IoT security experts from Pen Test Partners have confirmed the presence of a backdoor in the firmware used by some DVR devices commonly deployed with CCTV surveillance systems.
Security researchers from Pen Test Partners have a regular habit of picking up random IoT equipment and testing it for security vulnerabilities.
In their most recent round of tests, the team decided to expand the scope of their research into CCTV systems. Since they’ve spent quite some time breaking down IP cameras, the researchers decided that this time around they would test DVRs (Digital Video Recorders), which are also part of standard CCTV setups.
MVPower DVR laced with security issues
For their experiment, the team picked up a random, cheap device off Amazon, choosing aDVR manufactured by MVPower.
The team immediately went to work on the device and only after a quick battery of tests discovered a large number of security and privacy issues.
The researchers managed to bypass the device’s Web-based login system by manually setting a random username and password in their browser’s cookie, were able to force the device to start as root, and eventually opened a Web shell that allowed them to run commands on the DVR.
They’ve also managed to install a reverse shell for easier access to the device’s terminal, discovered that the device had no CSRF protection, no brute-force attack protection, and found out that the lack of HTTPS communications for the Web admin panel exposed its users to MitM attacks.
MVPower DVRs are sending CCTV feed snapshots to a hard-coded email address
But that was only the beginning. Buried deep in the firmware’s code, the team discovered a backdoor functionality that was taking snapshots of the first camera and sending it to an email address hosted on a Chinese email provider.
The email address is “email@example.com,” the email’s subject was “Who are you?” and the email’s body contained a 320x180px snapshot of the CCTV feed.
After digging around for more clues, Pen Test Partners discovered that the firmware was taken from the JUAN-Device GitHub repo, managed by someone named Frank Law.
The GitHub repo was taken offline last August after British developer Gregory Fentonconfronted Mr. Law about this issue.
Let the conspiracy theory begin
Pen Test Partners says that the email address is still active. A quick Shodan search shows that there are currently around 44,000 devices available online that have the same server header like the one broadcasted by the MVPower DVR.
Besides their Amazon store, neither Pen Test Partners nor Softpedia has managed to find any online presence for MVPower.
“We can’t find any detail on the name MVPower,” Andrew Tierney of Pen Test Partners noted. “The firmware suggests commonality with Juantech, but none of their firmwares [sic] are compatible.”
Since the company is so hard to get hold of, you can forget about receiving any firmware updates for any of the above-listed security issues.
As a coincidence, we’ve noticed that both Juantech and the Yeah.net email provider are registered in China’s Guangdong province (near Hong Kong).
Frank Law confronted about the backdoor’s presence in the firmware