Over 130,000 vulnerable products available online
AVTECH, a Taiwanese CCTV equipment manufacturer, has failed to respond to Search-Lab, a Hungarian security firm that spent more than a year trying to inform the company about 14 security bugs affecting the firmware of all its products.
Almost a year after it first contacted the hardware maker, Search-Lab published a public advisory about the vulnerabilities it discovered, warning sysadmins that their AVTECH products may be in danger of exploitation.
AVTECH fails to provide firmware updates
According to the advisory, the bugs found by Search-Lab researcher Gergely Eberhardt allow attackers to take over AVTECH products remotely, over the Internet.
As such, the researcher is issuing a public warning, urging sysadmins to change the default admin password on AVTECH equipment so that the devices are not recruited into a DDoS botnet, as previously happened with devices from manufacturers such as Dahua, AVer, and TVT.
But changing the admin password is not enough, the researcher says: other flaws in the list allow attackers to bypass the authentication procedure altogether, so a strong password alone does not keep them out.
To safeguard their equipment, Eberhardt recommends that companies block access from the Internet to the devices’ configuration panel and allow access to it only from internal IPs or selected IP ranges.
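One way to enforce that restriction at the network edge, as an added example that is not from the advisory, from Search-Lab or from AVTECH: a POSIX shell function that emits an nftables ruleset for a Linux gateway sitting in front of the camera. Because some of the reported flaws bypass authentication, the rule does not trust the device's login page at all; it simply makes the management ports unreachable from anything but the administrative networks. The camera address 192.0.2.10, the management ports 80 and 443 and the internal ranges are placeholders chosen for the example, not values taken from the advisory.

```shell
#!/bin/sh
# Added example: generate an nftables ruleset that allows the camera's web
# management ports only from internal (admin) networks and logs and drops
# everything else reaching those ports. All addresses and ports below are
# placeholders chosen for the example, not values taken from the advisory.

CAMERA_IP="${CAMERA_IP:-192.0.2.10}"                    # assumed camera address
MGMT_PORTS="${MGMT_PORTS:-80, 443}"                     # assumed management ports
ADMIN_NETS="${ADMIN_NETS:-10.0.0.0/8 192.168.0.0/16}"   # assumed internal ranges, space separated

# gen_ruleset CAMERA_IP "PORT, PORT" "CIDR CIDR ..."  -> nft ruleset on stdout
gen_ruleset() {
    cam="$1"
    ports="$2"
    nets=$(printf '%s' "$3" | sed 's/ /, /g')   # "a/8 b/16" -> "a/8, b/16"

    printf 'table inet cctv_guard {\n'
    printf '    set admin_nets {\n'
    printf '        type ipv4_addr\n'
    printf '        flags interval\n'
    printf '        elements = { %s }\n' "$nets"
    printf '    }\n'
    printf '    chain forward {\n'
    printf '        type filter hook forward priority 0; policy accept;\n'
    # internal admin networks may reach the configuration panel
    printf '        ip daddr %s tcp dport { %s } ip saddr @admin_nets accept\n' "$cam" "$ports"
    # everyone else, the Internet included, is logged and dropped
    printf '        ip daddr %s tcp dport { %s } log prefix "cctv_mgmt_denied " drop\n' "$cam" "$ports"
    printf '    }\n'
    printf '}\n'
}

# Run directly: print the ruleset. Apply it on the gateway with:
#   gen_ruleset "$CAMERA_IP" "$MGMT_PORTS" "$ADMIN_NETS" | nft -f -
gen_ruleset "$CAMERA_IP" "$MGMT_PORTS" "$ADMIN_NETS"
```

The rule lives in the forward hook, so it also catches traffic arriving through a router port-forward (the filter runs after DNAT). It is a backstop, not a substitute for removing the port-forward or UPnP mapping that exposed the device in the first place; the log prefix gives the SOC a simple string to alert on for any outside host still probing the panel.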