Argentina’s Ezequiel Fernandez published details about his tool in a blog post last month. In it, he describes how an admin request short enough to fit in a single tweet can gain control of select DVRs.
First reported by Bleeping Computer, the appropriately named getDVR_Credentials exploit is a proof-of-concept for the CVE-2018-9995 vulnerability discovered last month. By using his exploit from the DVRs’ control panel, Fernandez was reportedly able to gain login credentials in clear text.
Fernandez listed a bunch of DVR brands that are vulnerable to the attack, including TBK, Novo, CeNova, QSee, Punix, DVR 5 in 1, and Securus. As Bleeping Computer points out, many of these companies are selling a rebranded version of the TBK DVR4104 DVR.
There are believed to be tens of thousands of vulnerable devices. A screenshot of the service Fernandez used to determine where they are located shows more than 55,000 online devices, primarily in Turkey, Malaysia, India, Brazil, and Italy. Fernandez also posted screenshots of livestream images and device settings he gained access to.
So far, an attack using the method has not been detected, but Ankit Anubhav, a principal researcher at NewSky Security, told Bleeping Computer he doesn’t think that will remain the case for long. The proof-of-concept has been uploaded to GitHub, and bad actors now have a source for figuring out who to attack in Shodan, the search engine Fernandez used to help him find vulnerable DVRs connected to the internet. Fortunately, it appears DVR manufacturers can block requests to gain access to the devices using a simple scan, though it’s unclear whether the companies are aware of the issue.
Given how many vulnerable devices are in the wild and that the tools to conduct the attack have now been published, CVE-2018-9995 could become the most exploited vulnerability of the year.
We have reached out to TBK and will update this article if we hear back.