Don't know if anyone saw this on TheRegister :
In short, the DVR code has security issues which make it accessible without logging in - which wouldn't be too bad if it were just visible on it's own network. However, the device also uses uPNP to ask the router to open up a hole in any firewall and make an inbound port mapping - which then makes the vulnerable device appear on your outside internet connection. And the third bit of the jigsaw is that many (most ?) consumer routers ship with uPNP enabled by default and few users realise just what a gaping security hole this is - I always turn it off when setting up a router as it's a completely f***ing stupid feature to have on.Hackers squeeze through DVR hole, break into CCTV cameras
Miscreants can copy, delete streams and even control the device
The digital video recorders of several CCTV video cameras are vulnerable to attacks that create a means for hackers to watch, copy or delete video streams, according to security researchers.
The researchers added that unless systems are properly firewalled, security flaws in the the firmware of the DVR platform also create a jumping-off point for attacks aimed at networks supporting these devices. The hackable CCTV devices from an estimated 19 manufacturers all use allegedly vulnerable firmware from the Guangdong, China-based firm Ray Sharp.
Scans suggest 58,000 hackable video boxes across 150 countries are vulnerable to attack.