New Hacking Tool Lets Users Access DVRs And Their Video Feeds

A new proof-of-concept tool has been released that claims to be able to remotely access thousands of digital video recorders (DVRs). getDVR exploits a vulnerability in two series of DVRs produced by TBK Vision.

Of the main concerns surrounding GetDvR and the associated CVE-2018-9995 vulnerability is the fact that there are many “white label” and rebranded versions of DVR IoT equipment by TBK.

The researcher who produced the proof-of-concept claims there are more than 55,000 vulnerable devices he was able to reach remotely when testing the exploit.

The tool, named getDVR_Credentials, is a proof-of-concept for CVE-2018-9995

The website Bleeping Computer reached out yesterday to a few security researchers to assess the tool’s working state and efficacy.

“I verified the code, and the script smoothly does what it is advertised, providing plaintext credentials for a variety of DVR models at the press of a button,” Ankit Anubhav, Principal Researcher at NewSky Security, a cyber-security company specialized in IoT security, told Bleeping Computer.

The researcher estimated the number of vulnerable devices to at least a few tens of thousands.