The late October takedown of Dyn DNS services caused major websites and services to become unavailable to many millions of users in North America and Europe. Affecting a large number of well-known sites—including Twitter, Amazon, Tumblr, Reddit, Spotify, GitHub and Netflix—it showed just how disruptive a distributed denial of service (DDoS) attack can be. The previous month, a 620Gbps assault hit the website of renowned security journalist Brian Krebs in one of the largest DDoS events to date.
The massive but short-lived success of both assaults has been attributed to the widespread infection of Mirai malware in Internet of Things (IoT) devices, including a large number of network security cameras. Krebs notes that the Dyn assault also involved DVRs connected to CCTV devices.
And while the attacks on Krebs and Dyn eventually stopped, the botnet threat remains.
As Dyn states on its blog site, "This attack has opened up an important conversation about Internet security and volatility. Not only has it highlighted vulnerabilities in the security of… (IoT) devices that need to be addressed, but it has also sparked further dialogue in the… infrastructure community about the future of the Internet."
In a recent post, Imperva saw the following:
Investigation of the [Krebs] attack uncovered 49,657 unique IPs [that] hosted Mirai-infected devices… these were mostly CCTV cameras—a popular choice of DDoS botnet herders… Overall, IP addresses of Mirai-infected devices were spotted in 164 countries… even in such remote locations as Montenegro, Tajikistan and Somalia.
Compounding matters, Mirai source code has been released into the wild, enabling anyone to easily build out additional botnets and repeat such large-scale events on a global scale.
The Camera Landscape
A year ago, the Imperva Incapsula research team had an encounter with a botnet which was highlighted in a blog post, CCTV DDoS Botnet in Our Own Backyard.
We first warned about [CCTV botnets] in March 2014, when we became aware of a steep 240 percent increase in [such] activity on our network, much of it traced back to compromised CCTV cameras.
…Reports show that in 2014 there were 245 million [CCTV] surveillance cameras operating around the world. And this only accounts for the professionally-installed ones… millions more [have been] installed by [non-pros] with even fewer security precautions… These numbers, and the lack of cybersecurity awareness on the part of many camera owners are… why CCTV botnets are some of our oldest foes.
Analyst firm Gartner, Inc., forecasted in late 2015 that "6.4 billion connected things will be in use worldwide in 2016, up 30 percent from 2015, and will reach 20.8 billion by 2020. In 2016, 5.5 million new things will get connected every day." How many of these devices will be cameras is an unknown.
Numerous Vulnerabilities
Security cameras represent numerous vulnerabilities. Perhaps the largest is the lack of vendor security awareness as shown when products are shipped with default passwords and management interfaces are public-facing. Since device owners often fail to change factory default user credentials once cameras are deployed, these are exposed to hacks. Mirai managed to gain such widespread access by cycling through default username/password combinations, such as "admin/admin" and "root/xc3511" over telnet.
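An added example (not from the Imperva post) of what the default-credential cycling described above looks like from the defender's side: a small Python detector run over constructed log lines in an assumed syslog-like layout, flagging a source that tries several distinct user/password pairs in quick succession and any successful login with a factory default pair.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The two factory-default pairs named in the text; a real deployment would load
# the full list of defaults for its own device models (assumption).
DEFAULT_CREDS = {("admin", "admin"), ("root", "xc3511")}

# Constructed sample log (not real data) in an assumed layout such as a telnet
# honeypot or NVR audit log might emit; addresses are documentation ranges.
SAMPLE_LOG = """\
2016-10-21T13:00:01 telnetd: login user=admin pass=admin src=203.0.113.7 result=fail
2016-10-21T13:00:02 telnetd: login user=admin pass=example src=203.0.113.7 result=fail
2016-10-21T13:00:03 telnetd: login user=root pass=xc3511 src=203.0.113.7 result=success
2016-10-21T13:04:40 telnetd: login user=operator pass=********* src=192.0.2.44 result=fail
2016-10-21T13:09:00 telnetd: login user=admin pass=admin src=198.51.100.9 result=fail
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) telnetd: login user=(?P<user>\S+) pass=(?P<pw>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>success|fail)$"
)

def parse(log_text):
    """Turn matching log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events

def detect(log_text, window=timedelta(seconds=60), threshold=3):
    """Return {src: [findings]}: 'credential_cycling' when one source tries at
    least `threshold` distinct user/password pairs inside `window`, and
    'default_credential_success' when a login with a factory default succeeds."""
    findings = defaultdict(list)
    by_src = defaultdict(list)
    for ev in parse(log_text):
        by_src[ev["src"]].append(ev)
        if ev["result"] == "success" and (ev["user"], ev["pw"]) in DEFAULT_CREDS:
            findings[ev["src"]].append("default_credential_success")
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):  # sliding window over this source's attempts
            pairs = {(e["user"], e["pw"]) for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(pairs) >= threshold:
                findings[src].append("credential_cycling")
                break
    return dict(findings)
```

Either finding on a camera's own address space is a strong signal that the unit is being recruited, or has already been recruited, into a botnet.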
Beyond the obvious, perhaps the next largest challenge is that many IoT devices, including many security cameras, were not designed with built-in security. Other weaknesses include outdated firmware and known Wi-Fi, Bluetooth, and ZigBee security deficiencies. Any of these might let a hacker install a backdoor.
Samy Kamkar, one of the nation’s leading ethical hackers, reveals through a recently-released IoT Enterprise Risk Report how IP-connected security systems can be hacked in under three minutes. It states that, "Many use [easily detectable] proprietary radio frequency technology that lacks authentication and encryption to communicate. They also have dependencies on some cloud services and are connected to the internet."
The report also reveals how cameras can easily be jammed or spoofed, allowing perpetrators to "…turn off motion sensors, remotely open locks, or redirect/switch off surveillance equipment… Weak credentials can be used as 'bouncing off' points to attack other systems…" Add potential break-ins, data theft, espionage, and physical damage to this list. Such IoT threats can penetrate entire networks and possibly spread to another that is within wireless range.
An Imperva Incapsula client was hit by repeated HTTP flood attacks, peaking at 20,000 requests per second. To everyone’s surprise, one of the offending botnet devices was a CCTV camera located in a mall a short distance away, literally in Imperva’s backyard. Reinforcing the trend, it was easily accessible by way of default login credentials.
The team was able to quickly deal with that infected unit and provided a quick education to the store owners, but hundreds of unprotected botnet cameras remained scattered across the globe. The investigation revealed that it was likely the remaining cameras were hacked by several different individuals, once again showing how easy it is to locate and exploit such unsecured devices.
What You Can Do
The best first step if you have a security camera is to change default factory credentials when you first install your unit, just like you would with any Internet-connected device. For example, you would change your phone password when you buy a new unit.
It can be deduced from cybersecurity expert Bruce Schneier’s public comments that it may even be necessary to replace older CCTV units where possible. "A lot of our systems, like phones, are patched all the time, but a lot of the security comes from the fact we get a new one every 18 months… That allows us to get better," he says.
However, sometimes a device may be too expensive to replace or the physical act of replacing the device may present accessibility issues. In the case of CCTV systems, physical accessibility becomes a factor.
On top of that, many IoT hardware suppliers are not focusing on integrating security. As a first step, it’s been recommended that device manufacturers force users to change credentials upon initial installation, but this solution has yet to be adopted by many.
Meanwhile, the U.S. Federal Trade Commission offers some good advice online, starting with only purchasing a camera that, "... encrypts your information, including your username, your password, and the live feeds. Check the label on the box or read online, or contact the manufacturer directly to see if the camera uses SSL/TLS, or some other industry standard, to protect your information in transit." It further reminds us that, "... if your camera uses SSL/TLS to protect your login credentials, the URL for the camera's login page should begin with HTTPS."
Other protective measures from the FTC:
- Keep your firmware and software up-to-date.
- Check your camera’s password settings (a password should be required for access).
- Use a strong password.
- Enable your camera’s security features.
Additional security steps include:
- Avoid public-facing management interfaces. Your device admin page should not be accessible from outside your network. Even if you have a good password and updated firmware, new vulnerabilities are often discovered and can leave you open for an attack.
- Whenever possible, choose a vendor that has a mature security patch management process. Look for research detailing how they responded to previous disclosures.
- Separate your networks! Your CCTV should not be in the same network as your sensitive file server.
- Take proactive measures: Periodically log in to your device and look for suspicious programs that are running and new executable files created on its drive.
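As an added example, not from the original post, the checklist above turned into a small inventory audit in Python. It assumes a constructed device-inventory schema and that the owner knows their internal address ranges and the file server's subnet, and it reports which recommendations (HTTPS login page, no public management address, separation from the file server network, current firmware, non-default credentials) each camera fails.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumptions for this example: the owner's internal ranges and the file
# server's subnet are known; inventory records are constructed, not real devices.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
FILE_SERVER_NET = ipaddress.ip_network("10.0.5.0/24")

INVENTORY = [
    {"name": "lobby-cam", "login_url": "https://10.20.0.11/login",
     "mgmt_addr": "10.20.0.11", "subnet": "10.20.0.0/24",
     "firmware": "2.1.4", "latest_firmware": "2.1.4", "default_creds": False},
    {"name": "dock-cam", "login_url": "http://203.0.113.20/login",
     "mgmt_addr": "203.0.113.20", "subnet": "10.0.5.0/24",
     "firmware": "1.0.0", "latest_firmware": "1.3.2", "default_creds": True},
]

def version_tuple(v):
    """Compare dotted versions numerically, so 1.10.0 sorts after 1.9.0."""
    return tuple(int(part) for part in v.split("."))

def audit(device, internal_nets=INTERNAL_NETS, file_server_net=FILE_SERVER_NET):
    """Return the checklist items the device fails; an empty list means it passes."""
    issues = []
    if urlsplit(device["login_url"]).scheme != "https":
        issues.append("login page is not served over HTTPS")
    addr = ipaddress.ip_address(device["mgmt_addr"])
    if not any(addr in net for net in internal_nets):
        issues.append("management interface reachable on a public address")
    if ipaddress.ip_network(device["subnet"]).overlaps(file_server_net):
        issues.append("camera shares a network with the file server")
    if version_tuple(device["firmware"]) < version_tuple(device["latest_firmware"]):
        issues.append("firmware is behind the vendor's latest release")
    if device["default_creds"]:
        issues.append("factory default credentials still in use")
    return issues

def audit_all(inventory=INVENTORY):
    return {d["name"]: audit(d) for d in inventory}
```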