One of the alarming news that have rocked the video surveillance industry in the last few weeks is the revelation that over 50 million network devices and almost 20 brands of security DVR can be hacked easily.
These include rebranded DVR systems from Swann, Lorex, URMET, KGuard, Defender, DSP Cop, SVAT, Zmodo, BCS, Bolide, EyeForce, Atlantis, Protectron, Greatek, Soyo, Hi-View, Cosmos, and J2000 all of which use same DVR firmware provided by a Chinese company named Ray Sharp.
Digital Video Recorders (DVR) are the major part of video surveillance system or to put it mildly, they are the brains while the attached cameras are the eyes.
DVRs make it possible to easily record, store and playback several hours of video footage.
The problem now is that, most DVRs in the market now have been found to have major design flaw in their software making it possible for smart hacker to break into the DVR and begin to watch the videos on your security DVR if you have one.
The hacker can remotely gain control of your video security equipment to watch, copy, delete or alter video streams as he wishes.
According to studies conducted by SomeLuser, a security researcher who posted the results on his blog. He found that the DVR firmware from the Chinese company [Ray Sharp] didn’t encrypt usernames or passwords, which would make it easy to potentially access and manipulate CCTV feeds over the Internet.
they (Swann and other DVRs) expose their video streams as some RTSP channel that you could simply play using VLC (video player)…. The vulnerabilities allow for unauthenticated access to the device configuration, which includes readable usernames and passwords that, once obtained, can be used to execute arbitrary system commands root through a secondary flaw in the web interface…. This blog post pretty much outlines everything you would ever need to pull video from the device outside of their web UI.
Bojan Markovic, security systems integrator and blogger however pointed out that less emphasis should be placed on cheap DVR systems as they are mostly video players which allow video images to be recorded, stored and played.
He however cautioned that main problem with DVR systems (as pointed out in the research) is the loophole that can allow any hacker to inject (own) malicious codes into the client computer and gain access into the DVR.
This practically means if such DVR is connected to the internet (as most today’s DVRs are), then any hacker can break into the DVR, hijack the system and then hop around from one computer to another on your local area network.
This is particular disastrous for companies using DVR business security systems as they have much more valuable business and financial information on their network.
This should also be a concern for schools, homes and major establishments. Interestingly, I wrote an article not long ago on how video surveillance systems installed in school can be a thorn in the flesh if not properly monitored.
Hunter Becomes Hunted – Watchers Now Getting Watched
This is not a simple problem if we actually look at the tremendous security loophole such knowledge creates if skillful criminals get wind of it.
For example, criminals may not need to physically roam around your premise to know your itinerary. They can easily break into your system, watch your video streams real-time to know when you’re home and when you’re not.
They have easy access to break into your home as your DVR systems open the windows of opportunities for them. Now, with this knowledge, does this mean we cannot use video security systems again?
DVR Insecurity Detected. Now, What’s Next?
No doubt many people who have thought of investing in DVR security camera systems would be getting cold feet now because of this news. However, there are 3 points I think we can take away from this story:
Wake Up Call For DVR Security Systems Manufacturers
Since the vulnerabilities news went viral, it is expected that most DVR manufacturers will beginning to step up their quality control. News also has it that Ray Sharp will soon begin to roll out security updates for the existing DVRs while the security loopholes would be blocked in new systems before they are rolled out.
Insecurity Doesn’t Mean Easy Access
Most people would argue that as impressive as DVR security systems are, they are not suppose to be your only protection. You shouldn’t rely solely on your DVR for absolute protection.
There’s still a need to take necessary precautions to secure those DVRs from unauthorized physical access. You can still see your home, receive instant alert notification which can help you tell 911 immediately like this woman did.
Hacking is Really Hard!
No need to get so hyped and ditch your DVR. Hacking is hard. It’s not an easy skill to acquire. Ask the researcher who found this out.
He would tell you how many years it has taken him to acquire this skill and how much effort it took him to figure out the insecurity.
Researchers often fail one thousand and one time before they stumble on a single workable solution to a problem. This is not a 1+1 skill.
One thing that should also put your mind at ease is that it’s not so easy to intercept your transmitted signal as most manufacturers use high bits encryption algorithm to secure your transmission. What you actually need to secure is the physical access to the system.
Note that the researcher had PHYSICAL access to the system. He did not do the hack online. He had to open up the system, look inside the board, spent several hours to inspect, see and experiment.