According to http://www.kerneronsec.com/2016/02/remote-code-execution-in-cctv-dvrs-of.html, some DVRs manufactured by TVT (and we suspect other IP-enabled devices too) are susceptible to a RCE (Remote-Code-Execution) attack.
In computer security, arbitrary code execution is used to describe an attacker’s ability to execute any commands of the attacker’s choice on a target machine or in a target process. It is commonly used in arbitrary code execution vulnerability to describe a software bug that gives an attacker a way to execute arbitrary code. A program that is designed to exploit such a vulnerability is called an arbitrary code execution exploit. Most of these vulnerabilities allow the execution of machine code and most exploits therefore inject and execute shellcode to give an attacker an easy way to manually run arbitrary commands. The ability to trigger arbitrary code execution from one machine on another (especially via a wide-area network such as the Internet) is often referred to as remote code execution. (https://en.wikipedia.org/wiki/Arbitrary_code_execution)
What are DVRs and what other devices could be affected?
DVRs stand for « Digital Video Recorder » – the device that’s used to record CCTV cameras. In the same family, we can find NVRs(Network Video Recorders, used to record IP Cameras), IP Cameras, IP SpeedDome Cameras etc. Of course, for the attack to be successful, the devices need to be connected to a LAN and exposed to the Internet and the HTTP(WEB) port must be available (either directly or port-forwarded).
What are the risks?
First of all, unauthorized access to your network. Secondly, the device can be used as a « gateway » to transfer files, data, credentials outside your network. Using this attack, someone can also soft-brick (or-soft destroy) the device, leaving it useless. And, of course, an advanced attacker can even rewrite the embedded firmware with a custom one or repurpose the device.
According to Kerner, devices manufactured by chinese company TVT are all affected (although we do not know, for now, if only some versions are affected). Some vendors relabel (OEM) these devices and, according to Kerner, these are the ones that resell them:
Ademco, ATS Alarmes technolgy and ststems, Area1Protection, Avio, Black Hawk Security, Capture, China security systems, Cocktail Service, Cpsecured, CP PLUS, Digital Eye’z no website, Diote Service & Consulting, DVR Kapta, ELVOX, ET Vision, Extra Eye 4 U, eyemotion, EDS, Fujitron, Full HD 1080p, Gazer, Goldeye, Goldmaster, Grizzly, HD IViewer, Hi-View, Ipcom, IPOX, IR, ISC Illinois Security Cameras, Inc., JFL Alarmes, Lince, LOT, Lux, Lynx Security, Magtec, Meriva Security, Multistar, Navaio, NoVus, Optivision, PARA Vision, Provision-ISR, Q-See, Questek, Retail Solution Inc, RIT Huston .com, ROD Security cameras, Satvision, Sav Technology, Skilleye, Smarteye, Superior Electrial Systems, TechShell, TechSon, Technomate, TecVoz, TeleEye, Tomura, truVue, TVT, Umbrella, United Video Security System, Inc, Universal IT Solutions, US IT Express, U-Spy Store, Ventetian, V-Gurad Security, Vid8, Vtek, Vision Line, Visar, Vodotech.com, Vook, Watchman, Xrplus, Yansi, Zetec, ZoomX
Again, we cannot stress enough the need for stronger security in the IoT World. Including pen-testing the devices, especially ones that have embedded firmware/closed source.