Researchers at Incapsula have discovered a botnet that runs on compromised CCTV cameras. There are hundreds of millions, if not billions, of these in the field, and like many Internet of Things devices, their security is an afterthought and not fit for purpose.
The botnet that Incapsula discovered was being used to direct HTTP flood attacks peaking at 20,000 requests per second, originating from roughly 900 CCTV cameras around the world. The researchers have identified another botnet running on network-attached storage (NAS) devices.
The botnets running on these devices don't harm their owners much directly (beyond consuming some of their bandwidth), but the fact that cameras aimed at potentially sensitive locations, and drives holding sensitive data, are being compromised at scale by Internet-based attackers points to ways the owners could also be victimized by the same lack of security: whoever can run a DDoS bot on the device has the same access to its video feed or stored files.
All compromised devices were running embedded Linux with BusyBox—a package of stripped-down common Unix utilities bundled into a small executable, designed for systems with limited resources.
The malware we found inside them was an ELF binary for ARM named (.btce) a variant of the ELF_BASHLITE (a.k.a. Lightaidra and GayFgt) malware that scans for network devices running on BusyBox, looking for open Telnet/SSH services that are susceptible to brute force dictionary attacks.
CCTV Botnet In Our Own Back Yard [Ofer Gayer, Or Wilder, Igal Zeifman/Incapsula]
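The quoted description boils down to a dictionary attack: the bot connects to Telnet/SSH on any BusyBox host it finds and cycles through a list of default passwords. The script below is an added example (not Incapsula's code, and not part of the Bashlite/Lightaidra malware) of the detection logic a device owner or SOC could run over a camera's authentication log to spot that guessing. The log lines are constructed, and their syslog-style format is an assumption modelled on a BusyBox login failure; real devices vary, so LINE_RE is the part to adapt.

```python
"""Flag Telnet/SSH password guessing against an embedded device from its
authentication log. Added example; log format and sample lines are
constructed, not a real capture."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one camera, three sources. 203.0.113.7 hammers
# root/admin, 198.51.100.9 is a user fat-fingering a password twice, and
# 192.0.2.55 is a slow, low-volume probe spread over ten minutes.
SAMPLE_LOG = """\
Oct 21 10:13:59 cam01 telnetd[800]: connection from 203.0.113.7
Oct 21 10:14:01 cam01 login[812]: invalid password for 'root' on 'pts/0' from '203.0.113.7'
Oct 21 10:14:02 cam01 login[812]: invalid password for 'root' on 'pts/0' from '203.0.113.7'
Oct 21 10:14:04 cam01 login[812]: invalid password for 'root' on 'pts/0' from '203.0.113.7'
Oct 21 10:14:05 cam01 login[813]: invalid password for 'admin' on 'pts/0' from '203.0.113.7'
Oct 21 10:14:07 cam01 login[813]: invalid password for 'admin' on 'pts/0' from '203.0.113.7'
Oct 21 10:14:09 cam01 login[813]: invalid password for 'admin' on 'pts/0' from '203.0.113.7'
Oct 21 10:14:11 cam01 login[814]: invalid password for 'root' on 'pts/0' from '203.0.113.7'
Oct 21 10:14:13 cam01 login[814]: invalid password for 'root' on 'pts/0' from '203.0.113.7'
Oct 21 10:20:30 cam01 login[820]: invalid password for 'root' on 'pts/1' from '198.51.100.9'
Oct 21 10:20:41 cam01 login[820]: invalid password for 'root' on 'pts/1' from '198.51.100.9'
Oct 21 10:30:00 cam01 login[830]: invalid password for 'root' on 'pts/1' from '192.0.2.55'
Oct 21 10:32:10 cam01 login[831]: invalid password for 'root' on 'pts/1' from '192.0.2.55'
Oct 21 10:34:30 cam01 login[832]: invalid password for 'root' on 'pts/1' from '192.0.2.55'
Oct 21 10:36:50 cam01 login[833]: invalid password for 'root' on 'pts/1' from '192.0.2.55'
Oct 21 10:39:05 cam01 login[834]: invalid password for 'root' on 'pts/1' from '192.0.2.55'
"""

# Assumed line shape; adjust to what your device's login/telnetd/dropbear emits.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ login\[\d+\]: "
    r"invalid password for '(?P<user>[^']+)' on '[^']+' from '(?P<src>[^']+)'$"
)


def parse_failures(log_text, year=2015):
    """Return (timestamp, source_ip, username) for each failed login.
    Syslog lines carry no year, so the caller supplies it. Non-matching
    lines (e.g. the telnetd connection notice) are skipped."""
    failures = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        failures.append((ts, m["src"], m["user"]))
    return failures


def find_dictionary_attacks(failures, threshold=5, window=timedelta(seconds=60)):
    """Flag each source with at least `threshold` failures inside any
    sliding window of length `window`. Returns {src: summary}. A slow
    probe with gaps longer than the window never accumulates enough hits,
    so tune threshold/window to the device's expected traffic."""
    by_src = defaultdict(list)
    for ts, src, user in failures:
        by_src[src].append((ts, user))

    hits = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        flagged = False
        for end in range(len(events)):
            # Advance the left edge until the window covers events[start:end+1].
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged = True
                break
        if flagged:
            hits[src] = {
                "attempts": len(events),
                "users": sorted({u for _, u in events}),
                "first": events[0][0],
                "last": events[-1][0],
            }
    return hits


if __name__ == "__main__":
    for src, info in find_dictionary_attacks(parse_failures(SAMPLE_LOG)).items():
        print(f"{src}: {info['attempts']} failures, users={info['users']}, "
              f"{info['first']:%H:%M:%S}-{info['last']:%H:%M:%S}")
```

With the defaults only 203.0.113.7 is flagged; the slow probe from 192.0.2.55 slips under a 60-second window, which is the usual trade-off between catching low-and-slow guessing and paging on a user who mistyped twice. The detection only helps if the device actually logs failed logins somewhere you can read them; on many of these cameras the cheaper fix is the one Incapsula's report implies, which is to stop exposing Telnet/SSH with factory credentials in the first place.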