Always-on CCTVs with no effective security harnessed into massive, unstoppable botnet

When security firm Sucuri investigated the source of a 50,000-request/second DDoS attack on a jewelry shop, they discovered to their surprise that the attacks originated from a botnet made up of 25,500+ hacked CCTV cameras in 105 countries.

These Internet of Things cameras were typical of IoT devices in that they ran with next to no security and inadequate patching systems. What's more, since they were always on and designed to transmit data over the public internet, they were especially powerful members of the botnet.

Sucuri researchers queried a sampling of the boxes and found that all of them showed they were running what was called the "Cross Web Server" that had a default Web page titled "DVR Components." The researchers later found the malicious IPs contained the company logos of resellers of CCTV services and that all the devices were running BusyBox, a collection of Unix-based utility tools that run on embedded devices. To make it harder to block the attack, the malicious devices had been programmed to emulate normal browser behavior by displaying a variety of common user agents, such as those associated with the Chrome, Internet Explorer, and Safari browsers. The hacked devices also displayed "referrers" falsely showing they had most recently visited sites including Engadget, Google, and USA Today.

Large botnet of CCTV devices knock the snot out of jewelry website [Dan Goodin/Ars Technica]

(Image: Different Types of Cctv Cameras, Tamasflex, CC-BY-SA)

Notable Replies

  1. So... Skynet is a bunch of webcams?

    We are so fucked.

  2. Back in the day, America had to learn on its own that corporations don't always make safe decisions for consumers. Dr. Zog's Bag O' Glass comes to mind (Fun sparkly colors! Fantastical noises! Never be bored again!)...okay, the Pinto and the Corvair come to mind as real examples.

    Can there be code that's unsafe at any speed? Will we reach a point in the near future of being able to sue the manufacturer of a webcam that allowed virtual intruders because of shoddy programming? Or will this always be a case of, "well gosh, that's too bad, sorry to hear it"?

  3. People keep bringing up Skynet. For this I'm thinking more like The Machine.

  4. You and I, both (hoping that this project works out). I'm enough of a computer person to think creating such a UL is a great idea, but not enough of a programmer to know how bad of an idea it is or how difficult such a thing would be to build/setup. I'm all for it, though, as the marketplace for IoT things feels a lot like (and looks a lot like) the Wild West.
