Don't buy cheap home automation/security/whatever equipment

Bad stuff happens.  Like the stuff that happens on this cheap home video surveillance DVR:

* The default username/password is blank, and it's hard to change.
* The above doesn't make much difference because they're not enforced anyway.
* There is a remote, unauthenticated web-accessible root shell that you can't disable.
* Snapshots from the first camera connected to the DVR are sent to…someone.  That someone is not the owner of the DVR, that's for sure.

Pwning CCTV camerasPen Test Partners

Leave a Reply