Shopping mall CCTV gear commandeered to blast websites offline

Crooks are hijacking CCTV cameras in shopping malls to launch denial-of-service attacks, datacenter security firm Imperva warns. The abuse is possible because camera operators are taking a lax approach to security and failing to change default passwords on the devices. CCTV equipment are common Internet-of-Things (IoT) device …

  1. Steve Aubrey

    CCTV, really? I see what you did . . .

  2. Anonymous Coward

    Many CCTV systems are.....

    directly connected to the Internet by trunkslammers that couldn't give a damn about network security, don't change default passwords/usernames etc. Cheap IP video recorders are (poorly) designed to allow remote connections of multiple kinds and as long as the owner or manager can see the cameras on their iPhone, no one cares if the network is secure. Typically, there are no VPNs being used on these "appliances" and these guys don't know what a firewall is (other than something you automatically disable if you run into one).

    However, when we include the labor required to do all the things that responsible IT professionals are supposed to do for security, we become laughably uncompetitive.

  3. MyffyW Silver badge

    A few years ago an airfield near me had a CCTV in the control tower that seemed somewhat unrestricted. A healthy respect for the Computer Misuse Act prevented my less benevolent side from probing quite how far you could go.

    1. John Tserkezis

      "A healthy respect for the Computer Misuse Act prevented my less benevolent side from probing quite how far you could go."

      Probably just as well you didn't tell them either. That class of idiot is so misguided, they'll likely throw the book at anyone who even appears to know what's going on.

      1. TRT Silver badge

        Air traffic control hacking? That would land you a fine.

  4. allthecoolshortnamesweretaken

    Proliferation

    This sort of thing will increase as the Internet of Unsecure Things™ grows. Fridges and toasters ganging up to take websites down. Frankly, after Talkie the Toaster this doesn't surprise me very much, but it does annoy me.

    1. Sgt_Oddball

      Re: Proliferation

      Now if only we could jam the hackers into the waste recycling like the aforementioned toaster was?

    2. Mark 85

      Re: Proliferation

      And when the IoUT acquires AI, we're doomed. I wish I knew if I was joking on this .....

    3. Anonymous Coward

      Re: Proliferation

      Clever use of a non-existent word to make your phrase trademarkable!

      </pedant>

      1. TheTor

        Re: Proliferation

        http://www.oxforddictionaries.com/definition/english/unsecure

    4. phuzz Silver badge

      Re: Proliferation

      At one of our clients they have hosts called Fridge, Kettle, Toaster, and (for slightly different reasons) Stockpot.

      Ok, I admit I named fridge by looking round the office and naming it after the first kitchen appliance I saw, but in my defence, it's a good name for a server, easy to spell, relatively distinct, what's not to like?

  5. Doctor Syntax Silver badge

    ISTM that the only way round this is to add a requirement for type approval that a device have its default creds only effective for an initial login and at initial login the user must enter new values before it will become operational. A factory reset will restore the defaults and the user must then enter new values again. In order for this to become effective there must be no means of carrying out a remote factory reset.
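
The scheme proposed in the comment above, sketched as a small state machine. This is an added example, not part of the original thread or any vendor's firmware; the `Camera` class, its method names and the `admin`/`admin` defaults are hypothetical, and the rule that the new password must differ from the default is an added assumption.

```python
import hashlib, hmac, os
from enum import Enum

# Constructed factory defaults for illustration; not any real vendor's values.
DEFAULT_USER, DEFAULT_PASSWORD = "admin", "admin"

class State(Enum):
    FACTORY = "factory"          # only default creds exist; device not operational
    OPERATIONAL = "operational"  # owner-chosen creds set; services enabled

class Camera:
    """Hypothetical device model: defaults work once, only to set new credentials."""

    def __init__(self):
        self.factory_reset(local=True)

    def _hash(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def factory_reset(self, local):
        # Honoured only from the physical button, never over the network,
        # otherwise a remote party could bring the defaults back.
        if not local:
            return False
        self.state, self.user, self.salt, self.pw_hash = State.FACTORY, None, None, None
        return True

    def provision(self, default_user, default_password, new_user, new_password):
        # Default credentials are accepted only in FACTORY state, and only
        # as authorisation to replace them.
        if self.state is not State.FACTORY:
            return False
        if (default_user, default_password) != (DEFAULT_USER, DEFAULT_PASSWORD):
            return False
        if new_password == DEFAULT_PASSWORD:  # assumption: defaults may not be reused
            return False
        self.user, self.salt = new_user, os.urandom(16)
        self.pw_hash = self._hash(new_password, self.salt)
        self.state = State.OPERATIONAL
        return True

    def login(self, user, password):
        # No login of any kind until the owner has set credentials.
        if self.state is not State.OPERATIONAL or user != self.user:
            return False
        return hmac.compare_digest(self._hash(password, self.salt), self.pw_hash)

    def video_stream(self, user, password):
        # Stand-in for any operational service: gated on owner credentials.
        return "stream" if self.login(user, password) else None
```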

  6. Anonymous Coward

    Bring it after me.

    I will not be afraid of death and bane,

    Till Russel Hobbs Toasters come to Dunsinane.

  7. Anonymous Coward

    Nothing new.....

    ...unfortunately you've been able to connect and control IP cameras for donkey's years.

    Here is the first one I ever used.

    http://www.coresecurity.com/content/axis-network-camera-http-authentication-bypass

    Later on, a simple search on Hotbot, AltaVista or WebCrawler would conveniently return the results of every open camera out there, oh the joys of pointing cameras at walls, ceilings and random objects in the shop.

    They never learn, connect first, worry about security later.

  8. Medical Cynic

    "The otherwise run-of-the-mill assault consisted of"

    Shouldn't that be "The otherwise run-of-the-mAll assault consisted of"?

  9. Cuddles

    I can't help feeling the term "closed circuit" may not have quite the same meaning it used to. Perhaps if we started using the rather more accurate name "webcam" people might get a better idea of how secure they are.

    1. Brewster's Angle Grinder Silver badge

      Does the entire internet not meet your definition of a "closed circuit"?

  10. Anonymous Coward

    We are watching...always watching.

    I remember an anonymous posting a few years back on a notorious website I need not name, whereby a page was linked that had a whole heap of those cheap IP cams listed. They were mainly inside people's homes (including bedrooms). These cams were not 'hacked' per se because they were just hooked up to the net with their default passwords and were most likely very easily harvested by anyone interested in doing so.

    If you put technology of this kind into the hands of idiots expect certain consequences to unfold.

    Of course in the 'look at me' generation we now have some sites where people willingly allow cams to 'spy' on them 24/7.
