A Chinese company that manufactures white-labeled DVRs still hasn't patched a security flaw that's been targeted by IoT botnets for over a year.
This particular vulnerability is a severe RCE (Remote Code Execution) bug that allows an attacker to take over a DVR via a simple request.
Security flaw discovered in March 2016 remained unfixed
The flaw came to light last year, after a report from security researcher Rotem Kerner. His investigation discovered that this flaw was present in the firmware of DVRs manufactured by Chinese company TVT.
Unfortunately, this wasn't just any DVR manufacturer, but a seller of white-label products, meaning other vendors purchased the DVRs from TVT, slapped their logo on top, and sold them to their own customers as separate products. In total, Kerner tracked the sloppily coded DVR firmware to 70 other DVR vendors.
Despite numerous contact attempts, Kerner was unable to get in contact with the company, meaning the vulnerability remained unpatched.
TVT flaw became a favorite target for IoT botnet herders
...