A security expert from Argentina has shed light on a new hacking tool called GetDvR that exploits the CVE-2018-9995 vulnerability against IoT devices. It can extract the account credentials of DVR devices, giving access to the devices and their video feeds.
The CVE-2018-9995 Vulnerability and GetDvR Infiltrate IoT Devices
The Argentinian expert Ezequiel Fernandez revealed that a proof-of-concept hacking tool called GetDvR can access IoT devices by exploiting a dangerous vulnerability. He was responsible for the actual discovery of the weakness, and this tool serves as proof of its significance. The advisory for the vulnerability reads as follows:
TBK DVR4104 and DVR4216 devices allow remote attackers to bypass authentication via a “Cookie: uid=admin” header, as demonstrated by a device.rsp?opt=user&cmd=list request that provides credentials within JSON data in a response.
This means that attackers can exploit the weakness in the DVR devices by sending a crafted cookie header. As a result, the device responds with its administrator credentials. This would potentially allow computer hackers to automate the procedure with a script. The initial report stated that the CVE-2018-9995 vulnerability only affected devices manufactured by TBK. However, a later update extended the list with other vendors, many of which were found to simply offer rebranded versions of the TBK devices. The vendors revealed to offer affected devices are the following:
- Novo
- CeNova
- QSee
- Pulnix
- XVR 5 in 1
- Securus
- Night OWL
- DVR Login
- HVR Login
- MDVR Login
An analysis reveals that at the moment thousands of devices are affected. The researchers used the specialist search engine Shodan to query the possible victims. The expert published screenshots showing how he managed to access the insecure videos. Not only was he able to access the settings, but also the live video feeds.
So far, malicious use of the GetDvR tool has not been detected. The security community has posted widely about the issue and it is expected that the hardware vendors will patch the devices. There is a chance that a mass attack will follow, as the last few years have seen a very large increase in the number of IoT bots. They use vulnerabilities like this one and automated scripts in order to infect as many targets as possible.
One of the main concerns surrounding GetDvR and the associated CVE-2018-9995 vulnerability is the fact that there are many “white label” and rebranded versions of DVR IoT equipment by TBK. Many brands and online sellers advertise the devices using different names, and for some users it may be hard to update them.
At the moment, system administrators can implement basic steps in order to defend their networks. The example code sends a mock user-agent containing the misspelled identifiers “Morzilla” and “Pinux x86_128”. If the hackers implement it in this way, then a simple firewall rule can block the login attempts.
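The filtering idea above can be sketched as detection logic for a reverse proxy or log pipeline placed in front of a DVR. This is an added example, not code from the researcher or any vendor: the function names and sample requests are constructed for illustration. It also matches the request and cookie named in the advisory, so a request with a changed user-agent is still caught.

```python
from urllib.parse import urlsplit, parse_qs

# Misspelled user-agent identifiers named in the article.
POC_UA_MARKERS = ("Morzilla", "Pinux x86_128")

# Constructed sample requests (192.0.2.10 is a documentation address).
SAMPLE_POC = ("GET /device.rsp?opt=user&cmd=list HTTP/1.1\r\nHost: 192.0.2.10\r\n"
              "User-Agent: Morzilla/0.0 (Pinux x86_128)\r\nCookie: uid=admin\r\n\r\n")
SAMPLE_CHANGED_UA = ("GET /device.rsp?cmd=list&opt=user HTTP/1.1\r\nHost: 192.0.2.10\r\n"
                     "User-Agent: ExampleBrowser/1.0\r\ncookie: lang=en; uid=admin\r\n\r\n")
SAMPLE_BENIGN = ("GET /index.html HTTP/1.1\r\nHost: 192.0.2.10\r\n"
                 "User-Agent: ExampleBrowser/1.0\r\nCookie: lang=en\r\n\r\n")

def parse_request(raw):
    """Return (request target, headers keyed by lowercase name) from a raw request head."""
    lines = raw.replace("\r\n", "\n").split("\n")
    parts = lines[0].split()
    target = parts[1] if len(parts) >= 2 else ""
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return target, headers

def indicators(raw):
    """Return the set of CVE-2018-9995 indicators present in one request."""
    target, headers = parse_request(raw)
    url = urlsplit(target)
    query = parse_qs(url.query)
    found = set()
    if (url.path.lower().endswith("/device.rsp")
            and "user" in query.get("opt", []) and "list" in query.get("cmd", [])):
        found.add("credential-list-request")
    cookies = dict(p.strip().partition("=")[::2]
                   for p in headers.get("cookie", "").split(";"))
    if cookies.get("uid") == "admin":
        found.add("uid-admin-cookie")
    if any(marker in headers.get("user-agent", "") for marker in POC_UA_MARKERS):
        found.add("poc-user-agent")
    return found

def should_block(raw):
    """Block on the PoC user-agent, or on the advisory's request plus cookie."""
    found = indicators(raw)
    return "poc-user-agent" in found or {"credential-list-request", "uid-admin-cookie"} <= found

if __name__ == "__main__":
    for sample in (SAMPLE_POC, SAMPLE_CHANGED_UA, SAMPLE_BENIGN):
        print(should_block(sample), sorted(indicators(sample)))
```
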