China Unicom or…Sneaky bastards

If you walk into any business or restaurant these days and look around or up, you’re likely to see a camera in a corner or the ceiling. The wires coming out of it go back to a box called a DVR. Some have four cameras, and some as many as 64 or more. They sit quietly capturing images and motion, most live. No one bothers to check on them to make sure they’re working. Just a digital video recorder. Until something happens.

Google or Bing around for DVR systems and you’re likely to come across one that’s become popular with businesses, hospitals, and schools. The Networker Pro PoE (Power over Ethernet) DVR. It comes in flavors up to 64 channels. That means up to 64 cameras. The price is very attractive. The setup is easy. Management is slick. Plug it in, and it basically works. You walk away happy as a lark that you’ve installed a security camera system to protect your business.

Now for the bad news.

The NWP PoE series of appliances runs on Helix/RealServer OS, a customized flavor of Linux. Over the years it’s been known to have vulnerabilities, some of which were patched. The software that runs this DVR is written and developed in China. The box itself is very OEM and nondescript, with nothing to indicate it was made in China.

What you don’t know is that once your platform is operational and your cameras are live, they call home. What? Yes, they call home to momma. Where’s momma? China. Specifically, China Unicom, which is a government-owned entity that provides “cloud” storage.

Your NWP DVR cameras are uploading to cloud-based storage owned by the Chinese government. And you don’t know about it. You can’t tell either unless you make it your business to hunt Chinese bad guys. Your DVR isn’t uploading the recordings. The cameras are sending a live feed. Zoom. Tilt. Pan. Record. Everything. Someone on the other end watches.
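One way to check for the behaviour described above, where the cameras rather than the DVR send traffic off the network: an added example (not from the original post) that scans flow records for sustained uploads from the camera VLAN to external addresses. The subnet, DVR address, thresholds, port numbers and sample flows are constructed assumptions.

```python
import csv
import io
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumptions (not from the article): camera VLAN, DVR address, thresholds.
CAMERA_NET = ip_network("192.168.50.0/24")
DVR_ADDR = ip_address("192.168.50.10")
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MIN_BYTES = 5_000_000      # total upload that counts as a stream, not a time sync
MIN_INTERVALS = 3          # distinct minutes with traffic

# Constructed flow export: epoch seconds, source, destination, dest port, bytes sent.
SAMPLE_FLOWS = """\
ts,src,dst,dport,bytes_out
1700000000,192.168.50.21,192.168.50.10,554,9000000
1700000005,192.168.50.21,203.0.113.40,8000,4000000
1700000065,192.168.50.21,203.0.113.40,8000,4200000
1700000125,192.168.50.21,203.0.113.40,8000,3900000
1700000010,192.168.50.22,198.51.100.7,123,96
1700000030,192.168.50.10,198.51.100.9,443,20000
1700000040,192.168.10.5,203.0.113.40,443,80000000
"""

def is_internal(addr):
    return any(addr in net for net in INTERNAL)

def find_camera_egress(flow_csv):
    """Return (src, dst, dport, total_bytes, role) for sustained external uploads."""
    totals = defaultdict(int)
    minutes = defaultdict(set)
    for row in csv.DictReader(io.StringIO(flow_csv)):
        src, dst = ip_address(row["src"]), ip_address(row["dst"])
        if src not in CAMERA_NET or is_internal(dst):
            continue  # only camera-VLAN sources talking to the outside
        key = (str(src), str(dst), int(row["dport"]))
        totals[key] += int(row["bytes_out"])
        minutes[key].add(int(row["ts"]) // 60)
    findings = []
    for key, total in totals.items():
        if total >= MIN_BYTES and len(minutes[key]) >= MIN_INTERVALS:
            role = "dvr" if key[0] == str(DVR_ADDR) else "camera"
            findings.append((*key, total, role))
    return sorted(findings, key=lambda f: -f[3])

if __name__ == "__main__":
    for src, dst, dport, total, role in find_camera_egress(SAMPLE_FLOWS):
        print(f"{role} {src} -> {dst}:{dport} sent {total} bytes to an external host")
```

On the constructed sample, only the camera at 192.168.50.21 is reported; the camera-to-DVR stream, the small NTP exchange, and the workstation outside the camera VLAN are ignored.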

Hello People’s Republic of China. Your ass just got busted. Next I’m going to tear down the Helix setup and see what you’ve done. I know where you are. I know who you are. I know your IPs. One of these days I’m going to leave a note for you on that pretty cloud storage platform you’ve built. Before that, I’m going to call up some friends who will take an interest in what you’re doing.

Want more information? Just ask.

And if you’re from PRC and work for China Unicom, I’m coming for you.


