I would love to see a documentary / an interview of the developer (team?) behind these Chinese crappy products. Are they really that incompetent or is it just totally different culture?
I knew a guy who spent an internship after his first year of university at some such place in China. He said he told them the PSU design was no good (dangerously ungood), proposed part substitutions were invalid, but nobody cared.
I use a bunch of cheap ip cameras of various brands: foscam, crenova, etc. They all have telnet backdoors, which is actually pretty convenient for me.
Good find. Wow, that repo is a class act. Binaries checked in and everything. Clearly looks like this and the OP's DVR share lineage.
I surely hope that somebody can figure out how to make firmware images for these, and use this code as a base to fix these flaws. A kind DD-DVR project, if you would.
They don't say whether they actually caught the DVR in the act of e-mailing frames. A simple Wireshark trace could reveal the difference between malintent and some dumb vestigial debugging code.
Very interesting talk at Blackhat about the numerous security vulnerabilities CCTV cameras have such as hard coded master passwords in firmware: https://www.youtube.com/watch?v=LaI0xjeefpg
I have one of those. Root password is "juantech". Did not know about the shell, how useful! The telnet daemon crashed quickly on mine last time I played with it.
Neo: Who are you?
The Architect: I am the Frank Law, the architect. I created the Matrix. I've been waiting for you.
The Amazon link presented in the article has no reviews of this product that explain what it does. If anyone decides to buy one to play with, it'd be good to leave a warning to others about this sort of behavior. The product does not appear to be available in the US for whatever reason.
I'm thinking about what we can do about the flood of hideously insecure embedded devices. I wonder if there are industry standard, consumer-visible product security certifications?
In 2001 I wrote a 10,000 word series of articles for the physical security industry on emerging computer-based threats. Apparently they didn't read them.
theshowmustgo|10 years ago
And on Google Playstore https://play.google.com/store/apps/details?id=com.juanvision...
Do they also contain backdoors? Domain and email used: www.dvr163.com [email protected] Screenshots in the app come from this site: http://www.juancctv.com/jishu.asp
Yaggo|10 years ago
I mean, after all they are capable of bundling all the FOSS together, writing some code on their own, and even shipping a working product, but they don't realize that running commands as root from a query string is a horrible idea? That's hard to buy.
OJFord|10 years ago
It's just ~~desire~~ mandate to "ship it cheap", and no desire or care at all. He didn't go back.
dmm|10 years ago
I keep mine on a separate LAN which can't connect to the internet or the other more-trusted LAN. The average grandpa connecting these things to the internet is screwed though.
witty_username|10 years ago
ttctciyf|10 years ago
This code seems related - it has the cow ascii art and the email-sending functionality and email address mentioned in the article: https://github.com/simonjiuan/ipc/blob/master/src/cgi_misc.c - I wonder what else is in there!
colanderman|10 years ago
From what I can tell, the e-mail address etc. are defaults used in CGI_send_email, which is only invoked as the handler for the /email endpoint. Looking at the order of endpoints defined in https://github.com/simonjiuan/ipc/blob/master/src/ipcam_netw... it seems that /email was probably left out in the DVR's code, so it's possible this function is simply never invoked, and we're just left with the WTF that not only did the original author (Mr. Law) think that an e-mail service needed a default "To", but that he thought it should be him, and that he left it in the final product.
davenull|10 years ago
PinguTS|10 years ago
And according to that source, you can change that target email address via a request parameter.
Phil_Latio|10 years ago
colanderman|10 years ago
Actually, from a brief scan of a related codebase, it's likely that it doesn't send e-mails. The title of the article is therefore at a minimum unsubstantiated.
cybergibbons|10 years ago
My device sends an email at boot to the email address, and it has also been triggered at other times - I am not sure why.
It looks like there are a number of variants of the device out there.
The repo mentioned in another comment has a Makefile for another device, and has been forked 9 times. It could be used anywhere.
The article will be updated, but I'll have to get a trace another time.
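One way to check a trace like the one cybergibbons wants to capture, as an added example that is not from the thread or the firmware: given the plaintext SMTP session as Wireshark's "Follow TCP Stream" view would show it (the sample below is constructed, and every address and hostname in it is invented), extract the envelope sender, every RCPT TO, whether an image part was attached, and flag recipients the owner never configured.

```python
import re

# Constructed sample: a plaintext SMTP exchange as it would appear in
# Wireshark's "Follow TCP Stream" view of a DVR talking to a mail relay.
# Every address and hostname here is made up for the example.
SAMPLE_STREAM = """\
220 mail.relay.invalid ESMTP
MAIL FROM:<dvr-noreply@example.invalid>
250 OK
RCPT TO:<owner@example.invalid>
250 OK
RCPT TO:<unknown-vendor@vendor.invalid>
250 OK
DATA
354 End data with <CR><LF>.<CR><LF>
Subject: DVR snapshot
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: image/jpeg; name="ch1.jpg"
Content-Transfer-Encoding: base64

/9j/4AAQSkZJRg==
--b1--
.
250 OK queued
"""

# Envelope commands are matched per line; the image check looks at MIME part headers.
FROM_RE = re.compile(r"^MAIL FROM:\s*<([^>]+)>", re.I | re.M)
RCPT_RE = re.compile(r"^RCPT TO:\s*<([^>]+)>", re.I | re.M)
IMAGE_RE = re.compile(r"^Content-Type:\s*image/", re.I | re.M)


def summarize_smtp(stream: str) -> dict:
    """Return the envelope sender, all envelope recipients and whether an image part was sent."""
    match = FROM_RE.search(stream)
    return {
        "sender": match.group(1) if match else None,
        "recipients": RCPT_RE.findall(stream),
        "has_image": bool(IMAGE_RE.search(stream)),
    }


def unexpected_recipients(stream: str, allowed: set) -> list:
    """Recipients the owner never configured; for a DVR this list should be empty."""
    allowed_lower = {a.lower() for a in allowed}
    return [r for r in RCPT_RE.findall(stream) if r.lower() not in allowed_lower]
```

If the device uses TLS to the relay, the stream will not be readable this way and the RCPT TO addresses have to come from the relay's own logs instead.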
sdk77|10 years ago
That image isn't so curious. Try 'apt-get moo' on any debian based box.
cybergibbons|10 years ago
devhxinc|10 years ago
_yy|10 years ago
... :-/
Fortunately, I disconnected it from the network a long time ago. Works well standalone, the UI is ok.
cybergibbons|10 years ago
openssl passwd -salt a0 juantech
a0hDjN2cjQ1hI
I've brute-forced all alphanumeric for the descrypt hash, and not found anything. Trying the whole space now, but it will be weeks.
I think mine was regularly rebooting, but I've put it away so need to check.
rrauenza|10 years ago
joenathan|10 years ago
cornchips|10 years ago
---
Someone please go arrest this voyeur before he deletes the evidence.
If he were some low-level engineer I would perceive this as unintentional. That's not the case. Unless the title "chief software engineer" means something else in China... https://www.linkedin.com/in/frank-law-2b14b790
From my sleuthing experience, deleting things [the github repository] usually means some kind of wrongdoing; not necessarily related to the erased.
It is my belief this was intentional.
matthewbauer|10 years ago
jacquesm|10 years ago
Natsu|10 years ago
http://www.amazon.co.uk/dp/B0162AQCO4
(Link has been shortened to use only the ASIN.)
cybergibbons|10 years ago
I submitted a review but it has yet to be approved.
It has been approved but the exploit link and link to the blog post are not in it.
https://www.amazon.co.uk/review/R20SLCJIPN9UDB/ref=pe_157228...
est|10 years ago
yeah.com is an early free hosting and email provider in China.
maybe the same person with an avatar http://tieba.baidu.com/home/main?un=lawishere
maybe his blog http://blog.csdn.net/lawishere
lots of C/C++, mpeg, streaming stuff.
leavjenn|10 years ago
On Google Play, https://play.google.com/store/apps/developer?id=Frank+Law
The developer email is the same.
Combining the nicknames (lawishere and Frank Law), this may be his GitHub page, https://github.com/lawishere
plasma|10 years ago
caf|10 years ago
cybergibbons|10 years ago
Part of the problem though is that there is not a full toolchain. You could replace the DVR app, but the OS is still going to be crap.
I had a very quick go at updating the firmware with Juantech and it failed. There is some check in place to prevent this.
ausjke|10 years ago
bjackman|10 years ago
ya|10 years ago
cybergibbons|10 years ago
I didn't look into that as the other stuff meant it was game over.
contingencies|10 years ago
ausjke|10 years ago
hoodoof|10 years ago
"Backdoor in DVR firmware sends CCTV camera snapshots to email address in China"
OR
"Backdoor in DVR firmware sends CCTV camera snapshots to email address"
Notice the difference?