Backdooring DVR/NVR devices

By Arun Mane on 08 Nov 2018 @ Defcamp
#hardware-reverse-engineering #embedded-security #security-assessment #backdoors #firmware-analysis
Focus Areas: Hardware Security, IoT Security, Penetration Testing, Reverse Engineering, Vulnerability Management

Abstract

Embedded, IoT and connected devices are proliferating as demand grows and the industry keeps innovating, and because of that market pressure they tend to lag on security. There are many ways to attack such devices, especially DVR/NVR units. Five or six years ago the NSA ANT catalog leaked; it described how devices were backdoored so that data could be intercepted or extracted from the system. That leak brought hardware implant attacks into the public domain. Although planting an implant is an old technique for attacking embedded devices, it is easy and proven, which is why some well-known researchers started the NSA Playset, a project that introduces different kinds of tools that researchers and security practitioners can take advantage of in their own research, study or attacks. In this talk, we take these ideas as a reference and implement a hardware backdoor using hardware hacking skills. Through this backdoor we can track devices, obtain a root shell from anywhere, and stream fake videos or images to the console, Hollywood style.

AI Generated Summary

This talk addresses hardware-based backdooring of embedded video recording devices, specifically Digital Video Recorders (DVRs) and Network Video Recorders (NVRs), within the broader context of insecure Internet of Things (IoT) and industrial control systems (ICS). The research highlights that market pressure leads vendors to neglect hardware security, resulting in devices with common software vulnerabilities (e.g., default credentials, web application flaws) and accessible debug interfaces.

The core technical contribution is the demonstration of a hardware implant for persistent, remote access. Through manual (multimeter conductivity testing) and automated (JTAGulator) methods, UART debug ports were discovered on target devices. These ports, often intended for monitoring, provided direct root shell access without authentication. A low-cost prototype implant was constructed using a Raspberry Pi, a GSM module (~€12), and a USB-to-serial converter (e.g., Chakra). This device, physically installed inside the DVR/NVR, exfiltrates GPS coordinates via SMS and creates a Wi-Fi hotspot for local shell access. A cron-driven bash script automates the location reporting.

Practical implications include the feasibility of such implants for physical penetration testing or red team engagements, bypassing network-level defenses. The attack requires initial physical access but enables long-term compromise. The research underscores a systemic failure in embedded device design, where debug interfaces are left enabled and unsecured, and identical hardware/firmware across many low-cost devices allows a single implant design to be widely effective. Mitigation requires vendors to disable or secure debug ports and implement secure boot, though this is uncommon in consumer-grade equipment. The work demonstrates that hardware security is a critical, overlooked component of IoT/ICS risk.
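The summary's mitigation point, that vendors should disable or secure debug ports, can be checked on a firmware image. The following script is an added example and is not material from the talk: it audits a BusyBox-style /etc/inittab for serial consoles that spawn a shell with no login step, which is the configuration that hands out an unauthenticated root shell over UART. The two inittab contents are constructed samples, and BusyBox's `id:runlevels:action:process` line format is assumed.

```shell
#!/bin/sh
# Added example, not from the talk: flag inittab entries that put a bare shell
# on a serial port. Assumes BusyBox inittab syntax: id:runlevels:action:process.

# Constructed sample resembling a consumer DVR image: two bad entries,
# one getty-backed console, and non-tty entries that must be ignored.
WEAK_INITTAB='::sysinit:/etc/init.d/rcS
ttyS0::respawn:-/bin/sh
ttyS1::askfirst:/bin/sh
ttyS2::respawn:/sbin/getty -L ttyS2 115200 vt100
::ctrlaltdel:/sbin/reboot'

# Constructed hardened variant: the debug UARTs have no entry at all and the
# remaining console goes through getty, so a password is required.
HARDENED_INITTAB='::sysinit:/etc/init.d/rcS
ttyS2::respawn:/sbin/getty -L ttyS2 115200 vt100
::ctrlaltdel:/sbin/reboot'

# Print "tty:process" for every tty entry whose process is a shell rather
# than getty/login. Exit 0 if any such entry exists, 1 if none.
find_unauthenticated_consoles() {
    printf '%s\n' "$1" | awk -F: '
        $1 ~ /^tty/ && $3 ~ /^(respawn|askfirst|once)$/ {
            proc = $4
            for (i = 5; i <= NF; i++) proc = proc ":" $i   # rejoin ":" inside the command
            sub(/^-/, "", proc)                            # leading "-" marks a login shell
            if (proc ~ /(^|\/)(sh|ash|bash)([ \t]|$)/) { print $1 ":" proc; found = 1 }
        }
        END { exit found ? 0 : 1 }'
}

# Number of flagged entries, convenient when scanning many extracted images.
count_unauthenticated_consoles() {
    find_unauthenticated_consoles "$1" | wc -l | tr -d ' '
}

if find_unauthenticated_consoles "$WEAK_INITTAB"; then
    echo "weak inittab: unauthenticated serial console(s) found"
fi
find_unauthenticated_consoles "$HARDENED_INITTAB" || echo "hardened inittab: clean"
```

Run it against the inittab extracted from a firmware image (for example, after unpacking the root filesystem) to confirm that every serial console goes through getty or is absent entirely.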

Disclaimer: This summary was auto-generated from the video transcript using AI and may contain inaccuracies. It is intended as a quick overview; always refer to the original talk for authoritative content.