
Backdoor In MVPower DVR Firmware Sends CCTV Stills To an Email Address In China (softpedia.com)

An anonymous reader writes: An IoT security research company has discovered that a DVR model manufactured by MVPower includes a backdoor-like feature in its code that takes a screenshot of your CCTV feed and sends it to an email address hosted somewhere in China. The device's firmware is based on an open source project from GitHub that was pulled by its developer when someone confronted him about the backdoor.

  • DUH. (Score:5, Informative)

    by Lumpy ( 12016 ) on Wednesday February 17, 2016 @09:07AM (#51526665) Homepage

    All of the China crap you need to ASSUME it is riddled with backdoors and other security problems and even sending your info elsewhere. The China ONVIF security cameras are FILLED with this kind of crap.

    • Yeah, I have one of those cameras - by default it makes your security camera into a public webcam.

      Now, I can do VLANs and put firewall rules in, but most people aren't even paranoid enough to think to look.

      Then again, they just want to buy cheap crap off eBay, not hire a pro who knows the ins and outs of the product field.

      For most cases of blaming cheap manufacturers, there's a cheap consumer who wants pro quality for rock-bottom pricing.

      • by Anonymous Coward

        Cough.... Is using search engines a dead lost skill?

        They could not find a reference to MVPOWER???
        How hard did they try?

        Did they not try looking up trademarks? There is that little (R) symbol ya know....

        Aukey E-Business Co. owns the trademark MVPower
        Anthea Lee is registered name
        Been active since 2013.

        Shosho II, Ernest is the lawyer's name that registered
        Other company registered same people is Aglaia

        The parent company's name is Aukey E-Business Co., Ltd
        www.aukeys.com

        LongGang
        Huanan City
        Shenzhen, 518111
        China

      • by k6mfw ( 1182893 )

        Then again, they just want to buy cheap crap off eBay,

        There are some cheap VHS machines on ebay, and none of those send emails to China.

      • Yeah, I have one of those cameras - by default it makes your security camera into a public webcam.

        Now, I can do VLANs and put firewall rules in, but most people aren't even paranoid enough to think to look.

        Then again, they just want to buy cheap crap off eBay, not hire a pro who knows the ins and outs of the product field.

        For most cases of blaming cheap manufacturers, there's a cheap consumer who wants pro quality for rock-bottom pricing.

        “We’ve arranged a society on science and technology in which nobody understands anything about science and technology, and this combustible mixture of ignorance and power sooner or later is going to blow up in our faces. I mean, who is running the science and technology in a democracy if the people don’t know anything about it?” – Carl Sagan

        Modern technology might as well be magic to most people. They don't have the expertise, critical thinking skills, or self restraint to ma

    • Re:DUH. (Score:5, Insightful)

      by AmiMoJo ( 196126 ) <mojo AT world3 DOT net> on Wednesday February 17, 2016 @10:18AM (#51526995) Homepage

      Why single out the Chinese? Most American crap has a backdoor and multiple security holes too. At least the Chinese haven't started giving you the "Error 53" middle finger when you try to repair their crap.

      • Because every time this happens, you look on the back of the device and it says, "MADE IN CHINA". Seriously, people have to tell you these things?
        • by dave420 ( 699308 )

          So you don't understand how electronics work. Gotcha. Thanks for clearing that up for all of us.

      • At least the Chinese haven't started giving you the "Error 53" middle finger when you try to repair their crap.

        Sure, they just don't give you an error, so you think it's your fault, just as they don't put brand names on their most shit products so that you can't track down who made them to complain. That's improvement?

        • by AmiMoJo ( 196126 )

          Most products without branding are built for western companies to western specifications, so that they can have a western label slapped on them later. If you buy quality branded Chinese stuff it's pretty good. OnePlus, Xiaomi, Yuin, Rigol, Siglent, Huawei.... Just a few I can think of off the top of my head that have similar quality to western companies, but don't try to screw you so hard with DRM.

      • by Lumpy ( 12016 )

        News flash. Your iPhone is MADE IN CHINA.

  • by Anonymous Coward

    The only good internet connected device is one which isn't connected to the internet.

    You people can keep your stupid fucking IoT garbage.

    There's no need for this shit other than idiots who want something shiny to use with their cellphone.

    Have fun getting pwn3ed, suckers.

    • It's OK for devices to be networked over WAN, but devices such as security cameras should *never* be accessible or able to access WAN directly. A few simple firewall rules and some site-to-site VPN piping would do the trick and wouldn't take long at all to set up. Just one of many possible ways of doing it right.

      By the way, I wouldn't count security cameras as IoT.

    • There's a lot more potential to IoT than cellphone control of personal gadgets. I would really like to see bridge beams that provide continuous real-time reports of the stress they are under with daily traffic. Engineers would use the data not just to warn of imminent failure, but in the long run to design better infrastructure. So what if China might be watching the data stream to design better bridges of their own?

      • by dj245 ( 732906 )

        There's a lot more potential to IoT than cellphone control of personal gadgets. I would really like to see bridge beams that provide continuous real-time reports of the stress they are under with daily traffic. Engineers would use the data not just to warn of imminent failure, but in the long run to design better infrastructure. So what if China might be watching the data stream to design better bridges of their own?

        That wouldn't be difficult to do. You would just need to epoxy strain gauges (very cheap devices) onto the locations of your choosing, collect that data with data acquisition devices, and store it for periodic pickup, or else transmit it over a network. Unfortunately, that wouldn't tell us much of interest. Most bridge failures are caused by a small part or parts of the bridge that have deteriorated or were built incorrectly from the beginning. Catastrophic and unexpected failures occur because nobody no

  • by The Eight-Bit Link ( 2447312 ) on Wednesday February 17, 2016 @09:15AM (#51526689)
    Whenever I use something that connects to my network that I ordered direct from China, as a rule-of-thumb I don't let anything to or from it cross my router. I have a specific access point for anything wireless, and ports on my managed switch for anything wired.
  • by Anonymous Coward

    All internet access for untrusted devices like this is blocked at my router firewall by their MAC address. Access denied, you assholes.

    • All internet access for untrusted devices like this is blocked at my router firewall by their MAC address.

      LOL, brilliant ... that'll show your IoT devices what for. Take away the Internet part, and they're just things.

      Might I suggest not connecting them to the network either? That'll keep them secure.

      Or, you know, just don't buy them.

      • Re: (Score:2, Insightful)

        by Anonymous Coward

        My network UPNP radios play music from my server only. They don't need internet access.

        My IP cameras record video to my server as well. They don't need internet access so they are blocked too.

        My managed network switch doesn't need internet access, so it is blocked.

        My network printer doesn't need internet.

        The IPMI on my server doesn't get internet access.

        My Windows machines are next.

      • by Anonymous Coward

        Don't be dull. It's perfectly rational to run a camera with a TCP/IP stack so it can send pictures to a server in your local network, but block it from sending anything elsewhere.

        The problem is and always has been "the Cloud", which is synonymous with free access for your government, your enemy's government, any enterprise large enough to have a cushy contract with either of the above, any private organisation with enough resources to break into the above, anyone with enough money to pay any of the

      • Over time I start to trust some applications, I keep an eye out for vulnerabilities though, but one of those applications is openvpn. I block all my IOT devices from accessing the Internet, and when I want access I VPN in. In some cases, I can put a web server in front of the IOT device, with cameras, I like ZoneMinder and others have said they like Blue Iris.

        I am looking at outside services, like Adafruit.IO and AWS IoT to show me some pretty graphs. Still assessing, but would hope there is a way I can

      • by dfn5 ( 524972 )

        LOL, brilliant ... that'll show your IoT devices what for. Take away the Internet part, and they're just things.

        No, it becomes an Intranet of things. Which conveniently still has the acronym IoT and is probably what the device was intended for in the first place.

      • That's perfect, since your router has a back door it will be easy for hackers to get that list of mac addresses so they can target all of your devices more quickly!

      • Might I suggest not connecting them to the network either? That'll keep them secure.

        Or, you know, just don't buy them.

        I agree. We should invest our money in trustworthy major companies such as Cisco and Juniper instead.

    • by hoggoth ( 414195 )

      Note to team: Add ability to sniff the LAN for good MAC addresses and spoof them when sending photos back to the mother country
      Thanks.

  • It looks like the source wasn't actually open, based on the guy requesting a copy of the sources...

    • by Anonymous Coward

      Found it:
      https://github.com/simonjiuan/ipc/blob/77d15510f24fdd8215756c36ddd8d0f3d525b53e/src/cgi_misc.c

  • Try google better (Score:4, Informative)

    by Anonymous Coward on Wednesday February 17, 2016 @09:40AM (#51526799)

    They could not find a reference to MVPOWER???
    How hard did they try?

    Did they not try looking up trademarks? There is that little (R) symbol ya know....

    Aukey E-Business Co. owns the trademark MVPower
    Anthea Lee is registered name
    Been active since 2013.

    Shosho II, Ernest is the lawyer's name that registered
    Other company registered same people is Aglaia

    The parent company's name is Aukey E-Business Co., Ltd
    www.aukeys.com

    LongGang
    Huanan City
    Shenzhen, 518111
    China

  • by clonehappy ( 655530 ) on Wednesday February 17, 2016 @09:48AM (#51526837)

    For any cheap/no-name/questionable IoT device: 0.0.0.0

    There is no reason any of this crap needs to be able to communicate directly out to the open internet. If you need to access it from off-site, use a VPN. If you have reason to believe the device may compromise other devices that DO have the ability to communicate outbound to the internet, then that device should be destroyed with fire and the manufacturer publicly shamed.

    When in doubt, don't give it a route.

    • Re:Default Gateway (Score:5, Informative)

      by Aqualung812 ( 959532 ) on Wednesday February 17, 2016 @11:19AM (#51527405)

      When in doubt, don't give it a route.

      I recall some of those Kronos time card devices I used years ago would learn the default gateway address on their own without being provided a route. They didn't even have a place to put in the default gateway.

      I have to assume these devices can find their way out, so I VLAN all IP cameras and don't allow them to access anything.
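
Added example, not code from the thread or from any poster: a Python audit of the setup several comments describe (cameras on their own VLAN with no way out). It reads packet log lines in the netfilter LOG key=value layout and reports every camera-sourced flow that goes anywhere but the recorder, calling out outbound mail ports because the backdoor in the story sends its stills by email. The camera subnet, recorder address and log lines are constructed assumptions.

```python
import ipaddress
import re

# Assumed layout (hypothetical): cameras/DVRs sit in 192.168.50.0/24 and may
# only talk to one recorder at 192.168.10.5.
CAMERA_NET = ipaddress.ip_network("192.168.50.0/24")
ALLOWED_DESTS = {ipaddress.ip_address("192.168.10.5")}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MAIL_PORTS = {25, 465, 587}  # SMTP, SMTPS, submission
KV = re.compile(r"\b([A-Z]+)=(\S*)")

# Constructed sample lines in the key=value layout of the netfilter LOG target.
SAMPLE_LOG = """\
Feb 17 09:07:01 gw kernel: CAM-FWD IN=vlan50 OUT=vlan10 SRC=192.168.50.21 DST=192.168.10.5 PROTO=TCP SPT=41000 DPT=554
Feb 17 09:07:09 gw kernel: CAM-FWD IN=vlan50 OUT=eth0 SRC=192.168.50.21 DST=203.0.113.25 PROTO=TCP SPT=41022 DPT=25
Feb 17 09:07:12 gw kernel: CAM-FWD IN=vlan50 OUT=eth0 SRC=192.168.50.22 DST=198.51.100.7 PROTO=UDP SPT=123 DPT=123
Feb 17 09:07:15 gw kernel: CAM-FWD IN=vlan50 OUT=vlan20 SRC=192.168.50.22 DST=192.168.20.9 PROTO=TCP SPT=41050 DPT=445
Feb 17 09:07:20 gw kernel: FWD IN=vlan20 OUT=eth0 SRC=192.168.20.9 DST=203.0.113.80 PROTO=TCP SPT=50000 DPT=443
Feb 17 09:07:21 gw kernel: truncated line without fields
"""

def audit(log_text):
    """Return (src, dst, dport, kind) for camera flows outside the allowed set."""
    findings = []
    for line in log_text.splitlines():
        f = dict(KV.findall(line))
        try:
            src = ipaddress.ip_address(f["SRC"])
            dst = ipaddress.ip_address(f["DST"])
            dport = int(f.get("DPT", 0))
        except (KeyError, ValueError):
            continue  # not a parseable packet log line
        if src not in CAMERA_NET or dst in ALLOWED_DESTS:
            continue  # other hosts, or camera-to-recorder traffic
        if any(dst in net for net in INTERNAL_NETS):
            kind = "lateral"          # camera reaching another internal VLAN
        elif dport in MAIL_PORTS:
            kind = "mail-egress"      # the behaviour reported in the story
        else:
            kind = "internet-egress"  # any other attempt to leave the site
        findings.append((str(src), str(dst), dport, kind))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding)
```

Any finding means the isolation rule is missing or is being bypassed; an empty result only covers traffic the gateway actually logged.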
