Next level: updating devices with malware-infected firmware?

A new article on motherboard.vice.com (Hacker Claims To Push Malicious Firmware Update to 3.2 Million Home Routers) describes a new type of attack: devices abused through their own update mechanism so that they end up running a modified, malware-infected firmware (let's call it malware for now).

Impossible? Not really. Of course, the attacker has some practical problems to solve: how do you match each device with the "right" firmware image for its hardware and version? How do you rebuild that firmware with the malware inside?

But the most important question: does the device (or the manufacturer) use a strong security mechanism, such as a cryptographic signature that the device checks before flashing, to certify that the firmware is indeed legit? If it does, maybe it's time to update it. If not… well, trouble ahead!
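What that "strong security mechanism" looks like in practice, as an added example written for this post and not any vendor's real updater: the device holds only the vendor's public key, refuses any image whose signature does not verify, and also refuses a correctly signed image that is older than the one it already runs, since a genuine but vulnerable old firmware is a classic way to reopen a patched hole. The image layout, the key handling and the sample payload are assumptions made up for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Hypothetical update-image layout, an assumption made for this example
// (no vendor's real format):
//   magic "FWUP" (4) | version (4, big-endian) | payload length (4) | payload | Ed25519 signature (64)
// The signature covers every byte before it, so the version field cannot be
// altered without invalidating the signature.
const (
	imageMagic = "FWUP"
	headerLen  = 4 + 4 + 4
)

var (
	ErrBadMagic  = errors.New("not an update image")
	ErrTruncated = errors.New("image length does not match header")
	ErrBadSig    = errors.New("signature verification failed")
	ErrRollback  = errors.New("image version is not newer than the installed one")
)

// NewVendorKey makes the signing key pair. The private half stays on the
// vendor's build host; only the public half is burned into the device.
func NewVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// BuildImage is the vendor side: wrap the payload in the header and sign it.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	var buf bytes.Buffer
	buf.WriteString(imageMagic)
	binary.Write(&buf, binary.BigEndian, version)
	binary.Write(&buf, binary.BigEndian, uint32(len(payload)))
	buf.Write(payload)
	buf.Write(ed25519.Sign(priv, buf.Bytes()))
	return buf.Bytes()
}

// VerifyImage is the device side, run before anything is written to flash.
// The device holds only the vendor public key and its installed version.
func VerifyImage(pub ed25519.PublicKey, installed uint32, img []byte) (uint32, []byte, error) {
	if len(img) < headerLen+ed25519.SignatureSize {
		return 0, nil, ErrTruncated
	}
	if string(img[:4]) != imageMagic {
		return 0, nil, ErrBadMagic
	}
	n := binary.BigEndian.Uint32(img[8:12])
	if uint64(len(img)) != uint64(headerLen)+uint64(n)+ed25519.SignatureSize {
		return 0, nil, ErrTruncated
	}
	signed, sig := img[:headerLen+n], img[headerLen+n:]
	// Verify first: no header field, version included, is trusted until the
	// signature over it has been checked.
	if !ed25519.Verify(pub, signed, sig) {
		return 0, nil, ErrBadSig
	}
	version := binary.BigEndian.Uint32(img[4:8])
	// Anti-rollback: a genuinely signed but older (vulnerable) image is refused too.
	if version <= installed {
		return 0, nil, ErrRollback
	}
	return version, img[headerLen : headerLen+n], nil
}

func main() {
	pub, priv := NewVendorKey()
	img := BuildImage(priv, 2, []byte("constructed firmware payload, version 2"))

	v, _, err := VerifyImage(pub, 1, img)
	fmt.Println("genuine image:", v, err)

	tampered := append([]byte(nil), img...)
	tampered[20] ^= 0xff // one byte of the payload changed, as an implant would
	_, _, err = VerifyImage(pub, 1, tampered)
	fmt.Println("tampered image:", err)

	_, _, err = VerifyImage(pub, 2, img)
	fmt.Println("same version again:", err)
}
```

The order of the checks is the point: the version is read from the header but not acted upon until the signature over the whole header and payload has verified, so an attacker cannot bump the version to slip an old image past the rollback check. On a real device the public key itself has to be protected (in ROM, fuses or a signed bootloader), otherwise the attacker simply replaces it along with the firmware.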

Anyway, this isn't really a case of "trash the device", but rather a case of painful (and costly) ways to identify and disinfect it.

But… does this look like the dawn of devices held hostage by ransomware? Yes, it sure does. Just wait for it… or better not, and be prepared.

TVT DVRs vulnerable to RCE

According to http://www.kerneronsec.com/2016/02/remote-code-execution-in-cctv-dvrs-of.html, some DVRs manufactured by TVT (and, we suspect, other IP-enabled devices too) are susceptible to an RCE (Remote Code Execution) attack.

In computer security, arbitrary code execution is used to describe an attacker's ability to execute any commands of the attacker's choice on a target machine or in a target process. It is commonly used in the phrase "arbitrary code execution vulnerability" to describe a software bug that gives an attacker a way to execute arbitrary code. A program that is designed to exploit such a vulnerability is called an arbitrary code execution exploit. Most of these vulnerabilities allow the execution of machine code and most exploits therefore inject and execute shellcode to give an attacker an easy way to manually run arbitrary commands. The ability to trigger arbitrary code execution from one machine on another (especially via a wide-area network such as the Internet) is often referred to as remote code execution. (https://en.wikipedia.org/wiki/Arbitrary_code_execution)

What are DVRs and what other devices could be affected?

DVR stands for "Digital Video Recorder": the device used to record the feeds of (analog) CCTV cameras. In the same family we find NVRs (Network Video Recorders, which record IP cameras), IP cameras, IP speed-dome cameras, etc. For the attack to succeed from the outside, the device's HTTP (web) port must be reachable from the Internet, either directly or through port forwarding on the router; an attacker who is already inside the LAN can of course reach that port without any forwarding at all.

What are the risks?

First of all, unauthorized access to your network: code execution on the DVR gives the attacker a foothold on the LAN behind it. Secondly, the device can be used as a "gateway" to move files, data and credentials out of your network. Using this attack, someone can also soft-brick the device, leaving it useless. And, of course, an advanced attacker can rewrite the embedded firmware with a custom one and repurpose the device, which brings us back to the firmware story above.

Vendors/Manufacturers affected?

According to Kerner, devices manufactured by the Chinese company TVT are all affected (although we do not know, for now, whether only some firmware versions are affected). Many vendors relabel (OEM) these devices and, according to Kerner, these are the ones that resell them:
Ademco, ATS Alarmes technolgy and ststems, Area1Protection, Avio, Black Hawk Security, Capture, China security systems, Cocktail Service, Cpsecured, CP PLUS, Digital Eye’z no website, Diote Service & Consulting, DVR Kapta, ELVOX, ET Vision, Extra Eye 4 U, eyemotion, EDS, Fujitron, Full HD 1080p, Gazer, Goldeye, Goldmaster, Grizzly, HD IViewer, Hi-View, Ipcom, IPOX, IR, ISC Illinois Security Cameras, Inc., JFL Alarmes, Lince, LOT, Lux, Lynx Security, Magtec, Meriva Security, Multistar, Navaio, NoVus, Optivision, PARA Vision, Provision-ISR, Q-See, Questek, Retail Solution Inc, RIT Huston .com, ROD Security cameras, Satvision, Sav Technology, Skilleye, Smarteye, Superior Electrial Systems, TechShell, TechSon, Technomate, TecVoz, TeleEye, Tomura, truVue, TVT, Umbrella, United Video Security System, Inc, Universal IT Solutions, US IT Express, U-Spy Store, Ventetian, V-Gurad Security, Vid8, Vtek, Vision Line, Visar, Vodotech.com, Vook, Watchman, Xrplus, Yansi, Zetec, ZoomX


Again, we cannot stress enough the need for stronger security in the IoT world, including pen-testing the devices, especially those running closed-source embedded firmware.

Web Application Firewall (WAF)

What is a WAF?

A web application firewall (WAF) is an appliance, server plugin, or filter that applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as cross-site scripting (XSS) and SQL injection. By customizing the rules to your application, many attacks can be identified and blocked. Keep in mind that a WAF is a filter placed in front of the application, useful when you cannot fix the code behind it right away (a closed-source DVR web interface, for instance); it is not a replacement for fixing the vulnerability itself.

Any example?

ModSecurity is an open source web application firewall (WAF) module that is cross-platform capable. Known as the "Swiss Army Knife" of WAFs, it gives web application defenders visibility into HTTP(S) traffic and provides a powerful rules language and API to implement advanced protections.

More on this here: http://www.darknet.org.uk/2015/11/modsecurity-open-source-web-application-firewall/
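To make the definition above concrete, here is an added example written for this post, not code from ModSecurity or from the linked article: a minimal rule-based filter for Go's net/http that inspects every query-string and form parameter against an XSS and an SQL-injection pattern, logs the rule id and answers 403 on a match. The rule ids, patterns and sample requests are all constructed for the example. The last two requests show why "customizing the rules to your application" matters: a field that legitimately carries HTML trips the XSS rule, and the fix is to exclude that one parameter rather than switch the rule off.

```go
package main

import (
	"fmt"
	"log"
	"net/http"
	"net/http/httptest"
	"net/url"
	"regexp"
	"strings"
)

// Rule is one WAF rule: an id, a message for the log, the pattern it looks for
// in request arguments, and the parameters it has been tuned to skip. The shape
// follows what a ModSecurity SecRule expresses, but this is an illustrative
// mini-WAF written for this post, not ModSecurity itself.
type Rule struct {
	ID      int
	Message string
	Pattern *regexp.Regexp
	// Exclude names parameters this rule must not inspect: the per-application
	// tuning that removes false positives without disabling the rule.
	Exclude map[string]bool
}

// Constructed rule set covering the two attacks mentioned above. The ids are
// made up for this example.
var DefaultRules = []Rule{
	{ID: 1001, Message: "XSS: script tag, event handler or javascript: URL",
		Pattern: regexp.MustCompile(`(?i)<\s*script|\bon\w+\s*=|javascript:`)},
	{ID: 1002, Message: "SQLi: quoted tautology, UNION SELECT, trailing comment or stacked DROP",
		Pattern: regexp.MustCompile(`(?i)'\s*(or|and)\s+[\w']+\s*=\s*[\w']+|union\s+select|--\s*$|;\s*drop\s`)},
}

// Match returns the first rule matched by any inspected argument value, or nil.
func Match(rules []Rule, args url.Values) *Rule {
	for i := range rules {
		r := &rules[i]
		for name, values := range args {
			if r.Exclude[name] {
				continue
			}
			for _, v := range values {
				if r.Pattern.MatchString(v) {
					return r
				}
			}
		}
	}
	return nil
}

// WAF wraps the application handler. A request whose query string or form body
// matches a rule is logged with the rule id and answered with 403; everything
// else reaches the application untouched.
func WAF(rules []Rule, app http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
		if err := req.ParseForm(); err != nil {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		if r := Match(rules, req.Form); r != nil {
			log.Printf("blocked %s %s from %s: rule %d (%s)",
				req.Method, req.URL.Path, req.RemoteAddr, r.ID, r.Message)
			http.Error(w, "request blocked", http.StatusForbidden)
			return
		}
		app.ServeHTTP(w, req)
	})
}

// Probe pushes one request through the WAF in front of a stub application and
// returns the status code, so the rules can be exercised offline.
func Probe(rules []Rule, method, target, form string) int {
	app := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	req := httptest.NewRequest(method, target, strings.NewReader(form))
	if form != "" {
		req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	}
	rec := httptest.NewRecorder()
	WAF(rules, app).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(Probe(DefaultRules, "GET", "/search?q=router+firmware", ""))
	fmt.Println(Probe(DefaultRules, "GET", "/search?q=%3Cscript%3Ealert(1)%3C/script%3E", ""))
	fmt.Println(Probe(DefaultRules, "POST", "/login", "user=admin%27+OR+%271%27%3D%271&pass=x"))

	// A blog editor whose "body" field legitimately carries HTML trips the XSS
	// rule: a false positive. Tune the rule for this application by excluding
	// that one parameter rather than switching the rule off.
	post := "body=%3Cscript+src%3Dchart.js%3E%3C/script%3E"
	fmt.Println(Probe(DefaultRules, "POST", "/post", post))
	tuned := append([]Rule(nil), DefaultRules...)
	tuned[0].Exclude = map[string]bool{"body": true}
	fmt.Println(Probe(tuned, "POST", "/post", post))
}
```

Real rule sets are far larger and also look at headers, cookies, paths and response bodies, and simple patterns like these two can be evaded with encoding tricks, which is exactly why the WAF is a mitigation layer in front of the application and not a substitute for fixing it.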