back to article 25,000 malware-riddled CCTV cameras form network-crashing botnet

A massive network of hacked CCTV cameras is being used to bring down computers around the world, we're told. The unusual 25,000-strong botnet was apparently spotted by US security outfit Sucuri when it investigated an online assault against an ordinary jewelry store. The shop's website was flooded offline after drowning in 35 …

  1. Peter Prof Fox

    Our Linux IP CCTV

    Is installed to watch over Mum's front door.

    (Quite clever actually with lots of features and connectivity.)

    How would I ever know the camera had been hijacked?

    Is there code I could run?

    Would BT (sigh) be able to spot 'a signature' of naughtiness?

    1. Anonymous Coward
      Anonymous Coward

      Re: Our Linux IP CCTV

      If you don't know how to tell whether you have been hijacked, you have no business putting any form of server on the internet. Please stop. It is that sort of behaviour that is at the root of this problem.

      And once you've become educated enough to not be part of the problem, change your ISP - there are much better ones than BT around!

      1. Anonymous Coward

        Re: Our Linux IP CCTV

        Nice one AC, now piss off to your basement and masturbate over pictures of routers:

        "If you don't know how to tell whether you have been hijacked, you have no business putting any form of server on the internet"

        I'm sorry I missed the word "server" in their post. Can you point it out?

        "And once you've become educated enough to not be part of the problem, change your ISP - there are much better ones than BT around!"

        I've been with BT fibre for a few years now. Never dropped a connection, is the only one available to offer fibre and is a decent price. So should I go to someone else more expensive, slower and potentially less reliable?

        Maybe you should get out more, mingle with human beings and stop being such a condescending dick.

        1. Dan Paul

          Re: Our Linux IP CCTV

          Trouble is that many of todays IP cameras already have their own limited webserver built in to the equipment chipset and that the previous poster was completely correct.

          Maybe, just maybe the prick you mentioned is in the mirror you are looking at.

    2. phuzz Silver badge

      Re: Our Linux IP CCTV

      "How would I ever know the camera had been hijacked?"

      This could be tricky. Packet sniffing (ie looking at the network traffic to/from it) might help, especially if your camera seems to be trying to access a jewellery website.

      Without a fair bit of expertise though your best bet is to make sure that the firmware is as up to date as possible. Check online to see if there's any vulnerability reported for that particular camera (or whatever it's software is based on). Finally, limit the internet access of the camera to the absolute bare minimum necessary through your modem/router. If you don't need to access it over the internet, then remove all it's access.

      "Is there code I could run?"

      Not really, sorry.

      "Would BT (sigh) be able to spot 'a signature' of naughtiness?"

      They could, but they almost certainly wouldn't.

      What's the make and model of the camera? People might be able to advise you if it's got know problems or not.

    3. Mahhn

      Re: Our Linux IP CCTV

      Put up a Firewall (free like Sophos) that lets you have VPN access and restrict access there. Best to allow no outside access to/from the camera. You can (over vpn or in person) access a PC in the house to view/control the camera.

      1. swschrad

        locate the port. block it for outside your network.

        even the simplest DSL router/modem allows you to see what devices are on the net. many can show the ports in use. more sophisticated commercial equipment has more sophisticated tracking.

        if the security system/fridge/DongleFromHell is always using port 666, don't let that go outside.

        if you always want to check remotely from your smartphone what is going on, that doesn't work. if the device you are thinking about does not have good user-managed security, don't buy it.

        if the vendors don't make that information availiable, don't buy it.

        if there are hardcoded factory access items you can't disable, don't buy it.

        (short version) don't buy iotThingies. they are wide freaking open.

    4. Lotaresco

      Re: Our Linux IP CCTV

      Hey, you're a professor Prof Fox, you should have the smarts to work this out, I mean you wouldn't be telling a fib about your academic achievements, would you?

      You could run to an online supplier and buy a small, relatively cheap, mini PC with multiple NICs. Something like the Hystou/Eggsnow/Generic Chinese vendor systems available on Aliexpress (or Amazon). A Celeron or Atom powered box is probably all you need. Then install an open source firewall package such as pfSense, ipfire or smoothwall. Make sure that the only way that your IoT devices can communicate with the world is via the firewall/router.

      Block SMTP traffic. Monitor your logs to see if the camera is generating any.

  2. redpawn

    Almost as good as an IOT government.

    1. gollux

      Definitely one we'd want to BrExit...

    2. Oengus

      You missed the "ID"... at the start of IOT

      1. Bob Dole (tm)

        >>You missed the "ID"... at the start of IOT

        we already have that, in spades

  3. Mark 85

    IoT and it will get worse?

    I note the article mentions that this type of IoT isn't high on the sysadmin's list. I wonder how many of these aren't supported by anyone? Maybe home/small business that don't have a "sysadmin". Long term, IoT is going to end up as a very bad thing unless the companies building this stuff take some responsibility for security. Let's face it, how many Joe Average User types know to change the login name and password to their home router much less how to block their thermostat or lightbulb at their router firewall?

    1. Paul Crawford Silver badge

      Re: IoT and it will get worse?

      Have an up-vote!

      "I wonder how many of these aren't supported by anyone including the manufacturers of them?"

      Fixed it for you...

      1. Lotaresco

        Re: IoT and it will get worse?

        I'm having a look at some commercial IoT stuff at the moment, a combination of sensors, actuators and controllers. The manufacturer is completely unconcerned that their software only runs on Windows CE 5. They repeat to me that "it's not software, it's code". <sigh>

  4. Alan Brown Silver badge

    the moment a company is told their equipment is participating in a DoS attack, their liabilities for not disconnecting it or mitigating the attack start stacking up - and the moment they're told, their liability insurers will be saying "anything from this point onwards is NOT convered"

    Ditto on ISPs.

    The cure for botnets is simple and brutal - make the hacking victims pay through the nose. Hitting them in the wallet is the fastest way of making any organisation pay attention to network security.

    1. Anonymous Coward

      " make the hacking victims pay through the nose."

      Why not fine victims of muggings or rape while we're at it for not bothering to learn self defense?

      The issue is not the victims fault IoT security is so bad, it's the suppliers fault. End of.

      As for punishing ISP's. We'll lets do that and come back in a years time to see people bitching on here about how their 10gb business connection was taken offline for a week because a pc was detected having malware and until they could get signed proof it was no longer an issue, the link was shut down.

      1. Dadmin

        "The issue is not the victims fault IoT security is so bad, it's the suppliers fault. End of."

        "End of" what? You couldn't be more wrong! Plus my phrase uses incorrect English, thanks to the bree-exit of your lesser educated Britonions. The problem is your mum, or you, thinking that you need an Internet connected security device, or any IoT device. What the fuck did you do BEFORE IoT? These are extra conveniences that are OPTIONAL. You don't need the camera on the open Internet 24/7. NO ONE DOES! Putting a shitty little device out there, and one you have no clue to its' operation, is not a thing. Period.

        The other problem is that you, or some other, knowledgable person should setup the camera so it is not on the open Internet, or for extra credit; use the FUCKING INTERNAL SD SLOT TO RECORD THE FUCKING SECURITY/CAT VIDEOS YOU SO DESPERATELY CRAVE!!1! GOD DAMN! Get a fucking clue for once in your life, or just move out of the city and into a dumpster in the countryside and forego any Internet or other services you don't really need or understand. I have an old mum too, so doesn't setup any fucking cameras or other stupid shit. She bakes some, and does grandma shit. She doesn't setup IoT bullshit devices for no good reason. Take note, idIoTs; all the IoT in the world is not going to make anyone or anything "smarter." The "smarts" come when you setup the device, like most normal people would, in the correct manner; inside a firewalled, personal network.

        I have a stupid security camera too. You know how it's connected? IT'S NOT! You fucking, dolts! It merely gets timeserver updates from behind two firewalled routers and records only to the SD slot, and never to the broken services of the manufacturer. THAT is the "End of." Now go back to downloading Windows 10, dummies. I'll be back to educate any Remainers who would remain.

        1. Down not across


          These are extra conveniences that are OPTIONAL. You don't need the camera on the open Internet 24/7. NO ONE DOES! Putting a shitty little device out there, and one you have no clue to its' operation, is not a thing. Period.

          I hate to break your bubble, but do not know what other people's requirements are. As for clue of its operation, the user may well have a clue of its operation and has installed it in good (if somewhat misplaced) faith that the device is fit for purpose and reasonably well designed.

          It is not the end user's fault that most manufacturers products are like swiss cheese when it comes to security. The responsibility of the robustness of the firmware is with the manufacturer not the end user.

          As for rest of your trolling rant, tempting as it is its not even worth responding to.

        2. A Ghost

          At least have the courage of your convictions @Dadmin

          and tell us how you really feel.

        3. JLV
          Thumb Down


          >"End of" what? You couldn't be more wrong! Plus my phrase uses incorrect English.

          Seems kinda ironic to me that you go ballistic about that bit of English usage. Given your copious use of CAPITAL LETTERS and random cussing which make your rant way more credible. Not.

          Not that I find any great amount of actual useful info in your post either.

          I would argue that you may need (or at least want) to access a security camera remotely in many cases. That's, hum, one of their basic use cases, at least for home gear. How exactly that is to be carried out, how to protect it with your router, what the safety measures are and what is best practice, many would benefit from knowing.

          Maybe it's as simple as picking the right vendor (one that patches their gear) and installing those patches.

          Maybe there is no way to actually do it, but I certainly wouldn't take _your_ word for it. Or the equally douchy's "once you've become educated enough" AC. No wonder our profession is public-perception-challenged.


        4. benderama

          Why is tripe like this allowed to slip through the censor?

  5. Anonymous Coward
    Anonymous Coward

    Just wait until you have

    30 million Hacked Smart Electricity Meters

    30 million Hacked Smart Gas Meters

    30 million Hacked Smart Water Meters

    all busily sending out Denial of Service Attacks.

    1. Richard 12 Silver badge

      Re: Just wait until you have

      And creating penis-shaped dark spots in major cities...

      1. Jim 43

        Re: Just wait until you have

        More likely penis shaped bright spots.

  6. MK_E

    Doesn't strike me as very "closed-circuit" if you ask me.

  7. Anonymous Coward

    insert free advert for Sucuri.

    "Their first meeting with the botnet came when a jewelry shop that was facing a prolonged DDoS attack opted to move their website behind Sucuri's main product, its WAF (Web Application Firewall)." link

  8. Androgynous Cow Herd

    Unrelated but maybe not

    Not long ago I deployed IP cameras around my building - high traffic area with lots of tourists and others. I had the rest of the infrastructure (Cisco VSM) and my platform is ONVIF compatible, so I went to Amazon and bought some fairly generic ONVIF compatible cameras, rather than paying Cisco tax. The cameras work as needed and are actually nice, but the bundled software was amazingly bad from a security standpoint - will only run on windows, must be run from a browser, browser must be Internet Exploiter, turn off ALL security for the session with the camera app, install these plugins, trust the camera app to do lots of things it should not need to do ever....and then you are able to blow a new IP address into the camera. However, the camera was configured out of the box to connect to various "Free" services automagically and had factory settings that would have put the camera right on the internet and likely checking in with some CiC location when first plugged in if the user had used the default settings in their consumer grade router.

    No way to simply log into the camera and set IPs as I would expect, you had to deploy the craplication to configure the camera at all.

    A sandboxed VM was used to re-IP the cameras for the PoE subnet (and subsequently deleted), the camera switches are on a discreet switches with their own dedicated subnet and an invalid gateway, and the firewall supporting the does not show anything unexpected. But the out-of -box experience caused me to realize that this sort of IoT crap can be an entirely new attack vector.

  9. MasterofDisaster

    Physical security got to the party very late....

    Physical security is still analog in many places, and the move to IP is probably the slowest of any major industry. Hackers finding the weak point and exploiting it - not surprising. What is surprising is the shocking head-in-sand approach by many security integrators who are being paid maintenance contracts to make sure this stuff works (note: IT MSPs don't cover this stuff for the most part, and it's a huge missed opportunity for them because of how behind the times the security integrators are). Apparently working and being secure are two completely different concepts to a security integrator.

    Like IoT in general, in physical security it seems that basic IT needs like "operational intelligence", "service assurance", "monitoring", and "cyber-security" are weirdly lacking. Adding real IT competency would prevent situations like this.

  10. druck Silver badge

    Turn off UPnP

    Most of these IP cameras are just plain nasty, even if you've got a reasonably secured router if UPnP is enabled, they will reconfigure the router to open up numerous ports to dodgy Chinese servers in order to allow equally dodgy smartphone apps to remote monitor the camera feed. Often there is absolutely no security, all that is needed is a simple and easily guessable serial number of the camera.

  11. JeffyPoooh

    "Exactly how the cameras were infected isn't yet known..."

    Bought a Pan and Tilt Internet-enabled 'security' camera off eBay for next to nothing and with free shipping. I couldn't even mail it back for what it cost delivered.

    I just assume it's subsidized by malware embedded at the factory.

  12. fidodogbreath

    The real priority problem

    "sadly, CCTVs aren't high on the patching priority list of most admins"

    And they're even lower on the patching priority list of most CCTV manufacturers. A fix has to exist before an admin can deploy it.

  13. Bob Dole (tm)


    Most phone manufacturers can't be bothered to let their devices be upgraded to the latest OS version, why in the world would anyone think that CCTV camera manufacturers would actually deploy bios updates?

    The problem is that we are dealing with cheap devices that manufacturers have zero interest in supporting beyond throwing them in a box and getting that initial payment. After that they don't really care because in a few months a completely "new" version is going to come out anyway.

    There are 2 potential answers here.

    The first would be to regulate IoT such that manufacturers are forced to respond to security issues and provide bios/firmware updates within 30 days of detection. This should extend to a minimum of 3 years after the last device of that type was sold. Failure would mean buy back of the devices from consumers. In order to protect against companies "going out of business" they'd have to have business insurance to cover it.

    The second possibility would be to establish a core OS for these devices and force the manufacturers to not only use that OS but to have their devices automatically update to the latest version when it's available. The downside here is the potential for those devices to go belly up during an update. however I think I'd rather have a device die during an update than it be a launch pad for hackers.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like