Privacy News Surveillance camera compromised in 98 seconds

T

tim one

Level 21
Thread author
Verified
Honorary Member
Top Poster
Malware Hunter
Jul 31, 2014
1,086
All your cameras are belong to Mirai

Robert Graham, CEO of Errata Security, on Friday documented his experience setting up a $55 JideTech security camera behind a Raspberry Pi router configured to isolate the camera from his home network.

According to Graham's series of Twitter posts, his camera was taken over by the Mirai botnet in just 98 seconds.

Mirai conducts a brute force password attack via telnet using 61 default credentials to gain access to the DVR software in video cameras and to other devices such as routers and CCTV cameras.

After the first stage of Mirai loads, "it then connects out to download the full virus," Graham said in a Twitter post. "Once it downloads that, it runs it and starts spewing out SYN packets at a high rate of speed, looking for new victims."

Graham said the defense recommended by the Christian Science Monitor – changing the default password of devices before connecting them to the Internet – doesn't help because his Mirai-infected camera has a telnet password that cannot be changed.

"The correct mitigation is 'put these devices behind your firewall'," Graham said. ®
 
  • Like
Reactions: Solarquest, SHvFl, jamescv7 and 10 others
Solarquest

Solarquest

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
tim one said:
All your cameras are belong to Mirai

Robert Graham, CEO of Errata Security, on Friday documented his experience setting up a $55 JideTech security camera behind a Raspberry Pi router configured to isolate the camera from his home network.

According to Graham's series of Twitter posts, his camera was taken over by the Mirai botnet in just 98 seconds.

Mirai conducts a brute force password attack via telnet using 61 default credentials to gain access to the DVR software in video cameras and to other devices such as routers and CCTV cameras.

After the first stage of Mirai loads, "it then connects out to download the full virus," Graham said in a Twitter post. "Once it downloads that, it runs it and starts spewing out SYN packets at a high rate of speed, looking for new victims."

Graham said the defense recommended by the Christian Science Monitor – changing the default password of devices before connecting them to the Internet – doesn't help because his Mirai-infected camera has a telnet password that cannot be changed.

"The correct mitigation is 'put these devices behind your firewall'," Graham said. ®
Click to expand...

What does he mean with"The correct mitigation is 'put these devices behind your firewall'?
Don't you always connect these devices behind your router/firewall?
Or does he mean to configure the firewall?
 
  • Like
Reactions: DardiM, Dirk41 and tim one
T

tim one

Level 21
Thread author
Verified
Honorary Member
Top Poster
Malware Hunter
Jul 31, 2014
1,086
Solarquest said:
What does he mean with"The correct mitigation is 'put these devices behind your firewall'?
Don't you always connect these devices behind your router/firewall?
Or does he mean to configure the firewall?
Click to expand...
Right question :)

The normal condition for working in the Internet, is to put the IP of the cam in DMZ otherwise the router's firewall will not allow the visualization and the remote control.

Otherwise, instead of putting it in the DMZ, it is possible to forwarding, on the router, the ports that are necessary to the functioning of the cam, but it is necessary to understand which ports it uses, then many technicians get the easy way using the DMZ, and this is the problem.

What is DMZ

What is a DMZ and How to Configure a Router to Use it - Networking
 
  • Like
Reactions: DardiM, Dirk41 and Solarquest
Solarquest

Solarquest

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
tim one said:
Right question :)

The normal condition for working in the Internet, is to put the IP of the cam in DMZ otherwise the router's firewall will not allow the visualization and the remote control.

Otherwise, instead of putting it in the DMZ, it is possible to forwarding, on the router, the ports that are necessary to the functioning of the cam, but it is necessary to understand which ports it uses, then many technicians get the easy way using the DMZ, and this is the problem.

What is DMZ

What is a DMZ and How to Configure a Router to Use it - Networking
Click to expand...
With DMZ you "bypass" the router firewall, with port forwarding you "just" open a port (if you know it), right?
Since most users have cheap (and unsafe/not updated ) NAT routers the best solution is a SW firewall on the PC that is used to allow only incoming traffic from specific IPs, or?...again if you know them...

Interesting reading:
-http://www.cctvcameraworld.com/port-forwarding-for-dvr-and-nvr/
-http://www.larrytalkstech.com/port-forwarding-small-network-security/
-http://security.stackexchange.com/questions/84317
 
Last edited:
  • Like
Reactions: DardiM and tim one
T

tim one

Level 21
Thread author
Verified
Honorary Member
Top Poster
Malware Hunter
Jul 31, 2014
1,086
Solarquest said:
With DMZ you "bypass" the router firewall, with port forwarding you "just" open a port (if you know it), right?
Since most users have cheap (and unsafe/not updated ) NAT routers the best solution is a SW firewall on the PC that is used to allow only incoming traffic from specific IPs, or?...again if you know them...

Interesting reading:
-http://www.cctvcameraworld.com/port-forwarding-for-dvr-and-nvr/
-http://www.larrytalkstech.com/port-forwarding-small-network-security/
-http://security.stackexchange.com/questions/84317
Click to expand...
Speaking of Mirai, it doesn't seem completely clear on the concept, but it certainly tries to log in via Telnet.
Therefore, it is likely that this cam had a public IP, otherwise they would be behind a NAT and, without the rule of port forwarding, the Telnet port would have been out of reach.

But the problem is that many of these cheap cam devices do not allow users to change default password and username, but they can still be reached through Telnet and SSH communication services.

Telnet and SSH are command-line interfaces, and the main problem is that because of low quality HW, often the passwords are entered directly within the firmware, and the necessary tools to disable or change them are not present.

I don't know if software firewall could mitigate the problem but an efficient solution would be to act on the Router, and in particular on UPnP protocol, designed to automatically open the firewall ports, allowing an external source to access a server of a local machine behind the firewall.

It would be useful to change all the passwords and usernames of cam devices and ensuring to change (where possible) also SSH and Telnet access and disabling UPnP.
 
  • Like
Reactions: DardiM, Solarquest and Dirk41
You must log in or register to reply here.

Similar threads

Gandalf_The_Grey
    • Like
    • +Reputation
    • Wow
Security News Unpatchable 0-day in surveillance cam is being exploited to install Mirai
Replies
1
Views
1,959
Security News
EASTER
EASTER
upnorth
    • Like
    • Wow
    • +Reputation
Eufy’s “No clouds” Cameras Upload Facial Thumbnails to AWS
Replies
5
Views
1,287
News Archive
HarborFront
H
oldschool
    • +Reputation
    • Like
    • Thanks
Security News Why it’s time to take warnings about using public Wi-Fi, in places like airports, seriously
Replies
3
Views
1,533
Security News
bazang
bazang

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top