360Netlab finds multiple vulnerabilities in LILIN DVR and has been compromised by botnets

The security of IoT devices, such as video recorders, has always been poor. Such devices usually have extremely slow firmware updates and end-users rarely perform maintenance.

This situation causes many video recorders to be directly compromised by botnets, and it is also possible that many users have not upgraded after the vulnerability has been fixed.

For example, this time 360Netlab discovered that there were multiple vulnerabilities in LILIN’s video recorders and it was used by botnets as early as last year.

LILIN is an established security camera manufacturer located in New Taipei City, Taiwan. Its products are located in China, the United States, the Middle East, Europe, and Africa.

360Netlab started monitoring multiple botnets on August 30, 2019. When it was unclear how these botnets attacked LILIN, in subsequent traces, researchers discovered vulnerabilities in their firmware.

DDoS Research Report

The discovered vulnerabilities include arbitrary file reading, command injection, and hard-coded login credentials. Among them, hard-coded login credentials are the weakest but most harmful vulnerabilities.

The so-called hard-coded login credentials refer to the manufacturer writing the account password in the firmware. Users of this type of password cannot be changed. Of course, the user does not know.

But after the attacker found this set of login credentials, as long as the network-connected camera is detected, they can drive straight in, and there is no need to resort to other vulnerabilities to complete the attack.

This time LILIN’s hard-coded login credentials in its webcam are root/icatch99 and report/8Jg0SR8K80, which looks like they are used for debugging.

The Qihoo360 team reported these vulnerabilities discovered in January to LILIN, and LILIN can still release a new version of firmware fixes in February.

Among them, there are 11 models of zero-day vulnerabilities in LILIN DVR. These webcams must update the firmware in time to block these zero-day vulnerabilities.

If the firmware is not updated, the vulnerability will always exist and be infected by botnets. At that time, the content captured by the camera may be viewed by hackers in real-time. The models involved include DHD516A/DHD508A/DHD504A/DHD316A/DHD308A/DHD304A/DHD204 IP Camera/DHD204A IP Camera/DHD208 IP Camera/DHD208A IP Camera/DHD216 IP Camera/DHD216A IP Camera.

Qihoo 360 found that at least three botnets took turns attacking these LILIN cameras, including the Chalubo, FBot, and Moobot botnets. Researchers did not disclose the use of cameras by these botnets, but most botnets are used to launch DDoS distributed denial of service. Here, we also remind you once again that all kinds of IoT devices must regularly check for firmware updates to prevent vulnerabilities.