My apologies if this is a re-post, but has everyone heard about the vulnerabilities in Ray Sharp DVRs as well as rebranded DVR products by Swann, Lorex, URMET, KGuard, Defender, DEAPA/DSP Cop, SVAT, Zmodo, BCS, Bolide, EyeForce, Atlantis, Protectron, Greatek, Soyo, Hi-View, Cosmos, and J2000?
http://console-cowboys.blogspot.com/2013/01/swann-song-dvr-insecurity.html
https://community.rapid7.com/commun...sharp-cctv-dvr-password-retrieval-remote-root
Basically, if you use one of these devices, you probably ought not port-forward TCP 9000 from the internet unless you are restricting access by source. Changing this port might add a bit of security through obscurity but you'd still be totally vulnerable. Possible attacks include accessing clear-text admin passwords, creepy unauthorized access with said account, as well as using the DVR as a pivot point for attacking other internal network resources, e.g. your laptop, iPhone, PC, and whatever else. There's already a Metasploit aux/scanner module to discover vulnerable systems and dump the admin password.
As far as I know, neither Ray Sharp nor the rebranders have responded to this. I wouldn't be surprised if they never do. I've always wondered how many inadvertent (vulnerabilities) and purposeful (backdoors) security issues there are in these ubiquitous, cheap, poorly-developed DVRs. I've had Avtech and Dahua DVRs myself. Although it's hard to beat the value of these cheap devices, it's just a matter of time before more and more of these severe remote vulnerabilities are found as they become more prevalent. Let's just hope that the good guys (researchers) find them before those who would use them for their own nefarious purposes.
Jake
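
As an added example that is not part of the original post: a small audit of a Linux router's NAT table that lists every port forward reaching TCP 9000 on an inside host without a source restriction, matching on the internal port so that a renumbered external port is still caught. It assumes the router uses iptables and that the rules come from `iptables-save -t nat`; the sample rules, addresses and function names are constructed for illustration.

```python
import shlex

# Constructed sample of `iptables-save -t nat` output (addresses are made up).
SAMPLE_RULES = """\
*nat
-A PREROUTING -i eth0 -p tcp -m tcp --dport 9000 -j DNAT --to-destination 192.168.1.50:9000
-A PREROUTING -i eth0 -p tcp -m tcp --dport 47123 -j DNAT --to-destination 192.168.1.50:9000
-A PREROUTING -s 203.0.113.10/32 -i eth0 -p tcp -m tcp --dport 9001 -j DNAT --to-destination 192.168.1.50:9000
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.1.20:443
COMMIT
"""

DVR_PORT = "9000"  # the TCP port named in the post


def opt(tok, flag):
    """Value following `flag` in a tokenised rule, or None if the flag is absent."""
    return tok[tok.index(flag) + 1] if flag in tok[:-1] else None


def source_restricted(tok):
    """True only for a positive, non-wildcard -s match ('! -s x' admits everyone else).
    Other restrictions (ipset matches, separate filter rules) are not considered."""
    src = opt(tok, "-s")
    if src is None or src == "0.0.0.0/0":
        return False
    return tok[tok.index("-s") - 1] != "!"


def exposed_forwards(rules_text, dvr_port=DVR_PORT):
    """Return (external_port, internal_target) for each DNAT rule that reaches
    dvr_port on an inside host with no source restriction. Port ranges are ignored."""
    findings = []
    for line in rules_text.splitlines():
        tok = shlex.split(line)
        target = opt(tok, "--to-destination")
        if tok[:1] != ["-A"] or opt(tok, "-j") != "DNAT" or target is None:
            continue
        ext_port = opt(tok, "--dport")
        # With no ":port" in the target, DNAT keeps the original destination port.
        int_port = target.partition(":")[2] or ext_port
        if int_port == dvr_port and not source_restricted(tok):
            findings.append((ext_port, target))
    return findings


if __name__ == "__main__":
    for ext, target in exposed_forwards(SAMPLE_RULES):
        print(f"WAN tcp/{ext} -> {target} is reachable from any source")
```

On the constructed sample it reports the forwards on external ports 9000 and 47123 and passes the source-restricted rule on 9001.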