With the latest hype around the Mirai botnet commandeering things exactly like such a security DVR, I decided to get in touch with the local distributor and ask them if any issues had been reported, advisories released, or updates made available.
I was told:
"Thanks for your query. There has not been security issues reported or identified for this product. There is no software update for this product at this stage."
This didn't put me at ease. As it was made in China for the Australian market, it doesn't have an FCC ID, just an A-tick and I don't want to physically crack it open juuuust yet. I'm also convinced whilst the local distributor had a home-brand stamped on it, it's likely an off-the-shelf product from some Chinese OEM.
I tried to hit it via the web, and on port 8080 it responded that I must use Internet Explorer or I cannot access it. Ok, so it has an ActiveX bundle it wants to foist on me - I use Linux, and even if I didn't, that's not happening, thanks!
Alrighty, I search the webpage source code, find the reference to a .cab file, pull it down, extract it, and then run all the Windows binary files through "exiftool" looking for something that might hint at a manufacturer, and I find:
$ exiftool *.dll *.ocx | egrep -i 'File Name|Company Name|File Description|Comments|Special\ Build'
File Name : AVI.dll
File Name : hi_h264dec_w.dll
Company Name : HiSilicon Technologies Co.,LTD
File Description : H.264 PC Decoder
Original File Name : hi_h264dec_w.dll
File Name : hisi_voice_engine.dll
Comments : 语音编解码器 (Translation: Speech CODEC)
Company Name : Co., Ltd.
File Description : hisi_voice_engine
Original File Name : hisi_voice_engine.dll
Special Build :
File Name : lib_VoiceEngine_dll.dll
Comments : 语音编解码器 (T/L: Speech CODEC)
Company Name : 海思半导体有限公司 Hisilicon, Co., Ltd.
File Description : lib_VoiceEngine_dll
Original File Name : lib_VoiceEngine_dll.dll
Special Build :
File Name : RSNet.dll
File Flags : Special build
File Description : RSNet 动态链接库 (T/L: Dynamic Link Library)
Original File Name : RSNet.dll
Special Build : 5.20 修改设备信息结构(登录时返回),使后续扩展不需要重新编译该库;修改搜索设备收到非法消息后错误中止的BUG;DDNS,Email test;参数查询方法内存泄露;增加远程抓拍功能;add force I frame;1.0.1.14:兼容数据包1400/8K;1.0.1.14:消息加密;16:ForecIframe加密修正;17:全消息加密
... (Translation: Modify the search device to receive illegal messages after the error stop BUG; DDNS, Email test; parameter query method memory leak; increase the remote capture function; modify the device information structure (log back) Add power I frame; 1.0.1.14: compatible packet 1400 / 8K; 1.0.1.14: message encryption; 16: ForecIframe encryption correction; 17: full message encryption)
File Name : RSPlay.dll
File Flags : Special build
File Description : RSPlay.dll
Original File Name : RSPlay.dll
Special Build : ffmeg裁减版;使用ffmpeg-0.8;11.10.12:动态加载ffmpeg,解码海斯编码器编码数据可以不打包ffmpeg相关库;111022:修正音频解码失败后无法再次打开音频的bug。AES解密,1.0.2.14:AES_ENC_LEN 64。1.0.2.15:显卡加速;1.0.2.16:图片放大校正;UpdateFrame位置调整;1.0.2.17:player进度拖动报错处理;91旧UI录像文件播放;抓拍前一帧;单实例音频控制
... (Translation: Ffmegg-0.8; 11.10.12: dynamic loading ffmpeg, decoding Hess encoder encoding data can not be packaged ffmpeg related library; 111022: Fixed audio decoding failed to open the audio again after the bug. AES decryption, 1.0.2.14: AES_ENC_LEN 64.1.0.2.15: graphics acceleration; 1.0.2.16: picture magnification correction; UpdateFrame position adjustment; 1.0.2.17: player progress drag error processing; 91 old UI video file playback; Frame; single instance audio control)
File Name : RSSkinNormal.dll
File Name : RSVideo.ocx
Original File Name : RSVideo.ocx
It bundles GPL components - I wonder if there's source code available for them? :)
What's strange is that the web page source code also references older Chrome and Safari plugins, but their use has been disabled/commented out, and they're not included in the webserver output. The source code of the page also has several HTML comments in Mandarin, but none of them refer to a business name.
In the meantime, I'm running a port scan on it, and it comes back with:
- Port 23 - Telnet ... hrrrmm
- Port 8080 - HTTP ... served by Boa webserver
- Port 9000 - Used by various Android and iOS clients that can talk to device
I can't help but think there's going to be some hard coded credentials on the telnet server, or otherwise there wouldn't be a reason to have it enabled by default.
Has anyone else dug a bit deeper into this particular DVR unit? I'm guessing I may just need to bite the bullet at some point and open it up... might be a good excuse to get a serial line level adaptor and go fiddling :)
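What the exiftool pass above is reading, as an added example that is not code from the original post: a PE version resource stores these fields as UTF-16LE String entries (wLength, wValueLength, wType, key, padding to a 32-bit boundary, value), so a short scanner can recover the same vendor strings from an extracted DLL. The sample bytes are constructed from values shown in the exiftool output, and `version_strings` and `_make_string` are hypothetical names.

```python
import struct

# Standard StringFileInfo keys; exiftool prints them as "Company Name" etc.
KEYS = ("CompanyName", "FileDescription", "Comments",
        "OriginalFilename", "SpecialBuild")

def _align4(n):
    return (n + 3) & ~3

def version_strings(blob):
    """Return {key: value} for version-resource String entries in a PE image."""
    found = {}
    for key in KEYS:
        needle = key.encode("utf-16-le") + b"\x00\x00"
        pos = blob.find(needle)
        while pos != -1 and key not in found:
            start = pos - 6            # header: wLength, wValueLength, wType
            if start >= 0:
                w_len, _w_val_len, w_type = struct.unpack_from("<HHH", blob, start)
                end = start + w_len
                # wType 1 = text; the entry must cover its key and fit the file
                if w_type == 1 and w_len >= 6 + len(needle) and end <= len(blob):
                    raw = blob[start + _align4(6 + len(needle)):end]
                    text = raw[:len(raw) & ~1].decode("utf-16-le", "replace")
                    found[key] = text.split("\x00", 1)[0]
            pos = blob.find(needle, pos + 2)
    return found

def _make_string(key, value):
    """Build one String entry (constructed test data, not from a real DLL)."""
    k = key.encode("utf-16-le") + b"\x00\x00"
    v = (value.encode("utf-16-le") + b"\x00\x00") if value else b""
    body = k.ljust(_align4(6 + len(k)) - 6, b"\x00") + v
    entry = struct.pack("<HHH", 6 + len(body), len(v) // 2, 1) + body
    return entry.ljust(_align4(len(entry)), b"\x00")

# Constructed sample carrying the values exiftool showed for lib_VoiceEngine_dll.dll
SAMPLE = b"MZ\x00\x00" + b"".join(_make_string(k, v) for k, v in [
    ("Comments", "语音编解码器"),
    ("CompanyName", "海思半导体有限公司 Hisilicon, Co., Ltd."),
    ("FileDescription", "lib_VoiceEngine_dll"),
    ("OriginalFilename", "lib_VoiceEngine_dll.dll"),
    ("SpecialBuild", ""),
])

if __name__ == "__main__":
    for name, value in version_strings(SAMPLE).items():
        print(f"{name:17}: {value}")
```

To run it over a real file, pass `open(path, "rb").read()` to `version_strings`; an empty result means the binary carries no version strings under these keys.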