Backdoor Found in MVPower DVR Firmware

Security researchers from Pen Test Partners regularly test random IoT devices. This time they decided to test DVRs (Digital Video Recorders), which are also part of standard CCTV setups. An MVPower DVR was selected for the experiment, and a few tests uncovered a large number of security and privacy issues.


Hi guys,

Make sure your CCTV isn’t one of these.


The researchers were able to bypass the device’s web-based login by manually setting an arbitrary username and password in their browser’s cookie, to force the device to start as root, and to open a web shell that allowed them to run commands on the DVR.

From there they installed a reverse shell for easier access to the device’s terminal. The device had no CSRF protection and no brute-force protection, and the web admin panel used plain HTTP rather than HTTPS, exposing its users to man-in-the-middle (MitM) attacks.

That’s not all. The firmware contains backdoor functionality that takes a snapshot from the first camera and sends it to a hard-coded address at a Chinese email provider, “lawishere@yeah.net”. The email’s subject is “Who are you?” and its body contains a 320x180px snapshot of the CCTV feed.
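If you have a DVR of this kind, the quickest check is to pull the firmware (or the main binary from it) and look for the hard-coded recipient. The following scanner is an added example written for this article, not code from Pen Test Partners or from the firmware; it searches a raw image for the two indicators the article names (the recipient address and the “Who are you?” subject) and, going one step further than the article, also lists any other e-mail address embedded as a printable string, so a different hard-coded recipient would show up too. The sample image at the bottom is constructed for the example and is not a real MVPower image.

```python
import re

# Indicators from the article: the hard-coded recipient address and the
# subject line the backdoor uses.
BACKDOOR_EMAIL = b"lawishere@yeah.net"
BACKDOOR_SUBJECT = b"Who are you?"

# Generic pattern for any e-mail address embedded as a printable string, so
# the scan also surfaces hard-coded recipients the article does not list.
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def find_all(blob, needle):
    """Return every byte offset at which needle occurs in blob (overlaps included)."""
    offsets = []
    start = 0
    while True:
        idx = blob.find(needle, start)
        if idx == -1:
            return offsets
        offsets.append(idx)
        start = idx + 1


def scan_firmware(blob):
    """Scan a raw firmware image (or a binary extracted from it).

    Returns a dict with:
      'backdoor_email'   - offsets of the known recipient address
      'backdoor_subject' - offsets of the known subject line
      'other_emails'     - sorted list of any other e-mail addresses found
    """
    emails = {m.group(0) for m in EMAIL_RE.finditer(blob)}
    emails.discard(BACKDOOR_EMAIL)
    return {
        "backdoor_email": find_all(blob, BACKDOOR_EMAIL),
        "backdoor_subject": find_all(blob, BACKDOOR_SUBJECT),
        "other_emails": sorted(e.decode("ascii") for e in emails),
    }


def scan_file(path):
    """Convenience wrapper: scan a firmware image on disk."""
    with open(path, "rb") as f:
        return scan_firmware(f.read())


def is_backdoored(report):
    """The hard-coded recipient address is the decisive indicator; the subject
    line on its own could be a coincidence, so it is reported but not decisive."""
    return bool(report["backdoor_email"])


# Constructed sample: a fake ELF header and filler around the strings the
# article describes. This is NOT a real MVPower image, just test input.
SAMPLE_IMAGE = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 24   # 32 bytes of fake header
    + b"smtp_send\x00"                          # offset 32
    + b"Who are you?\x00"                       # offset 42
    + b"lawishere@yeah.net\x00"                 # offset 55
    + b"support@example.com\x00"                # offset 74, an unrelated address
    + b"\xff" * 16
)

if __name__ == "__main__":
    report = scan_firmware(SAMPLE_IMAGE)
    for key, value in report.items():
        print(f"{key}: {value}")
    print("backdoored:", is_backdoored(report))
```

On a real image run `scan_file("firmware.bin")`; if the image is compressed (squashfs, cramfs, LZMA-packed kernel) extract it first, since the scanner only sees plaintext strings. A hit on the address is a clear signal; an empty result only says the address is not stored in clear text, not that the device is clean.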

It was also discovered that the firmware was taken from the JUAN-Device GitHub repo, maintained by someone named Frank Law. That account was taken offline after British developer Gregory Fenton confronted Frank about it.

The email address is apparently still active, and a Shodan search shows around 44,000 devices currently reachable online that return the same server header as the MVPower DVR.

Among online stores, the MVPower DVR seems to be sold only on Amazon.

According to Andrew Tierney of Pen Test Partners, no details could be found about the MVPower name. The firmware suggests a connection with Juantech, but none of Juantech’s firmware images are compatible with it. Given how obscure the company is, security updates are unlikely.

It has been noted that both Juantech and the Yeah.net email provider are registered in China’s Guangdong province (near Hong Kong).

Someone under the name Frank Law is also the author of two CCTV apps on the iTunes App Store and the Google Play Store, both of which link back to the dvr163.com website.

The question is why the GitHub repositories keep going offline whenever someone points out that the emailing functionality is still in the firmware’s code, instead of the functionality being removed. Here’s another repo that also includes the emailing functionality; emails are still sent to the same address.
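Since the code keeps reappearing and no vendor fix is likely, the practical defence is on the network: a DVR on a camera VLAN has no reason to submit mail to anyone, so any outbound SMTP from that segment is a signal worth alerting on (and worth blocking at the gateway). The detector below is an added example, not part of the article or the Pen Test Partners research. It assumes an iptables-style FORWARD log format and a camera subnet of 192.168.10.0/24; both are assumptions for the example, and the log lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed for the example: the subnet that holds the CCTV gear. Adjust to yours.
CAMERA_NET = ipaddress.ip_network("192.168.10.0/24")

# Mail-submission ports (SMTP, SMTPS, submission). A DVR should touch none of them.
SMTP_PORTS = {25, 465, 587}

# Assumed log format: iptables-style "SRC=... DST=... PROTO=TCP ... DPT=..." lines.
LOG_RE = re.compile(r"SRC=(\S+) DST=(\S+) .*?PROTO=TCP .*?DPT=(\d+)")


def parse_line(line):
    """Return (src, dst, dport) for a TCP log line, or None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m.group(1), m.group(2), int(m.group(3))


def find_smtp_egress(lines, camera_net=CAMERA_NET):
    """Return {src_ip: sorted list of (dst_ip, dport)} for hosts inside
    camera_net that opened TCP connections to mail-submission ports."""
    hits = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, dport = parsed
        try:
            src_ip = ipaddress.ip_address(src)
        except ValueError:
            continue  # malformed address in the log, skip the line
        if src_ip in camera_net and dport in SMTP_PORTS:
            hits[src].add((dst, dport))
    return {src: sorted(dests) for src, dests in hits.items()}


# Constructed sample log: two camera-subnet hosts talk SMTP, one office host does
# too (out of scope), plus web, NTP and junk lines that must be ignored.
SAMPLE_LOG = [
    "Mar 14 10:01:02 gw kernel: FORWARD IN=eth1 OUT=eth0 SRC=192.168.10.20 DST=203.0.113.7 LEN=60 PROTO=TCP SPT=41232 DPT=25 SYN",
    "Mar 14 10:01:05 gw kernel: FORWARD IN=eth1 OUT=eth0 SRC=192.168.10.20 DST=203.0.113.7 LEN=60 PROTO=TCP SPT=41233 DPT=80 SYN",
    "Mar 14 10:02:11 gw kernel: FORWARD IN=eth1 OUT=eth0 SRC=192.168.10.21 DST=198.51.100.9 LEN=60 PROTO=TCP SPT=50001 DPT=587 SYN",
    "Mar 14 10:03:00 gw kernel: FORWARD IN=eth2 OUT=eth0 SRC=192.168.20.5 DST=198.51.100.9 LEN=60 PROTO=TCP SPT=50002 DPT=587 SYN",
    "Mar 14 10:03:30 gw kernel: FORWARD IN=eth1 OUT=eth0 SRC=192.168.10.20 DST=203.0.113.7 LEN=48 PROTO=UDP SPT=123 DPT=123",
    "garbage line that is not a firewall record",
]

if __name__ == "__main__":
    for src, dests in find_smtp_egress(SAMPLE_LOG).items():
        print(f"ALERT camera host {src} opened mail connections to: {dests}")
```

Run it over the gateway's forwarding log (for example the output of `journalctl -k` or `/var/log/kern.log` on a Linux router that logs FORWARD traffic). Any host it reports is either a misconfigured device or exactly the behaviour this article describes; the complementary control is a gateway rule that drops TCP 25/465/587 from the camera VLAN, which stops the snapshot leaving even if the firmware cannot be fixed.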


Source: Akati
