Surveillance Camera Flaw Leaves Hackers in Control

Security researchers have found multiple vulnerabilities in digital video recorder (DVR) devices typically used in surveillance systems, which could allow remote attackers to gain complete control.

Security firm Rapid7 said in a Wednesday blog post that it found three serious buffer overflow flaws in Hikvision models including the DS-7204: CVE-2014-4878, CVE-2014-4879 and CVE-2014-4880.

All three vulnerabilities allow the attacker “to execute arbitrary code without authentication.”

Rapid7 focused on Hikvision because it’s a particularly popular brand with around 150,000 devices remotely accessible, according to security researcher Mark Schloesser.

This could be because it has a feature which allows users to view the surveillance video stream remotely via an iPhone app, he speculated.

Each flaw works slightly differently, but the end result is the same: a buffer overflow that lets the attacker remotely control the device.

This could allow a hacker to carry out covert surveillance of a specific site prior to a burglary, for example, and/or DoS the device completely to take it out of action.

Schloesser continued:

“The device under test was a Hikvision-DS-7204-HVI-SV digital video recorder device with firmware V2.2.10 build 131009 (Oct 2013). Other devices in the same model range are affected too. However, we do not have an exhaustive list of firmware versions and models…

Hikvision provided no response to these issues after several attempts to contact them. In order to mitigate these exposures, until a patch is released, Hikvision DVR devices and similar products should not be exposed to internet without the usual additional protective measures, such as an authenticated proxy, VPN-only access, et cetera.”

As if that wasn’t enough, the devices also come with a default administrative account ‘admin’ with a password of ‘12345’, Schloesser said.

Internet-connected devices have come under increasing scrutiny from the security community of late.

Websense said in its 2015 Security Predictions report this week that at least one major data breach would stem from an unsecured IoT device next year.

It also emerged this week that hundreds of UK webcams and CCTVs have been hacked and their feeds uploaded onto a Russian website thanks to poor in-built security.
