More than 30,000 passwords of DVR devices have been exposed in an IoT search engine named ZoomEye. The passwords were discovered by Ankit Anubhav, a Principal Researcher at NewSky Security which is currently specialized in protecting the devices which are connected to the internet.
The Dahua DVRs are running an old version of the firmware which is very vulnerable. The vulnerability is named as CVE-2013-6117 and it was originally identified by Jake Reynolds from Depth Security back in 2013 .
The attacker can start a Raw TCP connection on a Dahua DVR on port 37777 to send a special payload and when the Dahua devices receive the payload it will respond with DDNS credentials which are used for accessing the device and all the data in the plaintext format. The vulnerability has been known to the security researchers since 2013 and it has been patched but most of the Dahua device users have failed to update the firmware which resulted in this exposure.
The passwords of Dahua DVRs are indexed online by ZoomEye.
“The matter of fact is that a hacker doesn’t need to exploit this vulnerability because as ZoomEye scans port 37777, it passes these special bytes and cache the output in plaintext, so a hacker just needs to go to ZoomEye, create a free account, and scrap results to get the credentials,” Anubhav told News.
The NewSky researchers advised that they have learned the trick from a post published by an author named BrickerBot IoT malware who went on a mission of bricking all the unsecured devices in an attempt of making them go offline instead of adding them into his Botnets.
“Fresh devices keep on being added on ZoomEye, so even if Janitor [the BrickerBot author] bricked some in past, this issue still persists as ZoomEye currently lists recently added devices,” Anubhav stated.
Take your time to comment on this article.
Latest posts by Harikrishna Mekala (see all)
- A Serious Security Flaw Found in LibSSH - October 19, 2018
- Flaws in Branch.io Affected Over 685 Million Users - October 17, 2018
- Microsoft Store Has Been Hosting an Ad Clicker Disguised as a Google Photos App - October 16, 2018