From our guest blogger and Metasploit community contributor Justin Cacak at Gotham Digital Science.
A new module for the Metasploit Framework, cctv_dvr_login, discovers and tests the security of standalone CCTV (Closed Circuit Television) video surveillance systems. Such systems are frequently deployed in retail stores, living communities, personal residences, and business environments as part of their physical security program. However, many of these systems are vulnerable to exploitation that can allow attackers remote access. Such remote access, enabled by default, can allow not only the ability to view real-time video, but control of the cameras (if supported), and provide access to archived footage.
Most owners of CCTV video surveillance systems may not even be fully aware of the device's remote access capabilities as monitoring may be conducted exclusively via the local video console. This further increases the likelihood of attackers gaining/persisting remote access, with no indication to the owner that their video surveillance system and archived footage may be accessed remotely.
Here at Gotham Digital Science, we often encounter video surveillance systems during penetration testing engagements – some of which may be exposed to the Internet, either intentionally or by accident. With any video surveillance system it is often interesting (and sometimes very important) to find out exactly what cameras are monitoring/recording within the environment. Furthermore, access to such systems can often be utilized to support physical security testing initiatives.
This module targets standalone CCTV video surveillance systems by MicroDigital, HIVISION, CTRing, and a substantial number of other rebranded devices.
msf > use auxiliary/scanner/misc/cctv_dvr_loginmsf auxiliary(cctv_dvr_login) > set RHOSTS 10.10.1.14RHOSTS => 10.10.1.14msf auxiliary(cctv_dvr_login) > exploit [*] 10.10.1.14:5920 CCTV_DVR - [001/133] - Trying username:'admin' with password:'' [-] 10.10.1.14:5920 CCTV_DVR - [001/133] - Failed login as: 'admin' [*] 10.10.1.14:5920 CCTV_DVR - [002/133] - Trying username:'user' with password:'' [-] 10.10.1.14:5920 CCTV_DVR - [002/133] - Invalid user: 'user' [*] 10.10.1.14:5920 CCTV_DVR - [003/133] - Trying username:'admin' with password:'admin' [-] 10.10.1.14:5920 CCTV_DVR - [003/133] - Failed login as: 'admin' [*] 10.10.1.14:5920 CCTV_DVR - [004/133] - Trying username:'admin' with password:'1111' [ ] 10.10.1.14:5920 Successful login: 'admin' : '1111' [*] Confirmed IE ActiveX HTTP interface (CtrWeb.cab v1,1,3,1): http://10.10.1.14:80 [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed
Using the obtained passwords, the attacker can view live and recorded footage and move the camera through a web-based application.
In conclusion, physically monitoring sensitive locations within an environment is an important aspect of a well-rounded information security program. However, at the same time such video surveillance devices can themselves be a risk and are often overlooked during security audits and vulnerability/penetration tests. This module exploits one of the common types of standalone CCTV video surveillance systems in use globally. It is likely that other manufacturers and CCTV devices are similarly vulnerable.
Companies who want to protect against this type of attack should change default vendor passwords, use strong passwords, filter access to only trusted hosts, and only expose the CCTV system to the Internet if absolutely necessary. In addition, security professionals can use the new Metasploit module to scan their network for vulnerable systems.
If you'd like to get the technical details about this new Metasploit module, check out the Gotham Digital Science Blog.
The new CCTV module is already available in the Metasploit Framework. Simply download Metasploit and update to the latest version using the command msfupdate. The module will be added to the commercial Metasploit editions as a part of the normal release cycle later this week.