by RSS Gavin Chow  |  Mar 24, 2017  |  Filed in: Security Research

Digital Video Recorders / Network Video Recorders (DVR/NVR)

Back in 2015, our telemetry detected a relatively small number of IPS signature hits on known vulnerabilities targeting DVR/NVR devices (~ 749 hits). In 2016, however, we saw this number increase alarmingly to around 1.5 million hits. By using a size comparison chart again, we can see the huge increase more clearly when we compare both years, as shown below:

DVR/NVR IPS Signature Hits Comparison 2015/2016

The question, of course, is what contributed to this huge increase in detected hits? Once again, let’s look at the data to analyze the DVR/NVR IPS triggers in more detail for both years:

Top 3 DVR/NVR IPS Signature Hits 2015

In 2015, the “Samsung.DVR.Web.Viewer.Information.Disclosure” signature triggered the most hits (~ 66%) in the DVR/NVR category. This was related to the discovery and disclosure of an information disclosure vulnerability in Samsung Web Viewer for Samsung DVR devices. This vulnerability allows remote attackers to access sensitive information from affected systems through a specially crafted HTTP request. As of this date, there is still no publicly known fix for this issue.

In 2016, several new DVR/NVR IPS signatures were released tied to newly discovered DVR/NVR vulnerabilities. As a result, the number of hits increased significantly compared to 2015. Out of all these DVR/NVR hits, one new vulnerability stood out from the rest. “Multiple.CCTV.DVR.Vendors.Remote.Code.Execution” triggered the most hits in the DVR/NVR category, accounting for more than 99% of all attacks detected. This is a serious vulnerability that when successfully exploited allows remote code execution on the affected DVR/NVR device.

The large number of hits detected may be traced back to a public disclosure detailing this vulnerability released by an Israeli security researcher back in March 2016. And once again, no known fixes are yet available for this vulnerability. The researcher also claimed that this vulnerability affects a wide array of different DVR/NVR brands, as they all seem to share the same vulnerable code base due to white labeling. This problem with the white labeling of IoT code has been seen in other devices as well, and helps explain why attacks targeting this vulnerability were so prevalent in 2016, and why we predict that they are likely to continue throughout 2017.

Another alarming fact - three other remote code execution signatures showed up in 2016 against DVR/NVR devices that contributed to the volume of hits recorded in our telemetry:

This highlights an important point - some DVR/NVR manufacturers are still not mature enough to adequately handle product security yet. The challenge is that consumers still have no good way to determine if a product they are purchasing is adequately protected.

Now let’s look back at how widespread the “Multiple.CCTV.DVR.Vendors.Remote.Code.Execution” vulnerability was in 2016 from a global and regional perspective:

Multiple.CCTV.DVR.Vendors.Remote.Code.Execution – Top 10 Countries 2016 (Global)

Multiple.CCTV.DVR.Vendors.Remote.Code.Execution  – Top 10 Countries 2016 (Global)

Multiple.CCTV.DVR.Vendors.Remote.Code.Execution – Top 10 Countries 2016 (APAC)

Multiple.CCTV.DVR.Vendors.Remote.Code.Execution  – Top 10 Countries 2016 (APAC)

Multiple.CCTV.DVR.Vendors.Remote.Code.Execution – Top 10 Countries 2016 (EMEA)

Multiple.CCTV.DVR.Vendors.Remote.Code.Execution  – Top 10 Countries 2016 (EMEA)

Multiple.CCTV.DVR.Vendors.Remote.Code.Execution – Top 10 Countries 2016 (Americas)

Multiple.CCTV.DVR.Vendors.Remote.Code.Execution  – Top 10 Countries 2016 (Americas)

Summary

It is important to note that DVR/NVRs are often used together with IP cameras for storing video feeds captured in digital format. And like most IoT devices, not only are they almost always on, they are seldom checked for security updates. When white labeled IoT code is combined with DVR/NVR vendors with minimal security experience or maturity in their products, it’s just a matter of time before a determined threat actor manages to find a vulnerability and exploit these devices. This is what is clearly seen in our 2016 telemetry numbers, where we documented a huge jump in DVR/NVR IPS hits, primarily targeting the new Multiple.CCTV.DVR.Vendors.Remote.Code.Execution vulnerability, as well as the three other new remote code execution issues in different DVR/NVR products listed above.

As long as no fixes are available, and end users remain unaware of these threats, we expect to see attacks continue to target the Multiple.CCTV.DVR.Vendors.Remote.Code.Execution vulnerability and similar issues into 2017 and beyond.

Challenges like these highlight why it is critical to purchase an NVR solution from a company with network security awareness running through its veins. Fortinet, for example, understands the security challenges presented by connected DVR/NVR deployments. Which is why our FortiRecorder solutions are specially designed to act as a shield between IP cameras and the public internet, and are continuously updated to address known vulnerabilities.

by RSS Gavin Chow  |  Mar 24, 2017  |  Filed in: Security Research