Digital Video Recorders (AKA Network Video Recorders), such as those from the likes of Hikvision, are used to record surveillance footage of office buildings and surrounding areas.
Hacked DVRs might be abused as a part of a botnet, a potential abuse that cybercrooks have already latched onto. For example, insecure Hikvision DVRs were abused in a (mostly ineffective) scam to mine Bitcoins back in April.
Security researchers at Rapid7 discovered that 150,000 of Hikvision DVRs devices could be accessed remotely. Rapid7 warns that DVRs exposed to the internet are routinely targeted for exploitation. "This is especially troubling given that a similar vulnerability (CVE-2013-4977) was reported last year, and the product still appears unpatched out of the box today," researchers at the firm behind the Metasploit penetration testing tool conclude.
A blog post (extract below) by Rapid7, the firm behind the Metasploit penetration testing tool, explains the vulnerabilities at play in greater depth.
[Hikvision] DS-7204 and other models in the same product series that allow a remote attacker to gain full control of the device. More specifically, three typical buffer overflow vulnerabilities were discovered in Hikvision's RTSP request handling code: CVE-2014-4878, CVE-2014-4879 and CVE-2014-4880. This blog post serves as disclosure of the technical details for those vulnerabilities. In addition, a remote code execution through a Metasploit exploit module has been published.No authentication (login) is required to exploit this vulnerability. The Metasploit module demonstrates how unpatched security bugs would enable hackers to gain control of a vulnerable device while sitting behind their keyboard, potentially thousands of miles away.
Rapid7 attempted to contact Hikvision several times since September but the company provided no response, prompting a decision to go public.