Connect with us

Hi, what are you looking for?


Identity & Access

Surveillance Video Recorders Exposed by Hardcoded Passwords

Tens of thousands of digital video recorders (DVRs) used to store footage captured by surveillance cameras can be easily accessed by remote hackers because their web interface is either protected by a hardcoded password or no password at all.

Tens of thousands of digital video recorders (DVRs) used to store footage captured by surveillance cameras can be easily accessed by remote hackers because their web interface is either protected by a hardcoded password or no password at all.

A report published on Wednesday by Risk Based Security (RBS) revealed that the firmware of DVRs manufactured by China-based Zhuhai RaySharp, which reportedly exports 60,000 units every month, includes a web interface that allows users to manage the devices, view recorded video, and control surveillance cameras.RaySharp DVRs vulnerable to hacker attacks

The problem is that the web interface can be accessed using credentials that are hardcoded in the firmware, which enables unauthorized third parties to easily gain control of the device. Researchers found that the devices could be accessed with the username “root” and the password “519070,” although older reports suggest that in some cases other usernames work as well in combination with the aforementioned password.

A search conducted by Risk Based Security using Shodan revealed that there are between 36,000 and 46,000 DVRs accessible from the Internet, roughly half of which located in the United States. Internet-connected devices were also discovered in the UK, Canada, Mexico, Argentina and other countries.

Experts have pointed out that RaySharp products are not the only ones affected by this vulnerability (CVE-2015-8286) as other vendors from the US and Europe use the Chinese company’s firmware for their devices, including Lorex, Defender, Swann, KGuard Security, König and COP USA.

RBS reported the flaw to US-CERT in September 2015 and US-CERT notified all affected vendors by late October, but only few released patches so far. RaySharp acknowledged receiving the report, but it has yet to release a fix. Swann said it was working on its own patches and Defender claimed it released a firmware update that addressed the issue in late September.

In 2013, researchers reported finding a vulnerability in RaySharp DVRs and other devices based on the RaySharp firmware. The security hole, whose existence was again mentioned last year, allows an attacker to bypass authentication and compromise the products. RBS analyzed the firmware of these devices to see if it can find an even easier way to hack them — and apparently it succeeded.

Researchers at Pen Test Partners have also analyzed DVR security. For their tests, they purchased an MVpower device, which appears to have even weaker security than the products analyzed by RBS. Experts have found 44,000 devices accessible on the Internet and it might be possible to easily access many of their administration interfaces with the username “admin” and a blank password.

Pen Test Partners also reported finding web authentication bypass issues, security bugs that allow attackers to obtain local and remote shell access, the lack of CSRF protection and HTTPS, and no mechanism for updating the firmware. Experts also discovered code designed to capture screenshots from one of the cameras connected to the device and send them to a specified email address.

Advertisement. Scroll to continue reading.

DVRs are not the only types of devices left exposed by default passwords. Researchers warned last week about the dangers of running VoIP phones using the default configuration and default passwords.

Related: Multiple Vulnerabilities Found in Hikvision DVR Devices

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...


The private equity firm merges the newly acquired ForgeRock with Ping Identity, combining two of the biggest names in enterprise IAM market.


Government agencies in the United States have made progress in the implementation of the DMARC standard in response to a Department of Homeland Security...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Email Security

Many Fortune 500, FTSE 100 and ASX 100 companies have failed to properly implement the DMARC standard, exposing their customers and partners to phishing...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

CISO Strategy

Okta is blaming the recent hack of its support system on an employee who logged into a personal Google account on a company-managed laptop.