Monthly Archives: January 2013

Hackers squeeze through DVR hole, break into CCTV cameras

Miscreants can copy, delete streams and even control the device

The digital video recorders of several CCTV video cameras are vulnerable to attacks that create a means for hackers to watch, copy or delete video streams, according to security researchers.

The researchers added that unless systems are properly firewalled, security flaws in the firmware of the DVR platform also create a jumping-off point for attacks aimed at the networks supporting these devices. The hackable CCTV devices from an estimated 19 manufacturers all use allegedly vulnerable firmware from the Guangdong, China-based firm Ray Sharp.

The issue was first exposed last week by a hacker using the handle someLuser, who discovered that commands sent to a Swann DVR on port 9000 were accepted without any authentication. The vulnerability created a straightforward means to hack into the DVR’s web-based control panel. To make matters worse, the DVRs support Universal Plug and Play (UPnP), which makes the control panels externally visible on the net. Many home and small office routers enable UPnP by default. This has the effect of exposing tens of thousands of vulnerable DVRs to the net.

And to cap everything off, the Ray Sharp DVR platform stores clear-text usernames and passwords.

The litany of security problems allowed someLuser to develop a script that lifts passwords; once obtained, these give hackers control of vulnerable devices via the built-in telnet servers, thanks to the wide-open control panel.

HD Moore, CTO of security tools firm Rapid7 and founder of Metasploit, has collaborated with someLuser over the last week to validate his research.

“In addition to Ray Sharp, the exposures seem to affect rebranded DVR products by Swann, Lorex, URMET, KGuard, Defender, DEAPA/DSP Cop, SVAT, Zmodo, BCS, Bolide, EyeForce, Atlantis, Protectron, Greatek, Soyo, Hi-View, Cosmos, and J2000,” Moore explained in a blog post. “The vulnerabilities allow for unauthenticated access to the device configuration, which includes the clear-text usernames and passwords that, once obtained, can be used to execute arbitrary system commands as root through a secondary flaw in the web interface. someLuser’s blog post includes a script for obtaining the clear-text passwords as well as a standalone exploit that yields a remote root shell on any vulnerable device.

“In short – this provides remote, unauthorised access to security camera recording systems,” Moore concludes in a blog post that does a good job of summarising the issue.

Scans suggest 58,000 hackable video boxes across 150 countries are vulnerable to attack. The majority of exposed systems are in the US, India and Italy, said the researchers. Fixing the problem would seem to involve pushing out a firmware update.

A Metasploit module has been added that can be used to scan for vulnerable devices.

We’ve put out a query to Ray Sharp asking for comment on the alleged firmware flaws. We’ll update this story as and when we hear more.

Retrieved from The Register

UPnP flaws expose tens of millions of networked devices to remote attacks

Researchers from Rapid7 found severe vulnerabilities in UPnP libraries used in thousands of network-enabled products

By Lucian Constantin

Tens of millions of network-enabled devices including routers, printers, media servers, IP cameras, smart TVs, and more can be attacked over the Internet because of dangerous flaws in their implementation of the UPnP (Universal Plug and Play) protocol standard, security researchers from Rapid7 said Tuesday in a research paper.

UPnP allows networked devices to discover each other and automatically establish working configurations that enable data sharing, media streaming, media playback control, and other services. In one common scenario a file-sharing application running on a computer can tell a router via UPnP to open a specific port and map it to the computer’s local network address in order to open its file-sharing service to Internet users.

UPnP is intended to be used primarily inside local networks. However, security researchers from Rapid7 found over 80 million unique public IP (Internet Protocol) addresses that responded to UPnP discovery requests over the Internet, during scans performed last year from June to November.

Furthermore, they found that 20 percent, or 17 million, of those IP addresses corresponded to devices that were exposing the UPnP SOAP (Simple Object Access Protocol) service to the Internet. This service can allow attackers to target systems behind the firewall and exposes sensitive information about them, the Rapid7 researchers said.

Based on the UPnP discovery responses the researchers were able to fingerprint unique devices and discover what UPnP library they were using. They found that over a quarter of them had UPnP implemented through a library called the Portable UPnP SDK.

Eight remotely exploitable vulnerabilities have been identified in the Portable UPnP SDK, including two that can be used for remote code execution, the researchers said.

“The vulnerabilities we identified in the Portable UPnP SDK have been fixed as of version 1.6.18 (released today), but it will take a long time before each of the application and device vendors incorporate this patch into their products,” HD Moore, chief security officer at Rapid7, said Tuesday in a blog post.

Over 23 million IP addresses from those identified during the scans corresponded to devices that can be compromised through the Portable UPnP SDK vulnerabilities by sending a single specifically crafted UDP packet to them, according to Moore.

Additional vulnerabilities, including ones that can be used in denial of service and remote code execution attacks, also exist in a UPnP library called MiniUPnP. Even though these vulnerabilities have been addressed in MiniUPnP versions released in 2008 and 2009, 14 percent of the Internet-exposed UPnP devices were using the vulnerable MiniUPnP 1.0 version, the Rapid7 researchers said.

Other issues have been identified in the latest version of MiniUPnP, 1.4, but they won’t be publicly disclosed until the library’s developer releases a patch to address them, they said.
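The fingerprinting the researchers describe works by sending an SSDP M-SEARCH request and reading the SERVER header of each response, which names the UPnP library and version. The script below is an added example for inventorying a local network the same way; it is not Rapid7’s ScanNow tool or Metasploit module. It assumes the SERVER header formats shown in the comments (“Portable SDK for UPnP devices/x.y.z” and “MiniUPnPd/x.y”), and it applies the thresholds the article reports: Portable UPnP SDK older than 1.6.18 and the MiniUPnP 1.0 line are flagged. The sample response is constructed, not a captured packet.

```python
"""SSDP discovery and UPnP library fingerprinting (added example, not ScanNow)."""
import re
import socket

# SSDP multicast group and port defined by the UPnP Device Architecture.
SSDP_ADDR = "239.255.255.250"
SSDP_PORT = 1900

# Thresholds taken from the article: Portable UPnP SDK fixed in 1.6.18;
# devices still on MiniUPnP 1.0 were the vulnerable population.
PORTABLE_SDK_FIXED = (1, 6, 18)
MINIUPNP_FIXED = (1, 1)  # assumption: anything below 1.1 is the 1.0 line

# Assumed SERVER header formats, e.g.
#   "Linux/2.6.21, UPnP/1.0, Portable SDK for UPnP devices/1.6.6"
#   "OpenWRT/Kamikaze UPnP/1.0 MiniUPnPd/1.0"
_PORTABLE_RE = re.compile(r"Portable SDK for UPnP devices/(\d+(?:\.\d+)*)", re.I)
_MINIUPNP_RE = re.compile(r"MiniUPnPd?/(\d+(?:\.\d+)*)", re.I)


def build_msearch(mx: int = 2) -> bytes:
    """Build an SSDP M-SEARCH request that asks every UPnP device to answer."""
    lines = [
        "M-SEARCH * HTTP/1.1",
        f"HOST: {SSDP_ADDR}:{SSDP_PORT}",
        'MAN: "ssdp:discover"',
        f"MX: {mx}",
        "ST: ssdp:all",
        "",
        "",
    ]
    return "\r\n".join(lines).encode()


def parse_version(text: str) -> tuple:
    """Turn '1.6.6' into (1, 6, 6) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def parse_ssdp_response(data: bytes) -> dict:
    """Parse the header block of an SSDP 'HTTP/1.1 200 OK' response."""
    headers = {}
    text = data.decode("utf-8", errors="replace")
    for line in text.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().upper()] = value.strip()
    return headers


def fingerprint(server_header: str) -> dict:
    """Identify the UPnP library from SERVER and flag pre-fix versions."""
    match = _PORTABLE_RE.search(server_header)
    if match:
        return {"library": "Portable UPnP SDK", "version": match.group(1),
                "vulnerable": parse_version(match.group(1)) < PORTABLE_SDK_FIXED}
    match = _MINIUPNP_RE.search(server_header)
    if match:
        return {"library": "MiniUPnP", "version": match.group(1),
                "vulnerable": parse_version(match.group(1)) < MINIUPNP_FIXED}
    return {"library": "unknown", "version": None, "vulnerable": None}


def discover(timeout: float = 3.0) -> list:
    """Multicast an M-SEARCH on the local network and fingerprint responders."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(timeout)
    results = []
    try:
        sock.sendto(build_msearch(), (SSDP_ADDR, SSDP_PORT))
        while True:
            data, (addr, _port) = sock.recvfrom(65535)
            headers = parse_ssdp_response(data)
            info = fingerprint(headers.get("SERVER", ""))
            info["address"] = addr
            info["location"] = headers.get("LOCATION")
            results.append(info)
    except socket.timeout:
        pass
    finally:
        sock.close()
    return results


# Constructed sample in the shape a device would return (not a real capture).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"LOCATION: http://192.0.2.10:49152/rootDesc.xml\r\n"
    b"SERVER: Linux/2.6.21, UPnP/1.0, Portable SDK for UPnP devices/1.6.6\r\n"
    b"ST: upnp:rootdevice\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print(fingerprint(parse_ssdp_response(SAMPLE_RESPONSE)["SERVER"]))
    for device in discover():  # live scan of the local segment
        print(device)
```

Run it from a host on the segment you administer; any responder marked vulnerable is a candidate for a firmware update or for having UPnP disabled, and a device that answers from a public address has the SOAP service exposed in exactly the way the article warns about.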

“All told, we were able to identify over 6,900 product versions that were vulnerable through UPnP,” Moore said. “This list encompasses over 1,500 vendors and only took into account devices that exposed the UPnP SOAP service to the Internet, a serious vulnerability in and of itself.”

Rapid7 published three separate lists of products vulnerable to Portable UPnP SDK flaws, MiniUPnP flaws, and which expose the UPnP SOAP service to the Internet.

Belkin, Cisco, Netgear, D-Link and Asus, which all have vulnerable devices according to lists published by Rapid7, did not immediately respond to requests for comment sent Tuesday.

Moore believes that in most cases networked devices that are no longer being sold will not be updated and will remain exposed to remote attacks indefinitely unless their owners manually disable the UPnP functionality or replace them.

“These findings prove that too many vendors still haven’t learned the basics of designing devices that default to a secure and robust configuration,” said Thomas Kristensen, chief security officer at vulnerability research and management firm Secunia. “Devices that are intended for direct Internet connections should not run any services on their public interfaces by default, particularly not services like UPnP, which are solely intended for local ‘trusted’ networks.”

Kristensen believes that many of the vulnerable devices are likely to remain unpatched until they are replaced, even if their manufacturers release firmware updates.

Many PC users don’t even update PC software that they frequently use and are familiar with, he said. The task of finding the Web interface of a vulnerable networked device, obtaining the firmware update and going through the whole update process will likely be too intimidating for many users, he said.

The Rapid7 research paper includes security recommendations for Internet service providers, businesses and home users.

ISPs were advised to push configuration updates or firmware updates to subscriber devices in order to disable UPnP capabilities or to replace those devices with others that are configured in a secure manner and don’t expose UPnP to the Internet.

“Home and mobile PC users should ensure that the UPnP function on their home routers and mobile broadband devices has been disabled,” the researchers said.

In addition to making sure that no external-facing device exposes UPnP to the Internet, companies were advised to perform a careful review of the potential security impact of all UPnP-capable devices found on their networks — networked printers, IP cameras, storage systems, etcetera — and consider segmenting them from the internal network until a firmware update is available from the manufacturer.

Rapid7 released a free tool called ScanNow for Universal Plug and Play, as well as a module for the Metasploit penetration testing framework, that can be used to detect vulnerable UPnP services running inside a network.

Retrieved from InfoWorld


USB Storage Drive Loaded With Malware Shuts Down Power Plant

NEWS ANALYSIS: In a Stuxnet-like incident, malware introduced from a USB storage drive invades power plant control systems and engineering workstations.

The U.S. Computer Emergency Readiness Team reports that a U.S.-based power generating facility was shut down after a contract employee introduced malware into the turbine control systems and into engineering workstations. The contractor routinely used his USB drive to perform updates on control systems as well as workstations in the power plant.

US-CERT, which is part of the U.S. Department of Homeland Security, declined to identify which power plant was affected, and did not say whether the facility was operating on nuclear or conventional power. Industrial control systems frequently use Windows-based computers to run their specialized software, but they rarely run antivirus software because these computers aren’t connected to outside networks. However, using a USB drive to perform updates is common on these systems.

ICS-CERT, which is the division of US-CERT responsible for industrial control systems, reported the malware infection in its Monthly Monitor, which actually covered October through December. The Monitor report described the incident, saying that when the USB memory drive began to exhibit performance issues, the contractor asked the facility IT staff to check it. The check revealed two different types of malware: one type was designed to perform identity theft, and the other was a more sophisticated type of malware that ICS-CERT did not identify.

ICS-CERT also found that the engineering workstations did not have backups and did not have antivirus software. US-CERT was able to clean the workstations of the malware, and it was able to remove malware from the turbine control systems that were affected. The other workstations and other systems at the power plant weren’t affected. Following the finding of malware, US-CERT issued a number of recommendations.

The first recommendation was something that should be one of those “Duh” moments. The workstations should have had antivirus software installed and they should have had backups and hot spares in place since they were critical to running the power plant and as a result were part of the critical infrastructure.

While the turbine control systems couldn’t run antivirus software, the USB drive could and should have been checked before use. All the drive contained was configuration files, and replacing those should not have been a big deal if the USB memory drive had required replacement. So we have another “Duh” moment.

While the folks at US-CERT didn’t mention anything about the power-plant IT staff being disciplined, or at least tied to a mast and flogged, that seems like the appropriate means of instilling the lesson. After Stuxnet, the idea that malware can travel on USB drives is no secret. In fact, it’s a favorite vector for distributing malware to computers that aren’t on the Internet. How could the managers in this power company’s operations center not have known this?

Of course the chances are, they did know, but were either too set in their ways to change anything or too complacent to make the effort. Or it could have been both. Inertia and complacency are the enemies of good management in every realm and it’s no different in IT management.

But the means of dealing with the problem aren’t a secret. US-CERT has published a paper on the risks of using USB drives, and the means of staying safe when using them aren’t rocket science. USB drive safety is part of US-CERT’s Defense in Depth approach to the security of industrial control systems. It’s critical for companies that are part of the US critical infrastructure to be familiar with it.

But let’s say your company isn’t part of the critical infrastructure. Let’s say your company is just an average company with an average IT department. That likely means that your company has an average level of complacency, which probably means nobody in your IT department has scanned a USB drive for malware since the technology was invented.

Considering that you already have the anti-malware software on your computers (you DO have anti-malware software, don’t you?), it costs nothing to scan a USB drive and takes only seconds. This is a zero-cost safety solution for your company that only requires one thing: that you go to the trouble to do it. In fact, I just scanned a 32 GB USB drive while I was writing this paragraph. Running the scan took less time.

So why don’t companies insist that such a simple protection become routine? Part of the answer is complacency. Part of the answer is a lack of requirements that it be accomplished, which may be inertia. But the reason for either is a lack of incentive to do things properly.

In the case of the power plant malware infection, the ICS-CERT said that the contractor was not aware that the malware was on the USB drive. But they don’t answer the obvious question, which is why not? The power plant is part of the U.S. critical infrastructure and malware in that infrastructure is a critical problem.

Maybe it’s time to hold IT staffers accountable for this kind of “Duh” moment. There’s probably some kind of politically correct rule about flogging at the mast, but maybe termination for cause, and a requirement to reimburse the company for the total cost of the cleanup would get some attention. But I still think the cat o’ nine tails has a certain charm.

Retrieved from eWeek