Hardcoded Root Credentials In Multiple DVRs
Zhuhai RaySharp Technology is a Chinese manufacturer of CCTV systems, including stand-alone DVRs. While based in China, the company’s products are available worldwide. Supposedly, “more than 60,000 DVR units are exported every month & delivered to all over the world”. Furthermore, the firmware used in the company’s own DVR product line is also sold to a large number of DVR OEM vendors located in Europe and the USA.
The vendor’s mission is to “provide easy-to-install, simple-to-operate, high-quality and competitive-priced line of video surveillance products and let people feel safe in their daily life and work”. Most of the goals in the mission statement may have been achieved, but certainly people using their DVR products should not “feel safe in their daily life” based on our research findings.
DVRs based on the Zhuhai RaySharp firmware provide a web-based management interface for users to manage the system, view feeds from connected surveillance cameras, and use the PTZ (Pan-Tilt-Zoom) controls. It was found that the interface contains hardcoded root credentials that allow anyone to easily access the device.
Based on searches using Shodan.io, there seem to be between 36,000 and 46,000 affected Internet-connected devices. About half of these are located in the USA, with the remaining Top 5 countries being the UK, Canada, Mexico, and Argentina, in that order.
For full details, please access the research report here.
In addition, CERT has published an alert.
Nicely done, RBS.