A security researcher has found a slew of vulnerabilities in products made by Taiwanese electronics maker Avtech.
Gergely Eberhardt said in a blog post that of the most serious flaws, an attacker could retrieve the plaintext-stored password of various Avtech products, including digital video recorders and internet-connected surveillance cameras. In the 14 vulnerabilities, he also found unauthenticated command injection and information leakage flaws.
Eberhardt published proof-of-concept code alongside each vulnerability after not hearing back from the company after three separate attempts in almost a year.
You probably think that bug-ridden surveillance cameras aren’t a big deal but it’s what hackers can do with those compromised devices that should have you concerned.
At the time of Eberhardt’s post, he said at least 130,000 Avtech devices appear on Shodan, the search engine for open ports and Internet of Things devices. (It was slightly less when we checked, landing in at 120,757 devices as of Wednesday.)
But that’s still a significant number of Internet of Things devices that are prime-picking for launching a powerful botnet, capable of bringing down sites and overloading networks.
These types of botnets are becoming more common. Just last week, independent security reporter Brian Krebs’ website was downed by a huge distributed denial-of-service attack launched by the Mirai botnet, which was powered in part by compromised internet-connected devices.
Eberhardt’s advice is simple. Users should change their Avtech device passwords. And to be really safe, “never expose the web interface of any Avtech device to the internet,” he added.