[Guest Diary] Compromised DVRs and Finding Them in the Wild, (Thu, Apr 16th)

[This is a Guest Diary by Alec Jaffe, an ISC intern as part of the SANS.edu Bachelor's Degree in Applied Cybersecurity (BACS) program [1]. Security cameras are great at monitoring physical doors, but terrible at locking their own digital ones. Across the internet, thousands of unpatched DVRs sit publicly exposed, many guarded only by the default vendor passwords they shipped with. For threat actors, these are low-hanging fruit. This write-up details a recent two-second Telnet capture, providing a mechanical breakdown of how quickly an exposed camera system goes from online to fully compromised by bad actors. An attack from IP address %%ip:46.6.14.135%% was detected for 1.934 seconds, successfully connecting and authenticating to TCP %%port:23%% (Telnet) for the aforementioned time period. This initial access vector (utilizing username root and password root) maps to MITRE ATT CK techniques T1110.001 (Password Guessing) [2] and T1078 (Valid Accounts) [3]. The execution of ten sequential commands within a ~2-second session is inconsistent with manual interaction, meaning the attack is most likely automated. Figure 1: Summary of attack from output of cowrieprocessor [4]. Further investigation of the IP address using Shodan [5] reveals that the offending device is an Airspace Digital Video Recorder, (DVR) exposing an 8-channel CCTV system in Spain. Note that the OEM of Airspace is Dahua, a Chinese manufacturer of surveillance cameras and related equipment. Figure 2: General information exposed services of offending device, retrieved from Shodan [5], as of 2026-04-01. Figure 3: More exposed services of the offending DVR device, retrieved from Shodan [5], as of 2026-04-01. Note that the cameras are exposed through the web service. It s highly likely that an unsophisticated threat actor could gain direct access to the camera video feeds relatively easily through this by leveraging common Dahua default credentials (e.g. admin/admin or 666666/666666 ), which are explicitly documented in the vendor's own user manuals for legacy systems [6][7]. Additionally, note that the device s firmware hasn t been updated since at latest August of 2014, indicated by the Last-Modified value. Figure 4: AbuseIPDB results [8], as of 2026-04-01. Figure 5: First attack reported on AbuseIPDB [8], indicating the device has been compromised since 2025-11-28. Noticing similar attacks in my honeypot logs, I prototyped a PowerShell script (assisted by Gemini Pro) to estimate the global footprint of these compromised DVRs. For reference, the script is available on my Github [9]. It pulls IPs from Shodan matching the offending device's RTSP server hash [10], then cross-references them against AbuseIPDB to check for malicious activity reported within the last 90 days, utilizing the APIs of both services. Figure 6: sample of PowerShell script [8] output. Due to AbuseIPDB s free-tier API limits, I could only scan the first 1,000 of the 5,313 matching IPs identified on Shodan