Security Week has written an article discussing a spike in attacks exploiting CVE-2018-9995, a 5 year old critical authentication bypass vulnerability in TBK Vision devices, and CVE-2016-20016, a 7 year old vulnerability in MVPower devices. Reported by Fortinet, both of these manufacturers produce CCTV equipment often used to protect critical infrastructure facilities, with TBK Vision claiming it’s deployed “over 600,000 cameras, 50,000 CCTV recorders, and other devices being used by organizations in banking, government, retail, and other sectors.” Reportedly, the vulnerability impacts the following products – TBK’s DVR4104 and DVR4216 devices, which are also rebranded and sold under the CeNova, DVR Login, HVR Login, MDVR Login, Night OWL, Novo, QSee, Pulnix, Securus, and XVR 5 in 1 brands. FortiGuard Labs is not aware of any patches provided by the vendor and recommends organizations review installed models of CCTV camera systems and related equipment for vulnerable models.
Members who utilize the impacted products are highly encouraged to review available reporting and address accordingly. This spike in detection and exploitation attempts is another example of how insecure IoT devices persist, as both CVEs still do not have a patch available, and, as Fortinet notes, why “network camera devices remain a popular target for attackers.” Read more at Security Week.