185,000+ IoT security cameras are vulnerable to a new worm

Persirai is a new strain of Internet of Things malware that infects more than 1,250 models of security camera, all manufactured by an unnamed Chinese manufacturer that has sold at least 185,000 units worldwide.


The vulnerability the malware exploits was discovered and documented by Pierre Kim, an independent security researcher, who has located at least 185,000 vulnerable devices using the Shodan search engine. The cameras all try to tunnel out of their local firewalls by sending unencrypted data over UDP — a cousin to TCP — leaving them vulnerable to hijacking. Once compromised, the cameras can be used to direct devastating, unstoppable floods of traffic to bring down web sites, and can also be remotely monitored by voyeurs, burglars, and other malefactors.

The cameras are "overall badly designed with a lot of vulnerabilities" and are sold as "white-label" goods that other companies can brand and sell under a variety of model numbers (this is common with Internet-of-Shit devices, like the insecure PVRs used by criminals to monitor CCTVs in order to plan robberies).


Less than a month after Kim's report, the Persirai appeared on the scene, harnessing infected devices to serve as part of a denial-of-service botnet. Persirai alters infected devices to prevent them from being infected by competing strains of malware — this may also offer some protection against the vigilante worms (like Brickerbot) that unknown parties have fielded to infect and permanently shut down vulnerability devices.

New IoT malware targets 100,000 IP cameras via known flaw
[Michael Kan/CSO Online]


Multiple vulnerabilities found in Wireless IP Camera (P2P) WIFICAM cameras and vulnerabilities in custom http server
[Pierre Kim/IT Security Research by Pierre]


(via /.)