An expert in IoT security offers perspective on findings by (published on Twitter) by Ankit Anubhav, Principal Researcher at NewSky Security, that login passwords for tens of thousands of Dahua DVR devices have been cached and indexed inside search results returned by IoT search engine ZoomEye. Related: CVE-2013-6117.
Sean Newman, Director Product Management at Corero Network Security:
“Reports of passwords for thousands of public Internet-facing DVRs being exposed by the ZoomEye search engine, further highlight how connected device vulnerabilities can go unpatched for many years. In this case, a vulnerability from 2013 is being openly leveraged to extract admin passwords for the systems. This highlights one of the key issues with IoT security where, even though the vendor had actually fixed the vulnerability, the owners of the devices still haven’t got around to, or been able to, upgrade them.
“While this behaviour continues, there remains no end in sight for IoT devices being acquired for various nefarious activities including use in botnets for launching DDoS and other large-scale criminal campaigns.”