- The new ‘Cats’ trailer is here to make you want to claw your eyes out Thursday 7:59 PM
- Bella Thorne claims Tana Mongeau ‘broke girl code’ in a series of messy tweets Thursday 7:00 PM
- Redditors keep this data engineer’s plants alive for him Thursday 5:20 PM
- Professor writes article defending ‘Asian romantic preference’—and no one is here for it Thursday 4:57 PM
- Ditch Pornhub and support adult content creators instead Thursday 4:46 PM
- Fans grieve Kyoto Animation Studio fire with #PrayforKyoAni Thursday 4:18 PM
- Netflix’s ‘Secret Obsession’ isn’t just terrible—it’s boring as hell Thursday 3:30 PM
- Instagram expands experiment of hiding likes to 6 more countries Thursday 3:20 PM
- Man asks woman to stop speaking Spanish on a plane—and bystanders start speaking Spanish Thursday 12:55 PM
- Schumer calls on FBI, FTC to investigate FaceApp Thursday 12:41 PM
- Netflix loses subscribers—but hopes some tentpole shows can save it Thursday 12:10 PM
- Man utterly roasted for saying women can’t ask for equality in revealing clothing Thursday 12:07 PM
- Instagram struggles to remove photos of Bianca Devins’ dead body Thursday 11:14 AM
- ‘Storm Area 51’ creator says its gotten so big he’s worried about the FBI Thursday 10:49 AM
- Everyone loves Q baby, the baby who apparently supports QAnon Thursday 9:53 AM
Maksim Kabakou/Shutterstock (Licensed)
Tens of thousands of devices are vulnerable.
Argentina’s Ezequiel Fernandez published details about his tool in a blog post last month. In it, he describes how an admin request short enough to fit in a single tweet can gain control of select DVRs.
First reported by Bleeping Computer, the appropriately named getDVR_Credentials exploit is a proof-of-concept for the CVE-2018-9995 vulnerability discovered last month. By using his exploit from the DVRs’ control panel, Fernandez was reportedly able to gain login credentials in clear text
Fernandez listed a bunch of DVR brands that are vulnerable to the attack, including TBK, Novo, CeNova, QSee, Punix, DVR 5 in 1, and Securus. As Bleeping Computer points out, many of these companies are selling a rebranded version of the TBK DVR4104 DVR.
There are believed to be tens of thousands of vulnerable devices. A screenshot of the service Fernandez used to determine where they are located shows more than 55,000 online devices primarily in Turkey, Malasia, India, Brazil, and Italy. Fernandez also posted screenshots of livestream images and device settings he gained access to.
So far, an attack using the method has not been detected, but Ankit Anubhav, a principal researcher at NewSky Security, told Bleeping Computer he doesn’t think that will remain the case for long. The proof-of-concept has been uploaded to Github, and bad actors now have a source for figuring out who to attack in Shodan, the search engine Fernandez used to help him find vulnerable DVRs connected to the internet. Fortunately, it appears DVR manufacturers can block requests to gain access to the devices using a simple scan, though it’s unclear whether the companies are aware of the issue.
Given how many vulnerable devices are in the wild and that the tools to conduct the attack have now been published, CVE-2018-9995 could become the most exploited vulnerability of the year.
We have reached out to TBK and will update this article if we hear back.
Phillip Tracy is a former technology staff writer at the Daily Dot. He's an expert on smartphones, social media trends, and gadgets. He previously reported on IoT and telecom for RCR Wireless News and contributed to NewBay Media magazine. He now writes for Laptop magazine.