Backdoor In MVPower DVR Firmware Sends CCTV Stills To an Email Address In China (softpedia.com)
An anonymous reader writes: An IoT security research company has discovered that a DVR model manufactured by MVPower includes a backdoor-like feature in its code that takes a screenshot of your CCTV feed and sends it to an email address hosted somewhere in China. The device's firmware is based on an open source project from GitHub that was pulled by its developer when someone confronted him about the backdoor.
DUH. (Score:5, Informative)
All of the China crap you need to ASSUME it is riddled with backdoors and other security problems and even sending your info elsewhere. The China ONVIF security cameras are FILLED with this kind of crap.
Re: (Score:2)
American companies seem to not care about security either.
Interesting contrast to the other story about American govts want backdoors to iPhones, all those who searched for ISIS on Google, etc.
Re: (Score:1)
All of the China crap you need to ASSUME it is riddled with backdoors and other security problems and even sending your info elsewhere. The China ONVIF security cameras are FILLED with this kind of crap.
Is that you Donald?
Is that you Mao?
Re: DUH. (Score:2)
Yeah, I have one of those cameras - by default it makes your security camera into a public webcam.
Now, I can do VLANs and put firewall rules in, but most people aren't even paranoid enough to think to look.
Then again, they just want to buy cheap crap off eBay, not hire a pro who knows the ins and outs of the product field.
For most cases of blaming cheap manufacturers, there's a cheap consumer who wants pro quality for rock-bottom pricing.
Re: (Score:1)
Cough.... Is using search engines a dead lost skill?
They could not find a reference to MVPOWER???
How hard did they try?
Did they not try looking up trademarks? There is that little (R) symbol ya know....
Aukey E-Business Co. owns the trademark MVPower
Anthea Lee is registered name
Been active since 2013.
Shosho II, Ernest is the lawyer's name that registered
Other company registered same people is Aglaia
The parent company's name is Aukey E-Business Co., Ltd
www.aukeys.com
LongGang
Huanan City
Shenzhen, 518111
China
Re: (Score:2)
Then again, they just want to buy cheap crap off eBay,
There are some cheap VHS machines on ebay, and none of those send emails to China.
Re: (Score:3)
Yeah, I have one of those cameras - by default it makes your security camera into a public webcam.
Now, I can do VLANs and put firewall rules in, but most people aren't even paranoid enough to think to look.
Then again, they just want to buy cheap crap off eBay, not hire a pro who knows the ins and outs of the product field.
For most cases of blaming cheap manufacturers, there's a cheap consumer who wants pro quality for rock-bottom pricing.
“We’ve arranged a society on science and technology in which nobody understands anything about science and technology, and this combustible mixture of ignorance and power sooner or later is going to blow up in our faces. I mean, who is running the science and technology in a democracy if the people don’t know anything about it?” – Carl Sagan
Modern technology might as well be magic to most people. They don't have the expertise, critical thinking skills, or self restraint to ma
Re:DUH. (Score:5, Insightful)
Why single out the Chinese? Most American crap has a backdoor and multiple security holes too. At least the Chinese haven't started giving you the "Error 53" middle finger when you try to repair their crap.
Re: (Score:3)
So you don't understand how electronics work. Gotcha. Thanks for clearing that up for all of us.
Re: (Score:2)
At least the Chinese haven't started giving you the "Error 53" middle finger when you try to repair their crap.
Sure, they just don't give you an error, so you think it's your fault, just as they don't put brand names on their most shit products so that you can't track down who made them to complain. That's improvement?
Re: (Score:2)
Most products without branding are built for western companies to western specifications, so that they can have a western label slapped on them later. If you buy quality branded Chinese stuff it's pretty good. OnePlus, Xiaomi, Yuin, Rigol, Siglent, Huawei.... Just a few I can think of off the top of my head that have similar quality to western companies, but don't try to screw you so hard with DRM.
Re: (Score:2)
News flash. Your iPhone is MADE IN CHINA.
Internet of Turds ... (Score:1)
The only good internet connected device is one which isn't connected to the internet.
You people can keep your stupid fucking IoT garbage.
There's no need for this shit other than idiots who want something shiny to use with their cellphone.
Have fun getting pwn3ed, suckers.
Re: (Score:2)
It's OK for devices to be networked over WAN, but devices such as security cameras should *never* be accessible or able to access WAN directly. A few simple firewall rules and some site-to-site VPN piping would do the trick and wouldn't take long at all to set up. Just one of many possible ways of doing it right.
By the way, I wouldn't count security cameras as IoT.
Re: (Score:2)
There's a lot more potential to IoT than cellphone control of personal gadgets. I would really like to see bridge beams that provide continuous real-time reports of the stress they are under with daily traffic. Engineers would use the data not just to warn of imminent failure, but in the long run to design better infrastructure. So what if China might be watching the data stream to design better bridges of their own?
Re: (Score:2)
There's a lot more potential to IoT than cellphone control of personal gadgets. I would really like to see bridge beams that provide continuous real-time reports of the stress they are under with daily traffic. Engineers would use the data not just to warn of imminent failure, but in the long run to design better infrastructure. So what if China might be watching the data stream to design better bridges of their own?
That wouldn't be difficult to do. You would just need to epoxy strain gauges (very cheap devices) onto the locations of your choosing, collect that data with data acquisition devices, and store it for periodic pickup, or else transmit it over a network. Unfortunately, that wouldn't tell us much of interest. Most bridge failures are caused by a small part or parts of the bridge that have deteriorated or were built incorrectly from the beginning. Catastrophic and unexpected failures occur because nobody no
Firewalls for the Great Wall (Score:5, Informative)
This is why (Score:1)
All internet access for untrusted devices like this is blocked at my router firewall by their MAC address. Access denied, you assholes.
Re: (Score:2)
LOL, brilliant ... that'll show your IoT devices what for. Take away the Internet part, and they're just things.
Might I suggest not connecting them to the network either? That'll keep them secure.
Or, you know, just don't buy them.
Re: (Score:2, Insightful)
My network UPNP radios play music from my server only. They don't need internet access.
My IP cameras record video to my server as well. They don't need internet access so they are blocked too.
My managed network switch doesn't need internet access, so it is blocked.
My network printer doesn't need internet.
The IPMI on my server doesn't get internet access.
My Windows machines are next.
Re: (Score:1)
Don't be dull. It's perfectly rational to run a camera with a TCP/IP stack so it can send pictures to a server in your local network, but block it from sending anything elsewhere.
The problem is and always has been "the Cloud", which is synonymous with free access for your government, your enemy's government, any enterprise large enough to have a cushy contract with either of the above, any private organisation with enough resources to break into the above, anyone with enough money to pay any of the
Re: (Score:1)
Over time I start to trust some applications, I keep an eye out for vulnerabilities though, but one of those applications is openvpn. I block all my IOT devices from accessing the Internet, and when I want access I VPN in. In some cases, I can put a web server in front of the IOT device, with cameras, I like ZoneMinder and others have said they like Blue Iris.
I am looking at outside services, like Adafruit.IO and AWS IoT to show me some pretty graphs. Still assessing, but would hope there is a way I can
Re: (Score:3)
No, it becomes an Intranet of things. Which conveniently still has the acronym IoT and is probably what the device was intended for in the first place.
Re: (Score:2)
That's perfect, since your router has a back door it will be easy for hackers to get that list of MAC addresses so they can target all of your devices more quickly!
Re: (Score:1)
Might I suggest not connecting them to the network either? That'll keep them secure.
Or, you know, just don't buy them.
I agree. We should invest our money in trustworthy major companies such as Cisco and Juniper instead.
Re: (Score:2)
Note to team: Add ability to sniff the LAN for good MAC addresses and spoof them when sending photos back to the mother country
Thanks.
Open source? (Score:2)
It looks like the source wasn't actually open, based on the guy requesting a copy of the sources...
Re: (Score:1)
Found it:
https://github.com/simonjiuan/ipc/blob/77d15510f24fdd8215756c36ddd8d0f3d525b53e/src/cgi_misc.c
Try google better (Score:4, Informative)
They could not find a reference to MVPOWER???
How hard did they try?
Did they not try looking up trademarks? There is that little (R) symbol ya know....
Aukey E-Business Co. owns the trademark MVPower
Anthea Lee is registered name
Been active since 2013.
Shosho II, Ernest is the lawyer's name that registered
Other company registered same people is Aglaia
The parent company's name is Aukey E-Business Co., Ltd
www.aukeys.com
LongGang
Huanan City
Shenzhen, 518111
China
Default Gateway (Score:3)
For any cheap/no-name/questionable IoT device: 0.0.0.0
There is no reason any of this crap needs to be able to communicate directly out to the open internet. If you need to access it from off-site, use a VPN. If you have reason to believe the device may compromise other devices that DO have the ability to communicate outbound to the internet, then that device should be destroyed with fire and the manufacturer publicly shamed.
When in doubt, don't give it a route.
Re:Default Gateway (Score:5, Informative)
When in doubt, don't give it a route.
I recall some of those Kronos time card devices I used years ago would learn the default gateway address on their own without being provided a route. They didn't even have a place to put in the default gateway.
I have to assume these devices can find their way out, so I VLAN all IP cameras and don't allow them to access anything.
Re: (Score:2)
Note I fully support the "we stand on the shoulders of giants." And that's the thing, it's stand on their shoulders, not "steal" everything they have with no understanding of it whatsoever.
Sounds like "on the shoulders of giants" meaning not re-invent a software language that already exists but still have to work and study to know how to use it, how to write and implement it, get a good feeling on what works/what doesn't work. It ain't easy learning this stuff (and I sometimes wonder how those "giants" ever figured out this stuff), as opposed to "oh, just copy/paste/download/run-this-stuff and it's real easy and cheap."
Re: (Score:1)
Actually it sounds like 2 separate issues:
1. I note that the device has a backdoor vulnerability in the web frontend (/shell?) in file /root/dvr_app and
2. appears to email you pictures from the CCTV (target=lawishere@yeah.net&subject=Who are you?&content=%s&snapshot=yes&vin=0&size=320x180)
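A firmware-audit check for the second issue in the comment above, as an added example that is not part of the original thread: it extracts printable strings from a firmware image and flags query-string templates that carry a fixed e-mail recipient. The sample image is constructed around the string quoted in the comment, and the function names are hypothetical.

```python
import re
from urllib.parse import parse_qsl

# Printable-ASCII runs of 8+ bytes, the same idea as the `strings` tool.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{8,}")
EMAIL = re.compile(r"^[\w.+-]+@[\w-]+(?:\.[\w-]+)+$")


def find_hardcoded_mail_templates(blob: bytes):
    """Return (offset, recipient, params) for every embedded query-string
    template that names a fixed e-mail recipient."""
    findings = []
    for match in PRINTABLE_RUN.finditer(blob):
        text = match.group().decode("ascii")
        if "=" not in text or "&" not in text:
            continue  # not shaped like key=value&key=value
        params = dict(parse_qsl(text, keep_blank_values=True))
        recipient = next((v for v in params.values() if EMAIL.match(v)), None)
        if recipient:
            findings.append((match.start(), recipient, params))
    return findings


def sends_snapshot(params: dict) -> bool:
    """True when the template also asks for a camera still to be attached."""
    return params.get("snapshot", "").lower() == "yes"


# Constructed sample: filler bytes around the string quoted in the comment.
SAMPLE_IMAGE = (
    b"\x7fELF\x01\x01\x00" + b"\x00" * 16
    + b"GET /index.html HTTP/1.1\x00"
    + b"target=lawishere@yeah.net&subject=Who are you?&content=%s"
      b"&snapshot=yes&vin=0&size=320x180\x00"
    + b"\xff\xfe" * 8
)

if __name__ == "__main__":
    for offset, recipient, params in find_hardcoded_mail_templates(SAMPLE_IMAGE):
        flag = "with snapshot" if sends_snapshot(params) else "no snapshot"
        print(f"0x{offset:06x}: fixed recipient {recipient} ({flag})")
```

Run against an unpacked firmware binary by reading the file as bytes and passing it to `find_hardcoded_mail_templates`; any hit is a string to trace back to the code that uses it.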