Have you ever had the feeling someone is watching you? Well, if you have an Internet-connected surveillance camera in your home or office, it’s quite possible someone is. Security researcher discovered it’s not that hard to hack a video surveillance system or more specifically the network video recorder it is attached to.
Inspired by one of videos by Bharat Jogi, I decided to try it out and it worked well! Interesting!
In it, he explored how and why these systems are insecure, and demonstrated the ability to hack into certain models of D-Link NVRs.
Who’s Watching You?
The session left me wondering about the relative security of my own home video surveillance system. It’s nice that I’m able to view my living room from virtually anywhere in the world using an iPhone app, but how many hackers are watching my living room as well?
That’s essentially the crux of the issue. These Internet-connected surveillance cameras are marketed as a security tool. They are used by businesses and homeowners to monitor the premises, or by parents to keep an eye on a child’s bedroom. Some companies focus them on sensitive areas or items of value as a means of protecting them or monitoring for suspicious activity.
Research uncovered flaws in D-Link DNR-322L and DNR-326 NVR devices that expose the surveillance system to denial-of-service, information disclosure, and other critical flaws all without requiring authentication. The cameras and NVRs are typically connected to the Internet by design, and these critical vulnerabilities enable an attacker to hack into the system remotely from anywhere in the world.
There are number of attacks possible in such surveillance cams. An attacker can add a new user to the device with a simple, unauthenticated request, or even reset the password for the device’s administrator account.
The ability to add a new user allows the attacker to view the live stream of video from the cameras, or access recorded video on the NVR without having to crack or reset the passwords of any existing accounts. It enables the attacker to stay hidden longer, since resetting a password would be a red flag when the legitimate user discovers he or she is no longer able to log in.
I also found ways to get the NVR to spill sensitive information like the IP addresses associated with individual cameras, and the credentials to access them, as well as the login credentials for any attached FTP servers. As if that’s not enough, I discovered you can also remotely upload new shell script to the device, enabling an attacker to upload malicious programs.
Finally, attackers can create a denial-of-service that takes the system offline temporarily by forcing it to reboot. To take it offline even longer, an attacker could even reset the device to its factory default settings.
What Does It All Mean?
Aside from the “creepy factor” of knowing that a stranger could be hacked in to your video surveillance system and watching you or your family right now, there are some potentially more serious concerns.
A thief could hack into the NVR at a home or office and use it to scope out the premises, and figure out where valuable items are located without even stepping foot in the building. The thief could then use these vulnerabilities to hack into the system and disable cameras or reboot the system so it is offline and does not capture any activity while he or she infiltrates the premises to rob you.
For a business, it might be possible for an attacker to conduct cyber espionage and steal intellectual property. If the cameras have a view of ongoing research and development or intellectual property, it could be viewable by an attacker with access to the NVR.
Probably Not Limited to D-Link
D-Link NAS device might have similar flaws, but he had not yet done the research to confirm that. Regardless of whether or not the D-Link NAS is affected, it’s safe to assume that these two specific models of NVR from D-Link are not the only ones at risk.
Regardless of which video surveillance or NVR system you choose, you should be conscious of the fact that if you can access the video feed over the Internet from anywhere in the world on your mobile device, an attacker may very well be able to do the same.