A wormable vulnerability affecting an estimated one million digital video recorders (DVRs) could give rise to a Mirai-style botnet, security researchers warn.
UK-based security consultancy Pen Test Partners said that the issue stems from a zero-day (unpatched) flaw in networking software from Chinese manufacturer XiongMai.
Pen Test Partners has been researching DVR security since February 2016, long before Mirai took out DNS provider Dyn in October 2016. The firm found a buffer overflow in the web interface that leaves more than one million devices vulnerable.
"This [flaw] leads to remote code execution and a wormable exploit," researchers warned. "Shodan [a search engine for internet-connected devices] shows ~1M devices available as of today, which would make for a nice botnet."
Pen Test Partners has discovered other Mirai-style vulnerabilities before, but the latest issue represents a different and potentially more severe threat.
"There are more than 50 different brands of DVR that use this software," Pen Test Partners' Ken Munro told El Reg. "The supply chain is so extended, most of the DVR vendors probably don't even realise they're using XiongMai software."
Pen Test Partners' experts also discovered a non-standard telnet port (12323) that creates a route for brute-force hack attempts based on default passwords against some vulnerable devices.
El Reg has invited XiongMai to comment but we're yet to hear back. We'll update this story as and when we learn more. ®