An AVTech device exploit was recognized in October of 2016 following an advisory released by the Security Evaluation Analysis and Research Laboratory. The exploit outlined 14 vulnerabilities in DVR, NVR, IP camera, and like devices as well as all firmware of the CCTV manufacturer. These vulnerabilities include: plaintext storage of administrative password, missing CSRF protection, unauthenticated information disclosure, unauthenticated SSRF in DVR devices, unauthenticated command injection in DVR devices, authentication bypass # 1 & 2, unauthenticated file download from web root, login captcha bypass # 1 & 2, and HTTPS used without certificate verification as well as three kinds of authenticated command injection vulnerabilities.
An expert malware coder, EliteLands, is working on designing a botnet that capitalizes on these vulnerabilities to perform DDoS attacks, steal information, spam, and grant himself access to the attacked device. The hacker claims that the he does not intend to use this botnet to particularly carry out such attacks but to warn people of the capability such vulnerability exploits pose. Just like the recent Hide ‘N Seek botnet which worked to hack AVTech devices, this new botnet named “Death” aims to do the same with a more polished code. The intentions of EliteLands were revealed by NewSky Security’s researcher, Ankit Anubhav, who revealed to Bleeping Computer that EliteLands said, “The Death botnet has not attacked anything major yet but I know it will. The Death botnet purpose was orginally just to ddos but I have a greater plan on it soon. I dont really use it for attacks only to get customers aware of the power it has.”
As of March, 2017, AVTech came forward to work with SEARCH-Lab to improve the security systems on their devices. Firmware updates were sent out to patch some of the issues but several vulnerabilities remain. Death Botnet works to exploit the remaining vulnerabilities to access the CCTV network of AVTech and its IoT devices, putting users of the brand’s products at high risk. The particular vulnerability that makes this all possible is the command injection vulnerability in the devices, making them read passwords as shell command. Anubhav explained that EliteLands uses burner accounts to execute payload on devices and infect them, and according to him, over 130,000 AVTech devices were vulnerable to exploit previously and 1200 such devices can still be hacked using this mechanism.
Last month, AVTech came out with a security bulletin warning users of the risk of these attacks and recommending that users change passwords. However, this is not a solution. Prior firmware updates from the company have worked to reduce the number of exploitable vulnerabilities but further such updates are required to entirely mitigate the risk posed.