How an IT Pro Kicked Hackers Off Surveillance CamerasBusinesses are Reluctant to Replace Devices That Are Insecure But Still Functional
IoT botnets, the term for armies of hacked internet-connected devices, aren't going away. And an anecdote from the field shows the gravity of the problem and why it's unlikely to be resolved any time soon.
See Also: Top 50 Security Threats
Rich Farris, an IT consultant based in Minneapolis, says that earlier this year, Comcast notified one of his clients via email that devices on the company's network were participating in a distributed denial-of-service attack.
DDoS attacks, which involve pummeling a service with a barrage of unwanted data traffic, have come into focus of late because the sizes of some attacks have hit record levels. The most notable one reportedy struck security writer Brian Krebs' website with 620 gigabits per second of traffic, far exceeding the average DDoS attacks that range between 1 Gbps to 15 Gbps (see Hacked IoT Devices Unleash Record DDoS Mayhem).
Although many companies offer DDoS mitigation services, retaining those firms can cost tens of thousands of dollars per month depending on the intensity and duration of the attacks.
Hackers have executed ultra large-scale attacks by compromising internet-connected devices, such as digital video recorders that are widely used for surveillance. Those devices have proved to be particularly vulnerable because they're often shipped with default passwords and software vulnerabilities.
Farris initially was in disbelief when he traced the IP addresses supplied by Comcast that were sending the attack traffic. The addresses pointed to the 40 to 80 surveillance cameras his client, a health and beauty business with more than 300 employees, uses in five locations.
"I thought there's no way that could be right," Farris says.
No Login Credentials Required
Farris, a 20-year IT veteran, began investigating the cameras, high-definition digital video recorders supplied by MCM Electronics with a model number of VC-SYS-HD1600A. An instruction manual indicates the system was made in South Korea but does not list a manufacturer.
"I was really lost at where to even begin," he says.
Farris set up the cameras five or six years ago. He remembers changing the default passwords as a security precaution and insisting that the cameras be set up on an external network isolated from the main corporate one. In retrospect, that move may have saved his client further grief, as hackers often use compromised devices to move laterally through networks.
Farris spoke with Leadertech, a Chicago-based systems integrator that sold the cameras to his client. Leadertech was friendly yet dubious of Comcast's claim, but reached out to the cameras' manufacturer.
Eventually, it became clear that the cameras had a security vulnerability that had likely allowed attackers to gain access without needing login credentials. Even though Farris says he changed the passwords to strong, 14-character ones, "it didn't matter," he says.
"This device was almost end-of-life the moment it was released because of the way it was not properly secured from the ground up," Farris contends.
Weighing the Options
Farris learned that the firmware for the cameras was never going to be updated, which meant the devices will always have security flaws. Although retiring the cameras would eliminate the problem, that wasn't practical. When businesses invest in equipment, they're unlikely to fork over money to solve what to non-technical people is an abstract problem that doesn't cause them direct harm, he says.
"They're not going to do it," says Farris, who at least successfully argued for his client to move off Windows XP when Microsoft retired the operating system. "That's another expense for them."
In an attempt to secure the cameras, Farris decided to reprovision several retired firewalls that had been sitting on shelves in a warehouse. He blocked access to all ports except for those for audio, video and a web interface. All other outgoing traffic is blocked, he says.
Farris also obtained the original firmware for the cameras, which he used to replace the infected software. Although he believes the cameras are still vulnerable, he hopes his preventive measures will be enough to fend off attacks until the day the cameras just stop functioning and can be replaced.
"The best solution would be to get a whole different system or to have this manufacturer come to the table and say, 'You know what? We realize there's a problem here we're going to release some fixes for this,'" he says.
Many Manufacturers Affected
This particular model of camera is far from the only one that has security issues. Experts have warned of the potential for IoT devices to become the next platform of attacks, but only in recent weeks have details emerged describing exactly what kinds and brands devices are being targeted.
Earlier this month, Krebs published a list of devices that are targeted by Mirai, which is the malware that enables DDoS attacks to be staged from IoT devices running embedded Linux. All told, Mirai was coded with the default login credentials for 68 types of cameras, routers and printers made by manufacturers including Dahua Technology, HiSilicon, Toshiba, Samsung, and Panasonic.
Cameras and video recorders made by Dahua were originally thought to have been a large source of the attack traffic in the September attacks against Krebs and OVH, according to the Wall Street Journal.
But computer security firm Flashpoint said on Oct. 7 that a large proportion of the attack traffic also came from devices made by XiongMai Technologies, which is based in Hangzhou, China. A scan of the internet showed 500,000 devices made by XiongMai that use the default username "root" with the password "xc3511," Flashpoint says.
"The issue with these particular devices is that a user cannot feasibly change this password," Flashpoint writes. "The password is hardcoded into the firmware, and the tools necessary to disable it are not present."
Efforts to reach XiongMai Technologies officials were not successful.