Thousands of web access surveillance cameras have detected a root user with a fixed password.

Surveillance System LH110 Lorex 8 channel Eco Series

Security specialists from Risk Based Security (RBS) have discovered vulnerabilities in security cameras that the Chinese manufacturer Zhuhai RaySharp Technology makes for various electronics retailers.

Firmware products manufactured in RaySharp, represents a Linux-system with CGI-scripts that form the web interface. Through the interface, if you have access details, you can get to view the images, adjust the recording parameters and system settings, turn the camera around - in general, get complete control over the video surveillance system.

Studying CGI scripts, the researchers found in one of them an amazing piece - checking that the username matches root, and the password - from 519070. It turned out that when entering this data, the user gets full control over all system resources.
')
RaySharp itself claims that it supplies about 60,000 of these devices to customers every month. Among the brands ordering them are König, Swann Communications, COP-USA, KGUARD Security, Defender, LOREX Technology and others.

The researchers found that, at least in some of the devices sold under these trademarks, you can use the specified username and password to gain access. Moreover, another CGI script lists as many as 55 brands for which, apparently, the manufacturer also manufactures its own cameras.

Using the search engine Shodan , a favorite of hackers and security experts, that find devices connected to the Internet, RBS employees discovered thousands of devices that they thought were vulnerable due to this security hole. The search engine shows that the number of search results is in the range from 36 to 46 thousand devices. Approximately half of them are located in the United States, most of the remaining - in Canada, Mexico and Argentina.

The decision to publish the results of the study was made so that the users of the devices mentioned could themselves check for the presence of a vulnerability, since RBS does not have the resources to comprehensively check all available cameras.

RBS recommends that the camera, which accepts login and root / 519070 password as access details, does not have direct access to the Internet or communicate with public Wi-Fi networks, and remote access must be performed via VPN and local network.

It does not look too surprising that, as it turned out, some device users warned about this vulnerability back in 2010. In the user forum of video surveillance systems, user Liber8or wrote that while setting up his freshly purchased QSee system, QR414-411-3 found in the instructions for use a “glaring” hint about changing the password. It was said that in case the password is forgotten, you can enter the password 519070 and get access to the system. The QSee brand is included in the list of 55 brands listed in the CGI firmware script.

RaySharp products have already found vulnerabilities in the firmware - in 2013, one of the enthusiasts described a relatively simple way to gain access to the surveillance systems of this manufacturer.

RBS discovered this vulnerability as early as September and brought it to the attention of the US Computer Emergency Readiness Team (Computer Emergency Response Team) - a group of computer security experts involved in the collection of information about incidents, their classification and neutralization. The information was distributed to vendors, but so far only Defender have announced the release of a patch that eliminates this vulnerability, and a couple of brands have reported that they are working on a patch.

In general, security experts advise to remember that buying devices from the lowest price segment, users may not count on their serious security, and Chinese manufacturers are not seen in particular zeal for fixing problems with the firmware of their devices.