Camera system Hacked


sweetm...@gmail.com

Sep 24, 2017, 11:50:27 AM
to GW Security Q&A forum
Woke up this morning to camera monitor blank and the word hacked displays. I unplugged wifi as I believe that was the point of entry. Reset the system and still no display.
How do I get the system up and running again?

sweetm...@gmail.com

Sep 24, 2017, 11:52:56 AM
to GW Security Q&A forum

GW Security Q&A forum

Sep 25, 2017, 12:46:10 PM
to GW Security Q&A forum
Hello

Please log into the NVR console and perform a factory reset on the system.

Once the system boots back up, please change the password for both user 888888 and admin.

slg...@basileiapictures.com

Sep 25, 2017, 2:54:52 PM
to GW Security Q&A forum
This happened to me this weekend also.  The hackers reformatted my NVR hard drive and changed the admin password.

GW Security Q&A forum

Sep 25, 2017, 3:05:01 PM
to GW Security Q&A forum
If you have an NVR, please email us your model number, NVR's MAC address, and the current system date time on it so we can calculate a master password for you.


xeng...@gmail.com

Sep 27, 2017, 8:20:27 AM
to GW Security Q&A forum
Hi GW Security,

Is this something your customers should know about? My NVR keeps reformatting my hard drives and the admin password keeps changing.

slg...@basileiapictures.com

Sep 27, 2017, 9:36:58 AM
to GW Security Q&A forum
Your system is being hacked. GW Security knows about it. It's happening across the country. I have been able to determine the root cause.

xeng...@gmail.com

Sep 27, 2017, 10:58:45 AM
to GW Security Q&A forum
Hi,

Is there a way to prevent this from happening?

Is that something that you can share? Or does it require intervention from the GW team?

slg...@basileiapictures.com

Sep 27, 2017, 11:41:04 AM
to GW Security Q&A forum
There is a temporary solution. Disable the built-in iCloud features on the NVR and disable any port forwarding on your router. GW Security says to just change the default port settings. But this will not prevent the hackers from getting in if the iCloud features and port forwarding are enabled. They can just ping your IP address until the port that the system is on answers. I have launched an investigation to identify the hackers. What I know so far is that they have the ability to use the backdoor built into the firmware to generate the master password to access any GW Security that they find. The only way to stop them is to deny them access to the NVR via the internet. Currently my system is blocked from accessing the internet. I get to it via a proxy that has 2-factor authentication.

slg...@basileiapictures.com

Sep 27, 2017, 11:49:11 AM
to GW Security Q&A forum
Also, I would not use RealView Pro to access the system remotely. RealView Pro uses another backdoor mechanism to access your NVR. It does not use the ID and password of any user you may have set up for the system.

xeng...@gmail.com

Sep 27, 2017, 12:12:32 PM
to GW Security Q&A forum
Thank you, much appreciated.

GW Security Q&A forum

Sep 27, 2017, 12:30:48 PM
to GW Security Q&A forum
Hello

We have a new firmware for the affected machine that prevents this from happening.

The firmware is available in our firmware section:

https://www.gwsecurityusa.com/firmware

or directly from the following link:

GW22-24 series NVR
https://goo.gl/LprxxS

GW32-34 series NVR
https://goo.gl/Azi2Q6

The cause, determined by our developers so far, is a glitch in the P2P back-end server. The issue has been patched.

slg...@basileiapictures.com

Sep 27, 2017, 4:20:45 PM
to GW Security Q&A forum
This is not going to fix the larger problems. There are multiple other serious security flaws with this system. Even if you make the changes you just stated, it will not prevent someone from easily hacking this system and wreaking havoc. There are multiple other firmware changes you need to make immediately. One is that you MUST be able to EDIT the ADMIN account's Remote Permission settings. Currently all permissions are locked ON. This needs to be changed so that certain Admin rights can be turned OFF for remote access, thereby making them only available for LOCAL logins. So when the hacker does break in, they cannot reformat the hard drive and change other system settings. This will remove 95% of the vulnerability with this system. There are several others, but let's fix this one first.

GW Security Q&A forum

Sep 27, 2017, 5:09:33 PM
to GW Security Q&A forum
We will most certainly suggest to our developers that they try to include such a feature in the next firmware update.

slg...@basileiapictures.com

Sep 28, 2017, 4:40:43 PM
to GW Security Q&A forum
This needs to be a very high priority to get done immediately (like now). Not a casual suggestion for a future update. We have seen major security breaches with GW systems over the last week due to carelessness. Which could have been prevented with just a little foresight. I've lost both time and money. This one should have been a no-brainer. I do like the system in general, but these security issues are irritating.

GW Security Q&A forum

Sep 28, 2017, 5:01:42 PM
to GW Security Q&A forum
The recommendation has already been passed on to the developers and they are evaluating how to implement the change.

slg...@basileiapictures.com

Sep 28, 2017, 5:53:03 PM
to GW Security Q&A forum
Great!
It will be highly appreciated.

Fek

Sep 28, 2017, 7:15:10 PM
to GW Security Q&A forum
Thanks for all the info shared here.

So is it still safe to use the app on my phone?
If not, what is the alternative?

Thx

Fek

Sep 28, 2017, 7:17:26 PM
to GW Security Q&A forum
Referring to the Realview Pro App

Sunny Kuo

Sep 28, 2017, 7:19:40 PM
to GW Security Q&A forum
After you update the NVR to the latest firmware, there should be no problem using the app to connect to the NVR remotely.

slg...@basileiapictures.com

Sep 28, 2017, 7:52:40 PM
to GW Security Q&A forum
Exactly what changes were made?  The reason I'm asking is that (technically) RealView Pro worked before. 

slg...@basileiapictures.com

Sep 28, 2017, 8:05:52 PM
to GW Security Q&A forum
What I meant to say was, can you explain what changes were made?

GW Security Q&A forum

Sep 28, 2017, 8:08:43 PM
to GW Security Q&A forum
The main reason Realview Pro stopped connecting was because the network IP changed on the NVR. Once they are patched and network connection restored, they should connect.

Unfortunately, we don't have a detailed change log to publish yet. Once the dust has settled, we could provide a more detailed explanation as to what had happened.

So far, to the best of our knowledge, the new firmware fixed the glitch where the P2P server is sending out a setting change that shouldn't have been sent and the NVR was accepting it, which it shouldn't have accepted.

It was an oversight by our developers and we are really sorry for the inconvenience this has caused.

Fek

Sep 28, 2017, 8:26:19 PM
to GW Security Q&A forum
Just wanted to make sure that with the new firmware, my GV password and address will not change again when I activate the cloud. This happens to me 3 times this week.

slg...@basileiapictures.com

Sep 28, 2017, 11:18:14 PM
to GW Security Q&A forum
This fix does not appear to address the underlying problem.
You only patched one issue. But there are multiple other issues still outstanding.
The damage didn't happen while RealView Pro was connected, even though RealView Pro appears to be using backdoor credentials to access the NVR also.

The larger question is, how was someone able to remote into the NVR, make an admin configuration change (WITHOUT LOGGING IN), and THEN log in to the NVR with a master admin password? Then reformat the HD? And God knows what else. This was not a software glitch. Someone with knowledge of the inner workings of the firmware deliberately did this.

Since this has happened, I've been able to identify at least 3 mechanisms by which someone, besides the customer, can gain access to that NVR remotely.

I'm starting to lose trust and confidence in GW Security. Which is unfortunate, because I actually liked this system and was recommending it, before this happened.

I'm hoping you guys will be able to fix these problems.

Dan Spiteri

Sep 29, 2017, 1:44:56 AM
to GW Security Q&A forum
Nice to know I'm not the only one. It was my fault somewhat because I was port-forwarding traffic and had the default password, but I also noticed that even if I disabled port forwarding they were able to access the system so I disabled UPnP as well.

Looking at the access logs, the remote user was able to gain access to the system and update the login credentials before signing in. There are so many ports open in the DVR, more than just the ones listed in the network settings.
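
The pattern described in the post above (credentials changed before any sign-in, then a login, then a disk format) can be searched for in an exported access log. The following is an added example, not part of the original post and not GW Security code; the log layout, event names and LAN subnet are assumptions, and the sample lines are constructed.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample in a hypothetical key=value layout (not a real GW export).
SAMPLE_LOG = """\
2017-09-27 02:58:10 src=192.168.1.20 event=LOGIN_OK user=admin
2017-09-27 02:59:02 src=192.168.1.20 event=CONFIG_SET user=admin detail=ntp_server
2017-09-27 03:12:44 src=203.0.113.7 event=CONFIG_SET user=- detail=admin_password
2017-09-27 03:12:51 src=203.0.113.7 event=LOGIN_OK user=admin
2017-09-27 03:13:30 src=203.0.113.7 event=DISK_FORMAT user=admin
"""

LAN = ipaddress.ip_network("192.168.1.0/24")   # assumed local subnet
LINE = re.compile(r"(\S+ \S+) src=(\S+) event=(\S+) user=(\S+)")
SENSITIVE = {"CONFIG_SET", "DISK_FORMAT"}      # hypothetical event names
WINDOW = timedelta(minutes=10)

def find_suspicious(log_text):
    """Return (finding, source_ip, timestamp) tuples in log order."""
    authed = set()        # sources that have logged in successfully
    preauth = {}          # source -> time of its last unauthenticated change
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        src, event, user = m.group(2), m.group(3), m.group(4)
        remote = ipaddress.ip_address(src) not in LAN
        if event == "LOGIN_OK":
            # A login right after an unauthenticated change matches the
            # "credentials updated before signing in" pattern.
            if src in preauth and ts - preauth[src] <= WINDOW:
                findings.append(("login_after_preauth_change", src, ts))
            authed.add(src)
        elif event == "LOGOUT":
            authed.discard(src)
        elif event in SENSITIVE:
            if src not in authed or user == "-":
                findings.append(("preauth_" + event.lower(), src, ts))
                preauth[src] = ts
            elif remote:
                # Authenticated, but admin actions from off-LAN deserve review.
                findings.append(("remote_" + event.lower(), src, ts))
    return findings
```
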

Dan Spiteri

Sep 29, 2017, 1:48:20 AM
to GW Security Q&A forum
Does this address the vulnerability where remote users can update the DVR configuration before they are authenticated?

Jason Gardner

Sep 29, 2017, 10:12:26 AM
to GW Security Q&A forum
I am in this predicament as well. Is there any way to access my NVR remotely to implement the firmware update (I'm at work)? Can this be done via network or does it have to be loaded from a USB drive?

GW Security Q&A forum

Sep 29, 2017, 12:10:22 PM
to GW Security Q&A forum
Yes, the firmware does fix the vulnerability.

Sunny Kuo

Sep 29, 2017, 12:10:57 PM
to GW Security Q&A forum
You can update the NVR via the web interface but it is recommended to update using a USB at the console.

Jason Gardner

Sep 29, 2017, 12:16:21 PM
to GW Security Q&A forum
How would I do this since I can't access the NVR remotely? PW has been changed.

GW Security Q&A forum

Sep 29, 2017, 1:51:18 PM
to GW Security Q&A forum
If you have physical access to the NVR, we can calculate a master password for you. Please email your machine's current system time and MAC address to sup...@gwsecurityusa.com

Jason Gardner

Oct 3, 2017, 10:33:07 AM
to GW Security Q&A forum
Attempted to apply the firmware update via USB, but it failed repeatedly. Had to reset everything again yesterday because something had caused it to become inaccessible remotely. Now again this morning I can't access it remotely, probably the same issue. Will the firmware update fix this issue? If so, how can I update it if the USB method doesn't work?

GW Security Q&A forum

Oct 3, 2017, 12:35:10 PM
to GW Security Q&A forum
What is the current firmware version on your NVR? It might be on an older version which cannot upgrade to the latest version directly.

Please email us a screenshot of the current version you have and we will email you a version you can upgrade to before upgrading to the latest.

Please email to sup...@gwsecurityusa.com

Lucid Information

Oct 3, 2017, 3:55:07 PM
to GW Security Q&A forum
Saying there was a glitch in one of your servers is misleading.
I understand that you simply re-brand Hanbang / Dahua cameras and DVRs, so maybe you don't actually have any knowledge of the undocumented telnet access that is still running in the latest version of your firmware.
And maybe you don't actually know that the cameras and DVRs connect to a T2uSvr @ nat.vveye.net regardless of what the settings are, and register with a DNS server that doesn't show in the settings anywhere and cannot be removed.

But the people whose products you rebrand were notified in March of the issue and it was documented in CVE-2017-14335
https://nvd.nist.gov/vuln/detail/CVE-2017-14335
You could consider CVE-2017-14335 a "glitch" since it is an exploit of the HTTP server not properly handling authentication.
But the previous CVEs going back 5 years specifically mention the backdoor telnet access.
You have been "patching" this backdoor since at least 2012, and while thousands of cameras and NVRs get hacked over and over, the backdoor is never removed, just the undocumented account and password are changed.

Hikvision and Dahua refused to admit it existed, and Hanbang simply refused to respond.

I ran a port scan on your latest firmware and sure enough Telnet on port 23 is responding, although it is not documented anywhere in your product information.

On your camera, after I downloaded the latest firmware it took less than 10 minutes for me to guess the backdoor password you still have in place.
I understand you only resell what the Chinese feel like giving you, that isn't your fault.
Continuing to do it when you know about it is.

I was hoping you could just copy this to GW SECU, and GW Security-inc et al. "QA" areas and save on the reposting.

regards
DJ
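
Owners can check their own recorder from inside the LAN for listening services that the network settings page does not list, including telnet on port 23 as reported above. This is an added example, not part of the original post; the documented port set and the candidate list are placeholder assumptions to be replaced with the values shown on your own device.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

# Assumption: placeholder for the ports your NVR lists in its network settings.
DOCUMENTED_PORTS = {80, 554}
# Assumption: a short list of common management ports plus the documented ones.
CANDIDATES = sorted({21, 22, 23, 80, 443, 554, 8000, 8080} | DOCUMENTED_PORTS)

def is_open(host, port, timeout=1.0):
    """Return True if a TCP connection to host:port is accepted."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0

def audit(host, documented=DOCUMENTED_PORTS, candidates=CANDIDATES):
    """Compare what the device actually answers on with what it documents."""
    with ThreadPoolExecutor(max_workers=16) as pool:
        results = list(pool.map(lambda p: is_open(host, p), candidates))
    open_ports = [p for p, ok in zip(candidates, results) if ok]
    undocumented = [p for p in open_ports if p not in documented]
    return {
        "open": open_ports,
        "undocumented": undocumented,      # services the settings page omits
        "telnet_exposed": 23 in open_ports,
    }

if __name__ == "__main__":
    # 192.168.1.108 is a placeholder LAN address for your own recorder.
    print(audit("192.168.1.108"))
```

Any entry under `undocumented` is a reason to keep the device off port forwarding and UPnP, as earlier posts in this thread recommend.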


GW Security Q&A forum

Oct 3, 2017, 6:48:48 PM
to GW Security Q&A forum
Replies locked due to length; please open a new topic to ask related questions.