A five-year-old vulnerability (CVE-2018-9995) in TBK’s DVR camera system was successfully exploited in April 2023, according to Fortinet security researchers.
A high-severity flaw stems from an error experienced by the camera when handling a maliciously crafted HTTP cookie. A remote attacker could exploit this flaw to bypass authentication, gain administrative privileges, and ultimately access the camera’s video feed.
In an outbreak alert published Monday, the Fortinet team said it had noticed a spike in over 50,000 attack attempts against these devices last month due to proprietary IPS (intrusion prevention system) detections. . This type of advisory is used by companies to alert the broader cybersecurity industry about events that have a significant impact and could affect multiple organizations.
In this case, an alert was issued because even though the vulnerability was first discovered in 2018, it may not have been patched yet.
“[We are] We are not aware of any vendor-provided patches and recommend that organizations review their CCTV camera system installation models and associated equipment for vulnerable models,” the company wrote.
You can read more about CCTV-focused attacks here.The Rise of CCTV Hacking in the Evolving Cyber Threat Landscape
Moreover, according to TBK’s website, there are currently 600,000 cameras, 50,000 CCTV recorders, and 300,000 accessories installed worldwide in banking, retail, government, and other sectors, all of which are vulnerable. The attack surface is particularly large.
“There are tens of thousands of TBK DVRs available in various brands and public PoC [proof of concept] code, and this easy-to-exploit vulnerability make it an easy target for attackers,” the warning reads. shows that.”
Organizations need to protect internet-facing devices such as cameras, which are often overlooked in the patching process.
“Patching (or updating the firmware) is the first step in securing almost any device, especially one that connects to the internet. Ideally, the manufacturer would set these devices to auto-update by default. ”commented John Bambenek, Principal Threat Hunter at Netenrich.
Fortinet’s advisory comes amidst changing video privacy trends and challenges. This analysis by Pimloc CEO Simon Randall delves into these emerging trends.
