Compromised DVRs and Finding Them in the Wild
Across the internet, thousands of unpatched DVRs sit publicly exposed, many guarded only by the default vendor passwords they shipped with. For threat actors, these are low-hanging fruit. This write-up walks through a recent two-second Telnet capture, command by command, to show how quickly an exposed camera system goes from online to fully compromised. The attacking IP address connected to TCP port 23 (Telnet), authenticated with username root and password root, and held the session for 1.934 seconds. This initial access vector maps to MITRE ATT&CK techniques T1110.001 (Brute Force: Password Guessing) and T1078 (Valid Accounts). Ten sequential commands inside a roughly two-second session is not consistent with a human at a keyboard; the attack was almost certainly automated.
Further investigation of the IP address using Shodan reveals that the offending device is an Airspace Digital Video Recorder (DVR) exposing an 8-channel CCTV system in Spain. Airspace is an OEM brand of Dahua, a Chinese manufacturer of surveillance cameras and related equipment. An unsophisticated threat actor could very likely reach the camera feeds directly by trying common Dahua default credentials (e.g. admin/admin or 666666/666666). The device's firmware also dates from no later than August 2014, so it has been unpatched for years. To estimate the global footprint of these compromised DVRs, a PowerShell script was prototyped that pulls IPs from Shodan matching the offending device's RTSP server hash and cross-references each one against AbuseIPDB for malicious activity reported within the last 90 days. Because of AbuseIPDB's free-tier API limits, only the first 1,000 of the 5,313 matching IPs on Shodan were checked. Within that sample, 38 IPs (3.8%) had been reported for abuse. Extrapolating that 3.8% rate across all 5,313 exposed devices yields roughly 202 compromised DVRs worldwide. Two things to keep in mind: an AbuseIPDB report only exists for a device that was caught attacking someone and reported within the last 90 days, so 202 is a conservative floor rather than a count; and the extrapolation assumes the first 1,000 Shodan results are representative of the remaining 4,313. The true number of compromised devices, including dormant ones, is likely much higher.
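The Shodan-to-AbuseIPDB cross-reference and the extrapolation described above, rendered as an added Python example (the write-up's own script was a PowerShell prototype and is not reproduced here). Assumptions not taken from the page: AbuseIPDB's v2 /check endpoint with its Key header and data.totalReports field, HTTP 429 on quota exhaustion, a 1,000-check daily free-tier budget, and Shodan results reduced to match dicts carrying an ip_str field. The host list and abuse oracle in the block are constructed so that it runs offline.

```python
"""Cross-reference Shodan-exposed DVR IPs against AbuseIPDB and extrapolate a compromise count.

Added example, not the write-up's PowerShell prototype. Assumptions (not from the page):
AbuseIPDB v2 /check with a "Key" header and data.totalReports, HTTP 429 when the
quota is exhausted, a 1,000-check daily free-tier budget, and Shodan matches reduced
to dicts with an "ip_str" field. The sample hosts and abuse oracle are constructed.
"""
import json
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Iterable, List

ABUSEIPDB_CHECK = "https://api.abuseipdb.com/api/v2/check"
FREE_TIER_DAILY_CHECKS = 1000  # assumed free-tier quota


class QuotaExhausted(Exception):
    """Raised by a lookup when the API refuses further checks."""


def live_abuseipdb_lookup(api_key: str, max_age_days: int = 90) -> Callable[[str], int]:
    """Build lookup(ip) -> totalReports against the real API (needs network and a key)."""
    def lookup(ip: str) -> int:
        url = f"{ABUSEIPDB_CHECK}?ipAddress={ip}&maxAgeInDays={max_age_days}"
        req = urllib.request.Request(url, headers={"Key": api_key, "Accept": "application/json"})
        try:
            with urllib.request.urlopen(req, timeout=15) as resp:
                return int(json.load(resp)["data"]["totalReports"])
        except urllib.error.HTTPError as exc:
            if exc.code == 429:
                raise QuotaExhausted(ip) from exc
            raise
    return lookup


def unique_ips(shodan_matches: Iterable[dict]) -> List[str]:
    """Shodan emits one match per open port, so a DVR on 554 and 23 appears twice; dedupe in order."""
    return list(dict.fromkeys(m["ip_str"] for m in shodan_matches))


@dataclass
class SweepResult:
    total_exposed: int  # distinct IPs Shodan matched
    scanned: int        # how many the budget (or the quota) let us check
    reported: int       # scanned IPs with at least one report in the window

    @property
    def report_rate(self) -> float:
        return self.reported / self.scanned if self.scanned else 0.0

    @property
    def extrapolated(self) -> int:
        """Naive projection: treats the scanned prefix as representative of the rest."""
        return round(self.report_rate * self.total_exposed)


def sweep(ips: List[str], lookup: Callable[[str], int],
          budget: int = FREE_TIER_DAILY_CHECKS) -> SweepResult:
    """Check up to `budget` IPs, stopping cleanly if the service cuts us off first."""
    scanned = reported = 0
    for ip in ips[:budget]:
        try:
            reports = lookup(ip)
        except QuotaExhausted:
            break
        scanned += 1
        if reports > 0:
            reported += 1
    return SweepResult(len(ips), scanned, reported)


# Constructed stand-in for the Shodan result set: 5,313 distinct hosts, 50 of them listed twice.
SAMPLE_HOSTS = [f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}" for i in range(5313)]
SAMPLE_MATCHES = ([{"ip_str": ip, "port": 554} for ip in SAMPLE_HOSTS]
                  + [{"ip_str": ip, "port": 23} for ip in SAMPLE_HOSTS[:50]])
# Constructed oracle: 38 of the first 1,000 hosts carry abuse reports, none of the rest.
SAMPLE_REPORTED = {SAMPLE_HOSTS[i] for i in range(0, 1000, 27)}


def fake_lookup(ip: str) -> int:
    return 3 if ip in SAMPLE_REPORTED else 0


def run_sample() -> SweepResult:
    return sweep(unique_ips(SAMPLE_MATCHES), fake_lookup)


if __name__ == "__main__":
    r = run_sample()
    print(f"{r.total_exposed} exposed, {r.scanned} checked, {r.reported} reported "
          f"({r.report_rate:.1%}), ~{r.extrapolated} compromised if the sample is representative")
```

Swap fake_lookup for live_abuseipdb_lookup(key) to run against the real service. The deduplication step matters in practice: Shodan returns one record per open port, so a DVR listed on both 554 and 23 would otherwise be counted twice in the exposure total and burn two checks from a budget that is already the limiting factor.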
Once authenticated, the attacker ran a reconnaissance and environment-staging script. It first works through the restricted, vendor-specific CLI menus, trying escape commands in sequence until it lands in a standard Unix shell, which maps to MITRE ATT&CK technique T1059.004 (Command and Scripting Interpreter: Unix Shell). It then reads /proc/mounts to identify writable filesystems (T1082, System Information Discovery), changes into /dev/shm (a memory-backed tmpfs, so anything written there leaves no artifact on flash and disappears on reboot) and copies /bin/echo to a hidden file named .s, which both confirms the directory is writable and creates a dotfile, mapping to T1564.001 (Hide Artifacts: Hidden Files and Directories). Next it checks whether tftp and wget are present to determine which mechanism can fetch the primary malware payload (T1105, Ingress Tool Transfer). Finally it removes the temporary .s file to avoid leaving forensic artifacts (T1070.004, Indicator Removal: File Deletion) and ends the staging session. Note that the payload itself is not fetched in this session; the capture is the loader's feasibility check, not the infection.
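A detection-side view of the staging session, as an added example that is not tooling from the write-up: it tags each captured command with the ATT&CK technique the paragraph assigns and applies the timing argument (ten commands in about two seconds) as an automation heuristic. The transcript is constructed to match the description; the escape commands enable/system/shell/sh are the common pattern such loaders try rather than a verbatim copy of this capture, and the 0.5 s cadence threshold is this example's own assumption.

```python
"""Tag a captured Telnet command stream with ATT&CK techniques and test for automation.

Added example, not tooling from the write-up. SESSION is constructed to match the
described capture; the CLI-escape commands and the 0.5 s cadence threshold are
assumptions. Timestamps are seconds since the TCP connect.
"""
import re
import statistics
from typing import Dict, List, Optional, Tuple

# (pattern, ATT&CK technique or None, label). Patterns are this example's heuristics.
RULES: List[Tuple[re.Pattern, Optional[str], str]] = [
    (re.compile(r"^(enable|system|shell|sh)$"), "T1059.004", "Unix Shell: restricted-CLI escape"),
    (re.compile(r"^cat\s+/proc/mounts$"), "T1082", "System Information Discovery: writable filesystems"),
    (re.compile(r"^cd\s+/dev/shm\b"), None, "staging in memory-backed tmpfs (no flash artifact)"),
    (re.compile(r"^cp\s+\S+\s+\.\S+$"), "T1564.001", "Hidden Files and Directories: dotfile write test"),
    (re.compile(r"^(/bin/busybox\s+)?(tftp|wget)\b"), "T1105", "Ingress Tool Transfer: downloader probe"),
    (re.compile(r"^rm\s+(-\w+\s+)?\.\S+$"), "T1070.004", "Indicator Removal: File Deletion"),
]

# Constructed transcript: ten commands in 1.85 s, in the order the write-up describes.
SESSION = """\
0.000 enable
0.110 system
0.220 shell
0.330 sh
0.510 cat /proc/mounts
0.700 cd /dev/shm
0.880 cp /bin/echo .s
1.200 tftp
1.500 wget
1.850 rm -f .s
"""


def parse_session(text: str) -> List[Tuple[float, str]]:
    """Each line is '<seconds> <command>'; blank lines are ignored."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, _, cmd = line.partition(" ")
        events.append((float(ts), cmd.strip()))
    return events


def classify(cmd: str) -> Tuple[Optional[str], str]:
    """First matching rule wins; unknown commands are kept but left untagged."""
    for pattern, technique, label in RULES:
        if pattern.search(cmd):
            return technique, label
    return None, "unclassified"


def is_automated(events: List[Tuple[float, str]], max_mean_gap: float = 0.5,
                 min_commands: int = 5) -> bool:
    """A person at a Telnet prompt does not sustain sub-half-second command cadence."""
    if len(events) < min_commands:
        return False
    gaps = [later - earlier for (earlier, _), (later, _) in zip(events, events[1:])]
    return statistics.mean(gaps) < max_mean_gap


def summarize(text: str) -> Dict[str, object]:
    """Timeline with technique tags, plus the session-level automation verdict."""
    events = parse_session(text)
    timeline = [(ts, cmd, *classify(cmd)) for ts, cmd in events]
    techniques = sorted({tech for _, _, tech, _ in timeline if tech})
    return {
        "commands": len(events),
        "duration": events[-1][0] - events[0][0] if events else 0.0,
        "automated": is_automated(events),
        "techniques": techniques,
        "timeline": timeline,
    }


if __name__ == "__main__":
    report = summarize(SESSION)
    for ts, cmd, tech, label in report["timeline"]:
        print(f"{ts:6.3f}  {cmd:<20}  {tech or '-':<10}  {label}")
    print(f"{report['commands']} commands in {report['duration']:.2f} s, "
          f"automated={report['automated']}, techniques={report['techniques']}")
```

The cadence check is deliberately simple: a mean inter-command gap well under half a second, sustained over a handful of commands, is the cheapest discriminator between a scripted loader and an operator typing, and it needs nothing beyond the timestamps a Telnet honeypot or IDS already records. Treat the technique tags as analyst hints, not verdicts; a human who pastes a block of commands will trip the same heuristic.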
To protect against this specific attack vector, defenders should implement the following baseline configurations:
- Restrict Telnet access to an allow list of management IPs via a local firewall or VPN so the service is never reachable from the public internet; better still, disable Telnet entirely in favor of SSH, since Telnet sends credentials in cleartext.
- Enforce strong password policies and change default credentials on every account, including the vendor-provisioned secondary accounts (e.g. 666666) that ship alongside admin.
- Disallow remote root login over Telnet.
The set-and-forget lifecycle of physical security devices is actively fueling digital insecurity. When a DVR is left exposed and unmanaged, it ceases to be just a camera system and morphs into a free server for malicious actors. The ~2-second compromise documented here is a stark reminder: if you aren’t managing your edge devices, someone else already is.