Risk-Based Security chief researcher Carsten Eiram says most of the affected DVRs, which record footage from surveillance cameras, are operating in the US.
“Based on searches using Shodan.io, there are about 36,000 to 46,000 affected internet-connected devices,” Eiram says. He added that the other countries where these cameras are widely used are the UK, Canada, Mexico, and Argentina.
“While analysing cgiServer binary, we noticed that the authentication process specifically checked for the username ‘root’ and password ‘519070’ [which is] the same code found in RscgiServer binary,” added Eiram.
The researchers describe the authentication flow as follows:
“The main() function of the CGI script calls a function to authenticate the user. Within this function, another function is eventually called to handle the authentication and return the result. The function retrieves the user-supplied credentials and calls a function to check them. Within this function, part of the code specifically checks if the supplied username is ‘root’ and the password is ‘519070’. If these credentials are supplied, full access is granted to the web interface.”
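The pattern the researchers describe, shown beside a hardened check, as an added example that is not the vendor's code or part of the original article. The function names, the `stored` account, and the assumption that a configured-account check follows the fixed pair are hypothetical; a real device should also keep a salted password hash rather than the plaintext used here for brevity.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: the account the device owner configured.
   Plaintext only for brevity; store a salted hash in practice. */
struct account { const char *user; const char *pass; };
static const struct account stored = { "admin", "owner-chosen-pass" };

/* Flawed pattern from the quote: a fixed pair compiled into the binary
   is accepted independently of the configured account (assumed layout). */
int check_credentials_flawed(const char *user, const char *pass) {
    if (strcmp(user, "root") == 0 && strcmp(pass, "519070") == 0)
        return 1;  /* full access, whatever the owner configured */
    return strcmp(user, stored.user) == 0 && strcmp(pass, stored.pass) == 0;
}

/* Comparison whose running time does not depend on where the strings
   first differ, only on the length of the supplied value. */
static int ct_equal(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b);
    unsigned char diff = (unsigned char)(la != lb);
    for (size_t i = 0; i < la; i++)
        diff |= (unsigned char)(a[i] ^ b[lb ? i % lb : 0]);
    return diff == 0;
}

/* Hardened: no built-in pair; only the configured account passes, and
   both fields are always compared before the result is combined. */
int check_credentials_hardened(const char *user, const char *pass) {
    if (user == NULL || pass == NULL)
        return 0;
    int ok_user = ct_equal(user, stored.user);
    int ok_pass = ct_equal(pass, stored.pass);
    return ok_user & ok_pass;
}

int main(void) {
    printf("flawed,   fixed pair:      %d\n",
           check_credentials_flawed("root", "519070"));
    printf("hardened, fixed pair:      %d\n",
           check_credentials_hardened("root", "519070"));
    printf("hardened, configured user: %d\n",
           check_credentials_hardened("admin", "owner-chosen-pass"));
    return 0;
}
```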
The vulnerability was first reported to US-CERT on 9 September, but the report was not acknowledged until 21 December.
It was also found that some DVRs exposed on Shodan didn’t even require passwords and could be compromised to give attackers a remote root shell that cannot be removed.
Experts say that most devices will be exposed since changing the password is a pain, requiring the DVRs to be connected to a local TV with a user-supplied keyboard.