Argentina’s Ezequiel Fernandez published details about his tool in a blog post last month. In it, he describes how an admin request short enough to fit in a single tweet can gain control of select DVRs.
First reported by Bleeping Computer, the appropriately named getDVR_Credentials exploit is a proof-of-concept for the CVE-2018-9995 vulnerability discovered last month. By using his exploit from the DVRs’ control panel, Fernandez was reportedly able to gain login credentials in clear text.
Fernandez listed a bunch of DVR brands that are vulnerable to the attack, including TBK, Novo, CeNova, QSee, Punix, DVR 5 in 1, and Securus. As Bleeping Computer points out, many of these companies are selling a rebranded version of the TBK DVR4104 DVR.
There are believed to be tens of thousands of vulnerable devices. A screenshot of the service Fernandez used to determine where they are located shows more than 55,000 online devices, primarily in Turkey, Malaysia, India, Brazil, and Italy. Fernandez also posted screenshots of livestream images and device settings he gained access to.
So far, an attack using the method has not been detected, but Ankit Anubhav, a principal researcher at NewSky Security, told Bleeping Computer he doesn’t think that will remain the case for long. The proof-of-concept has been uploaded to GitHub, and bad actors now have a source for figuring out who to attack in Shodan, the search engine Fernandez used to help him find vulnerable DVRs connected to the internet. Fortunately, it appears DVR manufacturers can block requests to gain access to the devices using a simple scan, though it’s unclear whether the companies are aware of the issue.
Given how many vulnerable devices are in the wild and that the tools to conduct the attack have now been published, CVE-2018-9995 could become the most exploited vulnerability of the year.
We have reached out to TBK and will update this article if we hear back.
Phillip Tracy is a former technology staff writer at the Daily Dot. He's an expert on smartphones, social media trends, and gadgets. He previously reported on IoT and telecom for RCR Wireless News and contributed to NewBay Media magazine. He now writes for Laptop magazine.