Threat of the month: April 2016
What is it?
Hardcoded credentials in DVRs based on firmware from Chinese vendor Zhuhai RaySharp. DVRs from up to 55 vendors may be affected.
How does it work?
Hardcoded accounts are added to firmware by device vendors and act as backdoors into devices allowing full control to view video feeds and change settings. The account “root” password is 519070.
Should I be worried?
If a device offers authentication, most people trust this authentication process to be reliable. However, vulnerabilities allowing authentication bypasses are regularly found. Within the past year, there have been 59 reports of devices with hardcoded accounts. Even if a service does require authentication, users should be careful about making it Internet-accessible.
How can I prevent it?
Short of vendors releasing fixes to remove hardcoded accounts, there is little users can do except make sure that devices are not internet-accessible.