activities are now becoming responsible for compromising security of home and
video recorders or DVRs either employ hard-coded passwords or don’t use one
at all, which gives attackers a way past the device's security. Recently 46,000 DVRs were found open to remote hijacking
through a hard-coded firmware username and password.
Risk-Based Security chief
researcher Carsten Eiram says most of the DVRs, which record footage from
surveillance cameras, are operating in the US.
“Based on searches using Shodan.io, there are about 36,000 to 46,000 affected
internet-connected devices,”
Eiram says. He added that the other countries active in the usage of these
cameras are the UK, Canada, Mexico, and Argentina.
“While analysing cgiServerbinary, we noticed that the authentication
process specifically checked for the username ‘root’ and password ‘519070’
[which is] the same code found in RscgiServerbinary”, added Eiram.
The researchers' analysis states:
“The main() function of the CGI
script calls a function to authenticate the user. Within this function, another
function is eventually called to handle the authentication and return the
result. The function retrieves the user-supplied credentials and calls a
function to check them. Within this function, part of the code specifically
checks if the supplied username is ‘root’ and the password is ‘519070’. If
these credentials are supplied, full access is granted to the web interface.”
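The check described in the analysis, and the passwordless case mentioned in this article, can be shown side by side with a corrected form. This is an added example, not the vendor's code or the researchers': the struct, function names and sample account are hypothetical, and the stored password is kept in plain text only to keep the comparison short (a real device would store a salted hash).

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the account the owner configures on the device. */
struct account { const char *user; const char *pass; };

/* Flawed pattern from the analysis: a literal pair compiled into the binary
 * is accepted regardless of what the owner has configured. */
int check_flawed(const struct account *acct, const char *user, const char *pass)
{
    if (strcmp(user, "root") == 0 && strcmp(pass, "519070") == 0)
        return 1;                      /* owner cannot change or remove this */
    return strcmp(user, acct->user) == 0 && strcmp(pass, acct->pass) == 0;
}

/* Compare whole strings without stopping at the first mismatching byte. */
static int same(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b), n = la < lb ? la : lb;
    unsigned char diff = (unsigned char)(la != lb);
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Corrected form: no compiled-in credential, and an account with no
 * password set is refused instead of matching an empty string. */
int check_hardened(const struct account *acct, const char *user, const char *pass)
{
    if (!acct || !user || !pass || !acct->pass || acct->pass[0] == '\0')
        return 0;
    return same(user, acct->user) & same(pass, acct->pass);
}

int main(void)
{
    struct account owner = { "admin", "S3t-by-0wner" };   /* constructed */
    struct account unset = { "admin", "" };               /* no password set */

    printf("literal pair : flawed=%d hardened=%d\n",
           check_flawed(&owner, "root", "519070"),
           check_hardened(&owner, "root", "519070"));
    printf("empty passwd : flawed=%d hardened=%d\n",
           check_flawed(&unset, "admin", ""),
           check_hardened(&unset, "admin", ""));
    printf("owner login  : hardened=%d\n",
           check_hardened(&owner, "admin", "S3t-by-0wner"));
    return 0;
}
```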
The vulnerability was first
reported to US-CERT on 9 September. But the report was acknowledged on 21
It was also found that some DVRs
visible on Shodan didn’t even require passwords and could be compromised to give
attackers a remote root shell that cannot be removed.
Experts say that most devices
will remain exposed, since changing the password is cumbersome: it requires the DVR to be
connected to a local TV with a user-supplied keyboard.