Backbytes: Insecure security systems

Can we interest you in an Internet of Things home security system?

So, you've bought and installed one of those cheap CCTV systems that come bundled with an equally cheap digital video recorder (DVR) in order to check-out who's sniffing around your back gate while you're out at work. But have you stopped to consider who else might be checking out your CCTV images at the same time?

Back in 2013, a security researcher showed how insecure many of them were when he had a nose around a Swann-branded CCTV system (the kind you could purchase in Maplin) and found that the DVR firmware, made by Guangdong-based Ray Sharp, was critically insecure - and shared by at least 18 other brands of CCTV systems.

Security company Rapid7 took up the baton and found a whole load more problems, including the use of a January 2009 version of OpenSSL known to be rife with security problems.

"The vulnerabilities allow for unauthenticated access to the device configuration, which includes the clear-text user names and passwords that, once obtained, can be used to execute arbitrary system commands root through a secondary flaw in the web interface," the company warned.

It continued: "A vulnerable DVR that is protected by the corporate firewall is not much of a risk for most organisations. In this case, however, the situation is substantially worse.

"The Ray Sharp DVR platform supports the Universal Plug and Play (UPnP) protocol and automatically exposes the device to the internet if a UPnP-compatible router is responsible for network address translation (NAT) on the network. Many home and small office routers enable UPnP by default. This has the effect of exposing tens of thousands of vulnerable DVRs to the internet."

So what's changed since then? Well, clearly not a lot.

In fact, you could say it's got even worse, with one of the biggest-ever distributed denial of service attacks, perpetrated this summer, being traced back to... you guessed it, compromised CCTV systems.

Indeed, earlier this year security researchers found a remote-code execution vulnerability in DVRs from more than 70 different vendors along with hard-coded passwords. Given the lackadaisical attitude to security in these devices, there's no doubt a whole load more other insecurities just waiting to be found and exploited.

And there's not a lot their owners can do, either: the systems, which all run security brutalised iterations of Linux, are rarely, if ever, patched by their manufacturers and will probably stay connected, compromised and DDoSing with abandon for years with the blissful ignorance of their owners.

Now, can we interest you in a ‘smart home' kit that can control your boiler, lighting and even your front door lock?