Penetration test engagement on client’s CCTVs and DVR VLAN.
During pentest and red team engagement, it is quite normal to see different pitfalls on network devices, some can be addressed easily like mis-configurations and lack of hardening, but some may require different approach. As an example, consultants found a particular brand of IP-CCTVs that is widely used here in the Philippines. Consultants were able to identify the specific model. Shortly, consultants were able to find and leverage several vulnerabilities to exploit CCTV devices within the network.
Some of the vulnerabilities found:
- Non SSL/TLS Login and communications
- Privilege Escalation
The findings in general were considered in a high criticality rating. Devices were found to be using the latest firmware available. Therefore, fixing the issues may require calling the attention of the manufacturer to release a patch for the aforementioned vulnerabilities.