Search Lab finds numerous flaws in AVTech cameras and DVRs

Flaws affecting IoT equipment made by AVTech have been targeted by the Imeji botnet

According to researchers from security company Search Lab in Hungary, malware has targeted numerous flaws in internet-connected security cameras and digital video recorders.

The Imeji malware targets products made by a single manufacturer – AVTech of Taiwan. According to researchers, Shodan, the search engine for internet-connected devices, lists more than 130,000 AVTech products connected to the internet.

The flaw was discovered in 2015, but was only disclosed recently, after Search Lab’s attempts to contact AVTech were met with a stony silence.

The flaws include the storage of admin passwords in plaintext, allowing hackers easy access to admin credentials, and a folder within the devices that can be accessed without any form of authentication.

Other flaws allow hackers to inject commands into digital video recorder equipment without any form of authentication. Two other flaws enable authentication to be bypassed, allowing hackers entry.

“Since there is no verification or white list-based checking of the exefile parameter, an attacker can execute arbitrary system commands with root privileges,” the company said in an advisory.

According to a blog post by Trend Micro, the Imeji malware targets AVTech equipment by taking advantage of a remote file inclusion (RFI) vulnerability that forces a device into downloading it. Specifically, it targets a file on the devices called CloudSetup.cgi in order to inject a command into the device.

“Once the malware is installed on the device, it gathers system information and network activity data. It can also execute shell commands from the malicious actor, initiate Distributed Denial of Service (DDoS) attacks, and terminate itself,” Trend Micro researchers said. “Infected devices also put other devices connected to the same network at risk.”

Researchers at Trend Micro said there was no connection between the Imeji malware and Mirai, which targeted multiple IoT platforms running BusyBox.

At present, there are no patches available for the IoT equipment. Researchers said that IoT devices can be protected by checking internet traffic passing between routers and any IoT devices that connect to them.
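One way to check that traffic is to scan router or proxy access logs for requests to CloudSetup.cgi that carry the exefile parameter. The following is an added example, not code from Search Lab, Trend Micro or AVTech; it assumes logs in the common access-log format, and the log lines and the "/placeholder/" URL path are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in common access-log format (not real traffic).
# The URL path prefix "/placeholder/" is invented; only the file name
# CloudSetup.cgi and the exefile parameter come from the article.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jan/2017:10:00:01 +0000] "GET /placeholder/CloudSetup.cgi?exefile=echo%20ok%3B%20id HTTP/1.1" 200 12
192.0.2.10 - - [01/Jan/2017:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 512
198.51.100.7 - - [01/Jan/2017:10:00:09 +0000] "GET /placeholder/cloudsetup.cgi?EXEFILE=status HTTP/1.1" 200 8
192.0.2.10 - - [01/Jan/2017:10:00:12 +0000] "GET /live.cgi?exefile=1 HTTP/1.1" 404 0
"""

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD|PUT) (\S+) HTTP/[\d.]+"')
# Characters a shell treats specially, or whitespace separating arguments.
SHELL_META_RE = re.compile(r'[;&|`$<>(){}\s\\]')

def find_exefile_requests(log_text):
    """Return one finding per exefile value sent to CloudSetup.cgi."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parseable request line
        client, target = m.groups()
        url = urlsplit(target)
        if not url.path.lower().endswith("/cloudsetup.cgi"):
            continue
        # parse_qs percent-decodes values; match the key case-insensitively.
        for key, values in parse_qs(url.query, keep_blank_values=True).items():
            if key.lower() != "exefile":
                continue
            for value in values:
                findings.append({
                    "client": client,
                    "exefile": value,
                    "shell_metachars": bool(SHELL_META_RE.search(value)),
                })
    return findings

if __name__ == "__main__":
    for f in find_exefile_requests(SAMPLE_LOG):
        level = "HIGH" if f["shell_metachars"] else "REVIEW"
        print(f"[{level}] {f['client']} exefile={f['exefile']!r}")
```

Any hit from outside the local network is worth investigating, since no patch is available; values containing shell metacharacters are ranked higher because they match the command injection described in the advisory.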

Robert Miller, head of operational technology at computer security service MWR InfoSecurity, told Internet of Business that it is important that manufacturers of these devices stop seeing security as a burden to their development, but rather as a value that can benefit their customers.

“Given the likely PR nightmare that some manufacturers will face following ransomware attacks, it will be the companies that take security seriously that will gain the advantage in this competitive new market,” he said.