atechdad make it so

Research finds 400k Security Camera DVRs with Hardcoded Credentials

I’ve been tinkering with passive research using the public scan data that Project Sonar makes freely available. I was curious whether any devices have a username and password hardcoded into their web interface, so I decided to search for instances where the login form pre-fills both the username and the password with admin. I thought that surely there couldn’t be many, so I kicked off the scan…

curl -s https://scans.io/data/rapid7/sonar.http/20141209-http.gz | zcat | bin/dap json + select ip data + transform data=base64decode + include data='$(\"password\").value = \"admin\"' + include data='$(\"username\").value = \"admin\"' + decode_http_reply data + select ip + lines >> ips.txt

…and waited. The above command streams the huge scan database and inspects it live, so I don’t have to download the entire thing. I know it’s lazy, but the VPS I was running this from only has a 20 GB disk.

A few hours passed and the command completed. So I checked the file.
Too many IPs to cat. How many are we talking?

atechdad@server:~$ cat ips.txt | wc -l
467807

Er. Can’t be right. Let’s check one of the records.

Something called NETSurveillance in the title. That’s odd. How many of these are there?

curl -s https://scans.io/data/rapid7/sonar.http/20141209-http.gz | zcat | bin/dap json + select ip data + transform data=base64decode + include data='$(\"password\").value = \"admin\"' + include data='$(\"username\").value = \"admin\"' + decode_http_reply data + select data + lines | grep -i surveillance

Ok. Lots.
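The same two steps (filter the records whose login page pre-fills admin/admin, then tally what those pages call themselves) as a small offline script, so the matching logic can be checked against known samples before it is pointed at your own address ranges in the Sonar data. This is an added example and not the author’s code or part of dap; it assumes the sonar.http layout the post’s pipeline implies (one JSON object per line with an `ip` field and a base64-encoded HTTP response in `data`) and that the login page sets the fields with JavaScript of the form `$("username").value = "admin"`, with or without backslash-escaped quotes. The sample records, IPs and page contents are constructed for the example.

```python
"""Offline filter for Project Sonar HTTP records: flag responses whose login
page pre-fills admin/admin, then tally their <title> values (what the post did
with dap's include filters and grep). Added example; assumptions as in the
lead-in, sample data constructed here."""
import base64
import json
import re
from collections import Counter

# Substrings the post's two dap include filters looked for; both must be present.
DEFAULT_CRED_MARKERS = (
    '$("username").value = "admin"',
    '$("password").value = "admin"',
)

TITLE_RE = re.compile(r"<title>(.*?)</title>", re.IGNORECASE | re.DOTALL)


def decode_http_reply(raw):
    """Split a raw HTTP response into (status line, headers dict, body).
    Returns None when there is no header/body separator at all."""
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:
        return None
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def has_default_admin(body):
    """True when the page pre-fills both username and password with 'admin'.
    Backslash-escaped quotes (as written in the post's command) are normalised first."""
    normalised = body.replace('\\"', '"')
    return all(marker in normalised for marker in DEFAULT_CRED_MARKERS)


def page_title(body):
    """The <title> text with whitespace collapsed, or '' if there is none."""
    m = TITLE_RE.search(body)
    return " ".join(m.group(1).split()) if m else ""


def find_default_cred_pages(record_lines):
    """Return [{'ip': ..., 'title': ...}] for each record whose response matches.
    Malformed JSON, bad base64 and non-HTTP payloads are skipped, not fatal."""
    hits = []
    for line in record_lines:
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
            raw = base64.b64decode(record["data"], validate=True).decode("utf-8", "replace")
        except (ValueError, KeyError, TypeError):
            continue
        parsed = decode_http_reply(raw)
        if parsed is None:
            continue
        _status, _headers, body = parsed
        if has_default_admin(body):
            hits.append({"ip": record.get("ip", "?"), "title": page_title(body)})
    return hits


def tally_titles(hits):
    """Count hits per page title (the post's grep -i surveillance step, generalised)."""
    return Counter(h["title"] or "(no title)" for h in hits)


def count_matching_title(hits, needle="surveillance"):
    """Number of hits whose title contains needle, case-insensitively."""
    return sum(1 for h in hits if needle.lower() in h["title"].lower())


def _b64(text):
    return base64.b64encode(text.encode()).decode()


# Constructed sample records in the one-JSON-object-per-line layout; documentation
# IPs and invented pages. Records 2, 4, 5 and 6 must NOT produce a hit.
SAMPLE_RECORDS = [
    json.dumps({"ip": "192.0.2.10", "data": _b64(
        "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
        "<html><head><title>NETSurveillance WEB</title></head><body><script>"
        '$("username").value = "admin";\n$("password").value = "admin";'
        "</script></body></html>")}),
    json.dumps({"ip": "192.0.2.11", "data": _b64(          # password blank: no hit
        "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
        "<html><head><title>NETSurveillance WEB</title></head><body><script>"
        '$(\\"username\\").value = \\"admin\\";$(\\"password\\").value = \\"\\";'
        "</script></body></html>")}),
    json.dumps({"ip": "192.0.2.12", "data": _b64(          # escaped quotes: still a hit
        "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
        "<html><head><title>DVR Login</title></head><body><script>"
        '$(\\"username\\").value = \\"admin\\";$(\\"password\\").value = \\"admin\\";'
        "</script></body></html>")}),
    json.dumps({"ip": "192.0.2.13", "data": _b64("HTTP/1.1 302 Found\r\nLocation: /login\r\n\r\n")}),
    '{"ip": "192.0.2.14", "data": "not base64!!"}',
    "this line is not json",
]

if __name__ == "__main__":
    # Real use: iterate gzip.open(path, "rt") or the zcat stream instead of SAMPLE_RECORDS.
    hits = find_default_cred_pages(SAMPLE_RECORDS)
    for h in hits:
        print(h["ip"], h["title"])
    print(tally_titles(hits))
```

Tallying by title rather than grepping for one brand string is what turns a pile of IPs into something a network owner can act on: each title is a product family whose default-credential behaviour can be reported to the vendor or blocked at the edge.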

So what is this thing?

It seems most of these are security cameras / DVRs of assorted brands sourced from China. The most common identifies itself as NetSurveillance. An example of one is the H.264 8 Cam DVR-9108VH.

It appears that a good many of these devices are configured with admin:admin.

I hope that at over 400,000 devices, there are many false positives. Also, why aren’t these things behind a firewall? A cheap consumer router would be better than nothing.

Anyway, so that’s yet another thing you can do with the info from scans.io.