A five-year-old vulnerability in TBK’s DVR camera system (CVE-2018-9995) was exploited in the wild in April 2023, according to security researchers at Fortinet.
The high-severity flaw derives from an error the camera experiences when handling a maliciously crafted HTTP cookie. A remote attacker may exploit this flaw to bypass authentication and obtain administrative privileges, eventually gaining access to camera video feeds.
In an Outbreak Alert published on Monday, the Fortinet team explained that it had noticed a spike of more than 50,000 attempted attacks on these devices, with unique IPS (intrusion prevention system) detections, last month. The company uses this type of advisory to warn the wider cybersecurity industry about events that may have significant ramifications and affect several organizations.
In this case, the alert was issued because, despite the vulnerability being first discovered in 2018, a patch for it may not yet be available.
“[We are] not aware of any patches provided by the vendor and recommend organizations to review installed models of CCTV camera systems and related equipment for vulnerable models,” the firm wrote.
Further, according to TBK’s website, there are currently 600,00 cameras, 50,000 CCTV recorders and 300,000 accessories installed worldwide across banking, retail, government and other sectors, making the attack surface for the vulnerability particularly wide.
“With tens of thousands of TBK DVRs available under different brands, publicly-available PoC [proof of concept] code, and an easy-to-exploit makes this vulnerability an easy target for attackers,” reads the alert. “The recent spike in IPS detections shows that network camera devices remain a popular target for attackers.”
Organizations need to protect internet-facing devices like cameras, but often overlook them in their patching processes.
“Step one in protecting almost any device, especially Internet-facing ones, is patching (or firmware updates). Ideally, manufacturers would be setting these devices to auto-update by default,” commented John Bambenek, Principal Threat Hunter at Netenrich.