A new proof-of-concept tool has been released that claims to be able to remotely access thousands of digital video recorders (DVRs). getDVR exploits a vulnerability in two series of DVRs produced by TBK Vision.
One of the main concerns surrounding getDVR and the associated CVE-2018-9995 vulnerability is that there are many "white label" and rebranded versions of TBK's DVR IoT equipment.
The researcher who produced the proof-of-concept claims there are more than 55,000 vulnerable devices he was able to reach remotely when testing the exploit.
The website Bleeping Computer reached out yesterday to a few security researchers to assess the tool’s working state and efficacy.
“I verified the code, and the script smoothly does what it is advertised, providing plaintext credentials for a variety of DVR models at the press of a button,” Ankit Anubhav, Principal Researcher at NewSky Security, a cyber-security company specialized in IoT security, told Bleeping Computer.
The researcher estimated the number of vulnerable devices to be at least a few tens of thousands.
Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.