IoT security experts from Pen Test Partners have confirmed the presence of a backdoor in the firmware used by some DVR devices commonly deployed with CCTV surveillance systems.

Security researchers from Pen Test Partners have a regular habit of picking up random IoT equipment and testing it for security vulnerabilities.

In their most recent round of tests, the team decided to expand the scope of their research into CCTV systems. Since they've spent quite some time breaking down IP cameras, the researchers decided that this time around they would test DVRs (Digital Video Recorders), which are also part of standard CCTV setups.

MVPower DVR laced with security issues

For their experiment, the team picked up a random, cheap device off Amazon, choosing a DVR manufactured by MVPower.

The team immediately went to work on the device and, after only a quick battery of tests, discovered a large number of security and privacy issues.

The researchers managed to bypass the device's Web-based login system by manually setting a random username and password in their browser's cookie, were able to force the device to start as root, and eventually opened a Web shell that allowed them to run commands on the DVR.

They also managed to install a reverse shell for easier access to the device's terminal, discovered that the device had no CSRF protection and no brute-force attack protection, and found that the lack of HTTPS communications for the Web admin panel exposed its users to MitM attacks.

MVPower DVRs are sending CCTV feed snapshots to a hard-coded email address

But that was only the beginning. Buried deep in the firmware's code, the team discovered backdoor functionality that was taking snapshots of the first camera and sending them to an email address hosted on a Chinese email provider.

The email address is "lawishere@yeah.net", the email's subject is "Who are you?" and the email's body contains a 320x180px snapshot of the CCTV feed.
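A defender auditing an extracted firmware image can surface this kind of hard-coded recipient by pulling printable strings out of the binary and flagging email addresses that sit near SMTP keywords. The sketch below is an added example, not code from Pen Test Partners or the firmware; the function names are hypothetical and the sample blob is constructed around the address and subject quoted above.

```python
import re

# Printable-ASCII runs of 4+ bytes, the same idea as the Unix `strings` tool.
STRING_RE = re.compile(rb"[\x20-\x7e]{4,}")
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")
# SMTP protocol keywords: their presence suggests the binary can send mail itself.
SMTP_HINTS = (b"HELO", b"EHLO", b"MAIL FROM", b"RCPT TO", b"smtp")


def extract_strings(blob):
    """Return (offset, bytes) for every printable run in the image."""
    return [(m.start(), m.group()) for m in STRING_RE.finditer(blob)]


def find_hardcoded_mail(blob, window=256):
    """List embedded email addresses with SMTP keywords seen within `window` bytes."""
    strings = extract_strings(blob)
    findings = []
    for off, text in strings:
        for m in EMAIL_RE.finditer(text):
            addr_off = off + m.start()
            hints = sorted({
                h.decode()
                for o, t in strings if abs(o - addr_off) <= window
                for h in SMTP_HINTS if h.lower() in t.lower()
            })
            findings.append({"offset": addr_off,
                             "address": m.group().decode(),
                             "smtp_hints": hints})
    return findings


# Constructed sample, not real firmware: binary padding around SMTP format
# strings plus the address and subject line quoted in the article.
SAMPLE = (b"\x7fELF\x01\x01" + b"\x00" * 32
          + b"EHLO %s\r\n\x00MAIL FROM:<%s>\r\n\x00RCPT TO:<%s>\r\n\x00"
          + b"\xff" * 8 + b"lawishere@yeah.net\x00Who are you?\x00" + b"\xff" * 16)

if __name__ == "__main__":
    for f in find_hardcoded_mail(SAMPLE):
        print(f"0x{f['offset']:06x} {f['address']} smtp_hints={f['smtp_hints']}")
```

An address with no SMTP keywords nearby is still worth reviewing, since vendor contact addresses and licence text also appear in firmware; the hints only help prioritise which hits to trace in a disassembler.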

After digging around for more clues, Pen Test Partners discovered that the firmware was taken from the JUAN-Device GitHub repo, managed by someone named Frank Law.

The GitHub repo was taken offline last August after British developer Gregory Fenton confronted Mr. Law about this issue.

Let the conspiracy theory begin

Pen Test Partners says that the email address is still active. A quick Shodan search shows that there are currently around 44,000 devices available online that have the same server header as the one broadcast by the MVPower DVR.

Besides their Amazon store, neither Pen Test Partners nor Softpedia has managed to find any online presence for MVPower.

"We can’t find any detail on the name MVPower," Andrew Tierney of Pen Test Partners noted. "The firmware suggests commonality with Juantech, but none of their firmwares [sic] are compatible."

Since the company is so hard to get hold of, you can forget about receiving any firmware updates for any of the above-listed security issues.

As a coincidence, we've noticed that both Juantech and the Yeah.net email provider are registered in China's Guangdong province (near Hong Kong).

UPDATE: Someone under the name Frank Law is also the author of two CCTV apps on the iTunes App Store and the Google Play store, which lead back to the dvr163.com website.

Additionally, some of the debug code found in the DVR's firmware (which prints a cow's shape in ASCII characters and asks users if they mooed today) seems to have been taken from here (this link was also taken down, archived here).

Some users suggested to us that this might have been an accidental oversight on the part of the developers, and that the emailing function was actually a debug feature which the developers forgot to remove.

It is strange that GitHub repositories keep getting taken down whenever the community points out that the emailing functionality still exists in the firmware's code. Instead of fixing the firmware, the developers behind these repos prefer to take them down and start anew. Here's another repo where the emailing functionality is also included. Emails are still sent to the same address. We have reached out to the developer via email for his take on the whole story.

UPDATE 2: Pen Test Partners have continued their attempts at contacting Juantech, and after the Chinese manufacturer answered, have recently announced that the company, maker of the MVPower brand, will be issuing new firmware that removes the shell functionality entirely, removes the hidden emailing feature, and changes the root password.