Surveillance cameras sold by more than 70 vendors worldwide were found to be vulnerable to Remote Code Execution (RCE) because of shared firmware code, a researcher has discovered.
The affected products come from vendors that resell almost identical products, all of which include vulnerable software apparently built by Chinese manufacturer TVT.
Security researcher Rotem Kerner analyzed the firmware of surveillance cameras and discovered a new attack vector that can compromise DVR boxes, the main component of CCTV systems.
Because of a “white labeling” business model, where vendors place their logo on a product built by another manufacturer, and due to improper security verification of software packages, nearly identical products from tens of vendors expose users to the same security flaws.
In this specific case, Kerner discovered that the firmware used in vulnerable products from an Israeli company selling CCTV systems was susceptible to RCE because of a vulnerable implementation of the HTTP server.
The security flaw relies in the server checking if the directory of a given language exists and on it executing an extraction command if it does not exist. Next, the researcher was able to create an exploit for the vulnerability, and has already published it online.
According to the researcher, tens of thousands of products using the same HTTP server implementation, appear in Shodan search results, suggesting that all of them are vulnerable. However, the exact number of vulnerable products could be much higher, and the impact of this security flaw should not be underestimated, the researcher suggests.
Kerner also explains that he tried contacting the original manufacturer TVT, but that he received no response from the company thus far. The researcher published a list of vendors selling TVT products under their own brand and advises users to deny any connection from an unknown IP address to the DVR services, especially since the same systems might be affected by exploits for other vulnerabilities as well.
While this scenario is not new, it once again reveals the importance of performing security checks on any software packed inside embedded devices, especially when outsourcing production. In fact, Eurecom and Ruhr-University Bochum researchers revealed in November last year that insufficient security checks make embedded device firmware images susceptible to multiple security flaws. After analyzing thousands of firmware images from tens of different vendors, the researchers discovered hundreds of vulnerabilities in the Web interfaces of corresponding IoT devices. While cross-site scripting (XSS) and file manipulation were the most prevalent security flaws, the analyzed firmware images were also susceptible to command injection, file inclusion, file disclosure, SQL injection, and RCE.
Firmware images have been long said to be as vulnerable to attacks as any other piece of software, and VirusTotal in January announced that it now offers support for scanning these packages for malware. In November 2015, a study by IT security consultancy SEC Consult revealed that millions of Internet-of-Things (IoT) devices use the same cryptographic secrets, making them vulnerable to various types of malicious attacks.