Over 55,000 security camera DVRs are vulnerable to an exploit so simple it fits in a tweet

Originally published at: https://boingboing.net/2018/05/08/morzilla.html


Fernandez has released a proof-of-concept exploit for the vulnerability…

Scramble black security team Echo! Maximum threat - extreme prejudice! Go! Go! Go!


Insecure Of Things indeed.


I know I’m just a communist weirdo, but why on earth can’t we make the companies that sell these Internet of Shit devices liable for the security holes in them?

Yes, I know, lots of them are sold by fly in the night Chinese companies who can and do close up shop every time things get inconvenient for their owners, only to reopen under a new name with allegedly new owners the next day. But at least some of these devices are sold under the label of real companies that can’t close down at the drop of a hat.

If every unpatched security flaw meant, say, a $10 fine per device sold, I think the internet of things would contain a lot less shit awfully fast.


so simple it fits in a tweet

Convenient & simple, I like that.


Roger That!


Any suggestions anywhere on mitigation strategies? I discovered that my work has one of the affected devices.

A wire cutter should do the trick.


First thing that should be done with all routers is disable UPNP right away.


I mean, don’t get me wrong it is serious for the owners of those devices, but … I don’t know, I expect my vulnerabilities to be difficult to understand stuff coming from the complexities of programming.

This is more like selling cars that have no lock whatsoever. This is not a software error, this is deliberately selling something with no security whatsoever.

Mitigation strategy? Don’t let anything from the internet communicate with the DVR! How often do you need the internet to communicate with a DVR in the first place? And if you do need access to the DVR from across the internet, then VPN into the corporate network to access it.

Most of the routers I deal with don’t ship with uPnP enabled; you have to enable it (or push a button) to turn it on. I’ll grant that it’s a total pain in the ass to turn on, at least for an Edgerouter, but uPnP is dangerous enough that it shouldn’t be turned on unless you know what you’re getting into.

Thank you - making sure it is airgapped/disconnected from the Internet now. Realized that we have a workaround for connecting it to the internet - we have a (theoretically more secure) system with a different security camera pointing to the output monitor. :rofl:


But, but, something-something Free Market! /s


And if you know what you are doing you can just deal with that stuff manually and you know what is actually published.

Aside from the basic “the US Chamber of Commerce says that’s class warfare!” response; I imagine that implementation would get messy fast because the measures that really matter would be fairly easy (and extremely tempting) to game with limited improvement in actual security.

Even the fairly detailed scoring system has a fair amount of wiggle room; and getting honesty out of the tech side when legal sees exposure would be tricky. On the mitigation side, there would be a great deal of pressure to define the metrics toward things that are easy and away from ones that are useful (“it’s a consumer system, best effort, and we published an advisory on our buried legalese nobody reads page telling consumers to turn it off until an update was available within 15 minutes of being advised of the issue! That’s impeccable response!”)

There would also be a strong incentive to shove the “cause” of the vulnerability onto the user (consider the example of “eco mode” in TVs, it exists primarily to demonstrate a suitably impressive adherence to energy standards and to be turned off the moment the user gets home and switches the image quality to “don’t suck”; but it was totally energy star+++ when they bought it…):

Something trivial and petty like, say, turning off uPnP for testing; but having it turn on again during setup unless the user chooses double-secret-nerd-mode rather than EZ-config; or disabling basically all the features until they press the “network setup” button (no remote vulnerabilities exist before the user screws this up!) and choose EZ-config to enable the features they actually purchased the device for. If an additional arm’s length is needed, an ‘app store’ that makes it easy and seemingly a good idea to add the dangerous features from a 3rd party is always an option.

I’m sure there are additional shoddy tricks I’m not yet thinking of.

I really want that Doraemon stool.

It seems this guy has a toy train set on his table? It looks like he is controlling it with his phone but that is surely just a coincidence right?

I guess what I’m asking is, does anybody recognize this?

The baby bed/container in the corner makes it very plausible that he has a small kid, pointing towards the toy train set hypothesis.
