Own an MVPower DVR / NVR for CCTV - you've been pwned.

[drmike]

If you bought:


http://www.amazon.co.uk/Security-Real-time-Recorder-Detection-Surveillance/dp/B0162AQCO4/ref=sr_1_2?s=diy&ie=UTF8&qid=1455638899&sr=1-2&keywords=MVpower+8+channel


Or similar MVPower DVR / NVR for your security cameras / CCTV, your data has been shipped to China via email.


Unclear how many MVPower products are afflicted and how many rebadged products are out there with similar.


See: http://www.amazon.co.uk/MVPOWER/b/ref=bl_dp_s_web_5609397031?ie=UTF8&node=5609397031&field-lbr_brands_browse-bin=MVPOWER


The firmware was found to have hardcoded email address and to be emailing images from DVRs to China.


Complete writeup including some identification aspects here:
https://www.pentestpartners.com/blog/pwning-cctv-cameras/

 

[mpkossen]

Holy shit that's nasty.

 

[MannDude]

And people think I am paranoid about buying cheap Chinese electronics. It's not the first time they've been used in such a manner...


With that said, I do own a cheap Zmodo DVR for my POE IP camera system... but it's never once been connected to my router. For one, see above. For two, I just had no real interest in watching my home remotely.


I believe there was a similar instance with web cameras and generic Chinese made smart phones too. There have even been non-computing products that had data collection devices hidden in them as well. Screw that.

 

[Darwin]

 Sadly there are enough reasons today to not trust in any piece of hardware no matter where it was design or assembled.

 

[drmike]

And people think I am paranoid about buying cheap Chinese electronics. It's not the first time they've been used in such a manner...


With that said, I do own a cheap Zmodo DVR for my POE IP camera system... but it's never once been connected to my router. For one, see above. For two, I just had no real interest in watching my home remotely.


I believe there was a similar instance with web cameras and generic Chinese made smart phones too. There have even been non-computing products that had data collection devices hidden in them as well. Screw that.

I am right there with you.


It's all network connected tech that needs quarantined.


Really any new device on a network should have hard and strict rules about communication.   All network activity for some period of time should be logged and recorded and audited... Until all clear, nothing should be allowed on any network.


This Internet of Things (IoT) is a real problem.  Consumers are blissfully whatever about it and frankly manufacturers are both dirty and wreckless.   It isn't going to be good.

 

[jarland]

Wow. That'll make me think twice about what items I purchase for home security moving forward. Perhaps it's smarter to build my own. I've been looking at replacing my cameras and using a local DVR as a basically a large cache. I've gotten a bit obsessive with home security these days (let's just say...redundant internet, two cell networks as backups lol) 

 

[ChrisM]

The firmware was found to have hardcoded email address and to be emailing images from DVRs to China.

I wonder if that was intentional or it was set for testing purposes and was never removed?

And people think I am paranoid about buying cheap Chinese electronics. It's not the first time they've been used in such a manner...


With that said, I do own a cheap Zmodo DVR for my POE IP camera system... but it's never once been connected to my router. For one, see above. For two, I just had no real interest in watching my home remotely.


I believe there was a similar instance with web cameras and generic Chinese made smart phones too. There have even been non-computing products that had data collection devices hidden in them as well. Screw that.

I've used a couple zmodo systems for the cameras at my house in Michigan since they were cheap and both times they ended up crapping out on me. 


I recommend using Q-See now.