Hackers use 25K cameras to carry out botnet attack

July 1, 2016
Recent DDoS attack reveals the dangers unsecured IP cameras pose

Physical and IT security experts alike have been warning about the dangers posed by using unsecured IP cameras on the network for years. While there have been a handful of incidents that have certainly raised awareness about the severity of the problem, some integrators and end-users remain apathetic and have even failed to take even basic precautions. A recent report from website security firm Sucuri shows just how dangerous that lackadaisical attitude towards safeguarding IP cameras against hackers can be.

According to Sucuri co-founder and CTO Daniel Cid, their firm was recently contacted by the owner of a small jewelry store whose website had fallen victim to a distributed denial of service (DDoS) attack that was generating nearly 35,000 HTTP requests per second. They were eventually able to get the jewelry store’s website back up and running by switching their domain name system (DNS) to the Sucuri Network; however, shortly after the site came back online, the attack only grew in intensity – reaching nearly 50,000 HTTP requests per second. This continued for days, which is highly unusual in the case of most DDoS attacks. After some research, Cid and his team discovered that the attackers were using surveillance cameras to carry out the botnet attack – more than 25,000 of them to be precise.   

Although the culprits and their exact motivations for the attack against this website remain unclear, Cid said that a DDoS attack is typically perpetrated with the goal of taking down a website and that the cyber criminals behind them rely on a botnet, which is a network of servers, desktop computers and other Internet-enabled devices that can provide them with massive amounts of computing power.

“They always look for easy targets – usually desktop computers they can compromise – and then use this huge network of 10,000 desktops and just attack you,” Cid explains.

While it is not unprecedented for network cameras to be used as botnets, which cybersecurity firm Imperva Incapsula discovered late last year – Cid said the scale at which they were used in this attack hasn’t been witnessed before.

“This was a huge [number] of cameras with 25,000 different devices attacking one of our clients. As we started to look a bit deeper, we saw these cameras were spread all around the world,” Cid says. “Why are they doing that? First it hides the attacker, nobody knows who the attacker is and secondly, it gives them an immense amount of power to execute an attack. If they have 25,000 cameras, they can create 50,000 [HTTP] requests a second easily on a target and they are probably attacking multiple targets at the same time.”

After examining the IP addresses of the cameras used in the attack, Sucuri discovered they were all running the “Cross Web Server” and had a similar default HTTP page with a “DVR Components” title. Eventually, they were able to uncover company logos from the resellers and manufactures on all the IP addresses.

The majority, 46 percent, had default “H.264 DVR” logos and Cid said they are still working to determine the brand or brands of these cameras that were used in the attack. “We only know the software and they all used the same software,” Cid explains. “It’s all the same software and the same device, we just don’t know brand they’re using and that’s one of the things we’re trying to find out now.” 

The other compromised cameras had modified branding to match the company that built or sold them. Among the brands involved in the botnet and their distribution as a percentage of the cameras used in the overall attack included:  

  • ProVisionISR - 8 percent
  • QSee - 5 percent
  • QuesTek - 5 percent
  • TechnoMate- 3 percent
  • LCT CCTV - 2 percent
  • Capture CCTV - 2 percent
  • Elvox - 2 percent
  • Novus - 1 percent
  • MagTec CCTV- 1 percent

Cid says they are also currently trying to figure out who the hackers behind this particular botnet scheme are as this DDoS attack only represents a small portion of what they’re cable of doing with so many cameras at their disposal. “We are trying to find and go deep into the botnet itself and try to find their command and control device to see what else they are doing,” Cid adds.

Unsecured IP cameras are an extremely easy mark for hackers, according to Cid, as most of them are still running old software and are rarely, if ever, isolated from the larger network.  In fact, Cid said a quick search on Shodan, a search engine that indexes devices connected to the Internet, reveals more than 100,000 cameras that are vulnerable.

Cid says integrators and end-users really have to start taking the cybersecurity of surveillance camera networks much more seriously. First and foremost, Cid recommends that surveillance cameras be completely isolated from the Internet if at all possible. Secondly, he advises installers and end-users to change default usernames and passwords on cameras. “Are you kidding me, you’re putting this device on the Internet, anyone can see your cameras and not only that, you are leaving the default password open?” Cid says incredulously. “Anyone, who is not even an expert, can just guess your password, really easily, and take over your cameras.”

Unfortunately, Cid believes the botnet they uncovered is just the tip of the iceberg when it comes to the number of cameras that are or could potentially come under the control of cyber criminals as many of them have just started to expand the scope of their networks beyond infected desktops. “I think that’s the next step. They are really going to start going after [cameras],” Cid concludes.   

About the Author

Joel Griffin | Editor-in-Chief, SecurityInfoWatch.com

Joel Griffin is the Editor-in-Chief of SecurityInfoWatch.com, a business-to-business news website published by Endeavor Business Media that covers all aspects of the physical security industry. Joel has covered the security industry since May 2008 when he first joined the site as assistant editor. Prior to SecurityInfoWatch, Joel worked as a staff reporter for two years at the Newton Citizen, a daily newspaper located in the suburban Atlanta city of Covington, Ga.