Smile! Your DVR may email your picture to China
You may look at the DVR as that box that records your TV shows and perhaps even allows you to skip the commercials. But there is more to it than just that. Users can also record video from their home surveillance cameras and replay the clips if something happens. A lot of that data is stored in the cloud, but with some systems it stays completely yours, which requires a hardware DVR.
Used as a home recording device, the DVR is also known as CCTV, closed-circuit television. There are quite a number of them in use all over the world, many in homes and some in businesses. It seems like a good idea for security, but things aren't always what they seem.
Many of the boxes in question use the header JAWS/1.0, and you can do a JAWS search yourself -- our test returned over 45,000 results.
That only begins the problems, though. Sophos points out that results are "full of coding details on how he [researcher Andrew Tierney] got a local root shell on the DVR and used it to uncover an unauthenticated, impossible to disable, remote root shell that an attacker could use to compromise and control the device from the comfort of their own laptop".
Things go downhill from there. Pen Test Partners purchased a cheap DVR from Amazon branded under the name MVPower, a company about which no details seem to exist – yes, there is an mvpower.us, but they don't make security cameras or DVRs.
But here is the really scary part. After diving deep into the firmware, the researchers found that "images were being captured from CCTV feeds and sent to the mysterious email address [email protected]". The emails contained a 320x180 still image, and the address was hosted in China and owned by someone named Frank Law.
The email address is still live, though it is now being flooded with the intro to Button Moon, a 1980s UK children's TV show.
Pen Test Partners concludes "Putting one of these on your network leaves you open to serious risk. If you port forward to the web interface, you are allowing attackers to take full control of the device. This can then be used as a pivot and be used to attack the rest of your network from inside".