his tests, Mr. Kerner was able to get root access on the DVR. Taking into account that many of these devices are reachable from the Internet, an attacker could very easily scan for all vulnerable devices, automate the exploit against every DVR found, and take control of them, creating their very own CCTV-based botnet.
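Defenders can run the same kind of scan against their own address ranges to find these recorders before someone else does. The banner quoted above, "Cross Web Server," is the only fingerprint the article gives, so that is what the following script matches. This is an added example, not code from Mr. Kerner or from the published proof of concept: the function names are mine, the banner grabber speaks plain HTTP/1.0 over a socket, and the `start_fake_dvr` helper is a constructed stand-in that mimics nothing but the Server header so the script can be exercised offline. A banner match is an indicator that the device belongs to this white-label product line, not proof that a particular firmware build is exploitable; hits should be followed up with the proof-of-concept test the article mentions.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# The HTTP Server banner the hacked DVRs presented, per the article.
# It is the only indicator the page gives, so it is the only one matched.
VULNERABLE_BANNER = "Cross Web Server"


def parse_server_header(raw):
    """Return the value of the Server header from raw HTTP response bytes,
    or None if the response carries no Server header."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None


def grab_server_header(host, port=80, timeout=3.0):
    """Send a minimal HTTP/1.0 GET and return the Server header, or None
    if the host does not answer, refuses the connection, or omits it."""
    request = (
        "GET / HTTP/1.0\r\n"
        f"Host: {host}\r\n"
        "Connection: close\r\n\r\n"
    ).encode()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            raw = b""
            # Read only until the end of the header block; the body is irrelevant.
            while b"\r\n\r\n" not in raw and len(raw) < 65536:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                raw += chunk
    except OSError:
        return None
    return parse_server_header(raw)


def is_suspect_dvr(server_header):
    """True if the banner matches the white-label DVR web server (case-insensitive)."""
    return server_header is not None and VULNERABLE_BANNER.lower() in server_header.lower()


def scan(hosts, port=80, timeout=3.0):
    """Return the hosts whose web server presents the suspect banner."""
    return [h for h in hosts if is_suspect_dvr(grab_server_header(h, port, timeout))]


class _FakeDvrHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for offline testing: it reproduces only the
    banner, nothing else about the real firmware."""
    server_version = VULNERABLE_BANNER   # becomes the Server: header
    sys_version = ""                     # suppress the "Python/x.y" suffix

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.end_headers()
        self.wfile.write(b"<html><body>DVR login</body></html>")

    def log_message(self, *args):        # keep the demo quiet
        pass


def start_fake_dvr():
    """Start the stand-in on a free loopback port; returns (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), _FakeDvrHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    srv, port = start_fake_dvr()
    print("banner :", grab_server_header("127.0.0.1", port))
    print("suspect:", scan(["127.0.0.1"], port=port))
    srv.shutdown()
    srv.server_close()
```

Against a real network, replace the loopback host with the address range to inventory and keep the timeout short; devices that time out or refuse are simply reported as not matching rather than aborting the scan.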

Mr. Kerner's investigation continued after his initial discovery, and he amassed a list of 70 vulnerable DVR vendors. Eventually, the researcher realized that all of these vendors were merely resellers of a single white-label product.

These companies were just buying non-branded DVRs, complete with (vulnerable) firmware, slapping their logo on top, often tweaking the firmware, and then reselling the products.

Firmware's origin point was a company in China

The origin point for all these products was a Chinese company called TVT. The researcher reported the issue to TVT, but the company ignored him, so he did the only thing left and publicly disclosed the flaw, hoping that network administrators would at least move these vulnerable devices behind a firewall.

Placing the devices behind a firewall keeps script kiddies and Internet-wide scanners from reaching them, but it does not stop a determined attacker who has already compromised other equipment on the same private network from pivoting to the DVRs. Since no patch exists, the DVR's web interface should also be segmented away from the rest of the internal network, not just from the Internet.

Mr. Kerner was kind enough to provide a list of vulnerable vendors but said he could not precisely identify each vendor's affected models. A proof-of-concept exploit is available on GitHub, so network administrators whose equipment comes from a vendor on the list can test their own DVRs.