And on the Google Play Store
Do they also contain backdoors?
Domain and email used: www.dvr163.com email@example.com
Screenshots in the app come from this site: http://www.juancctv.com/jishu.asp
I mean, after all they are capable of bundling all the FOSS together, writing some code on their own, and even shipping a working product, but they don't realize that running commands as root from a query string is a horrible idea? That's hard to buy.
It's just ~~desire~~ mandate to "ship it cheap", and no desire or care at all. He didn't go back.
I keep mine on a separate LAN which can't connect to the internet or the other, more-trusted LAN. The average grandpa connecting these things to the internet is screwed though.
But so many of these things are pitched as "oh so easy to set up! Just plug it in and open an app on your iPhone and you can monitor your house from anywhere!"
It's bad enough that this app-centric branding/marketing pitch ignores the fact that you never even see the popup saying "for security purposes, change your password", much less mentions just how this easy access works.
Sure, it's easier to just plug something in and get a picture with no more action needed than pointing at a square on a screen. But even the ones that can be made moderately secure (at least versus casual Shodan searchers and Google dorks) by setting a password and turning off DDNS, telnet, ftp, etc. are often left in their wide-open setup state by users.
On the flip side, I don't want something that only works with a "cloud" subscription or by going through a third party that I may or may not have to pay for monthly. I just want to be able to pull an mp4 or mjpeg stream from an old computer running iSpy or my Synology on the local-only LAN.
tl;dr: these things are affordable and very useful if you know how to set them up but by default they're wide open and often irresponsibly marketed as plug-and-play and never actually configured.
This code seems related - it has the cow ascii art and the email-sending functionality and email address mentioned in the article: https://github.com/simonjiuan/ipc/blob/master/src/cgi_misc.c - I wonder what else is in there!
From what I can tell, the e-mail address etc. are defaults used in CGI_send_email, which is only invoked as the handler for the /email endpoint. Looking at the order of endpoints defined in https://github.com/simonjiuan/ipc/blob/master/src/ipcam_netw... it seems that /email was probably left out in the DVR's code, so it's possible this function is simply never invoked, and we're just left with the WTF that not only did the original author (Mr. Law) think that an e-mail service needed a default "To", but that he thought it should be him, and that he left it in the final product.
Yes, it does send the emails.
And according to that source, you can change that target email address via a request parameter.
Actually, from a brief scan of a related codebase, it's likely that it doesn't send e-mails. The title of the article is therefore at a minimum unsubstantiated.
My device sends an email at boot to the email address, and it has also been triggered at other times - I am not sure why.
It looks like there are a number of variants of the device out there.
The repo mentioned in another comment has a Makefile for another device, and has been forked 9 times. It could be used anywhere.
The article will be updated, but I'll have to get a trace another time.
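Since the device is reported to mail snapshots shortly after boot, a quick way to catch it from the defender's side is to watch the gateway's firewall log for new mail-submission sessions originating from the camera VLAN. This is an added example, not code from the article or the thread: the iptables-style log lines, the 192.168.50.0/24 camera subnet and the log prefix are all constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of iptables LOG lines (not from the article); the DVR at
# 192.168.50.10 opens an SMTP session right after boot, the rest is noise.
SAMPLE_LOG = """\
Jan 10 08:00:01 gw kernel: FW-OUT IN=br-iot OUT=eth0 SRC=192.168.50.10 DST=203.0.113.25 PROTO=TCP SPT=40122 DPT=25 SYN
Jan 10 08:00:01 gw kernel: FW-OUT IN=br-iot OUT=eth0 SRC=192.168.50.10 DST=203.0.113.25 PROTO=TCP SPT=40122 DPT=25 ACK
Jan 10 08:00:05 gw kernel: FW-OUT IN=br-iot OUT=eth0 SRC=192.168.50.10 DST=198.51.100.7 PROTO=UDP SPT=5353 DPT=53
Jan 10 08:01:30 gw kernel: FW-OUT IN=br-lan OUT=eth0 SRC=192.168.1.20 DST=198.51.100.9 PROTO=TCP SPT=51000 DPT=587 SYN
Jan 10 08:02:11 gw kernel: FW-OUT IN=br-iot OUT=eth0 SRC=192.168.50.11 DST=198.51.100.40 PROTO=TCP SPT=41000 DPT=443 SYN
"""

IOT_NET = ipaddress.ip_network("192.168.50.0/24")  # assumed camera/DVR VLAN
MAIL_PORTS = {25, 465, 587}                         # SMTP, SMTPS, submission

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) .*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) "
    r"PROTO=(?P<proto>\w+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)(?P<flags>.*)$"
)

def parse_line(line):
    """Parse one iptables LOG line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["spt"], rec["dpt"] = int(rec["spt"]), int(rec["dpt"])
    rec["syn"] = "SYN" in rec["flags"].split()
    return rec

def find_mail_exfil(log_text, iot_net=IOT_NET):
    """Return {src: [(timestamp, dst, dport), ...]} for new TCP sessions from
    the camera VLAN to any mail port. Only SYN packets count, so a session is
    reported once rather than once per packet."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP" or not rec["syn"]:
            continue
        if ipaddress.ip_address(rec["src"]) in iot_net and rec["dpt"] in MAIL_PORTS:
            hits[rec["src"]].append((rec["ts"], rec["dst"], rec["dpt"]))
    return dict(hits)

if __name__ == "__main__":
    for src, sessions in find_mail_exfil(SAMPLE_LOG).items():
        for ts, dst, port in sessions:
            print(f"{ts} {src} -> {dst}:{port}  outbound mail from camera VLAN")
```

On a real gateway the same pattern applies to the output of `iptables -j LOG` with a fixed prefix, and a matching DROP rule for the IoT bridge turns the detection into a block.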
That image isn't so curious. Try 'apt-get moo' on any debian based box.
Fortunately, I disconnected it from the network a long time ago. Works well standalone, the UI is ok.
openssl passwd -salt a0 juantech
I've brute-forced all alphanumeric for the descrypt hash, and not found anything. Trying the whole space now, but it will be weeks.
I think mine was regularly rebooting, but I've put it away so need to check.
Any other suggestions?
I think I messed with Blue Iris when I was initially playing with using an old laptop as an IP cam DVR but never bought it after the trial expired.
I definitely agree that if you want some or all of the "premium" features, a one time purchase is the only option. I don't like recurring subscriptions and avoid them when possible. I guess in this case, since you're paying for functionality on their servers it makes sense to pay as you use it. Still, as an end user, I do avoid subscriptions if I can.
Good to know you've got a better option though. Anything that allows you to self-host this stuff (mostly at least) is a positive thing IMO. In my early experiments before moving to the Synology software on my NAS, I had the computer running iSpy save to the Dropbox folder on that computer and limited the archive size to match the capacity of that Dropbox account. That way I could at least access recordings from elsewhere but I never got into email or SMS alerts. Not sure how I'd personally set that up.
Someone please go arrest this voyeur before he deletes the evidence.
If he were some low-level engineer I would perceive this as unintentional. That's not the case. Unless the title "chief software engineer" means something else in China... https://www.linkedin.com/in/frank-law-2b14b790
From my sleuthing experience, deleting things [the github repository] usually means some kind of wrongdoing; not necessarily related to the erased.
It is my belief this was intentional.
It's a dirty dangerous hack even for a debug scenario, but you can see how it might come about
(Link has been shortened to use only the ASIN.)
I submitted a review but it has yet to be approved.
It has been approved but the exploit link and link to the blog post are not in it.
yeah.com is an early free hosting and email provider in China.
Maybe the same person with an avatar: http://tieba.baidu.com/home/main?un=lawishere
Maybe his blog: http://blog.csdn.net/lawishere
lots of C/C++, mpeg, streaming stuff.
On Google Play, https://play.google.com/store/apps/developer?id=Frank+Law
The developer email is the same.
Combining the nicknames (lawishere and Frank Law), this may be his GitHub page, https://github.com/lawishere
Someone reported the issue on there before I found it.
Part of the problem though is that there is not a full toolchain. You could replace the DVR app, but the OS is still going to be crap.
I had a very quick go at updating the firmware with Juantech and it failed. There is some check in place to prevent this.
I didn't look into that as the other stuff meant it was game over.
"Backdoor in DVR firmware sends CCTV camera snapshots to email address in China"
"Backdoor in DVR firmware sends CCTV camera snapshots to email address"
Notice the difference?