Surveillance camera compromised in 98 seconds

tim one

Level 21
Thread author
Verified
Honorary Member
Top Poster
Malware Hunter
Jul 31, 2014
1,086
All your cameras are belong to Mirai

Robert Graham, CEO of Errata Security, on Friday documented his experience setting up a $55 JideTech security camera behind a Raspberry Pi router configured to isolate the camera from his home network.

According to Graham's series of Twitter posts, his camera was taken over by the Mirai botnet in just 98 seconds.

Mirai conducts a brute force password attack via telnet using 61 default credentials to gain access to the DVR software in video cameras and to other devices such as routers and CCTV cameras.

After the first stage of Mirai loads, "it then connects out to download the full virus," Graham said in a Twitter post. "Once it downloads that, it runs it and starts spewing out SYN packets at a high rate of speed, looking for new victims."

Graham said the defense recommended by the Christian Science Monitor – changing the default password of devices before connecting them to the Internet – doesn't help because his Mirai-infected camera has a telnet password that cannot be changed.

"The correct mitigation is 'put these devices behind your firewall'," Graham said. ®
 

Solarquest

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
What does he mean by "The correct mitigation is 'put these devices behind your firewall'"?
Don't you always connect these devices behind your router/firewall?
Or does he mean to configure the firewall?
 

tim one

Right question :)

The normal setup for working over the Internet is to put the IP of the cam in the DMZ; otherwise the router's firewall will not allow the visualization and the remote control.

Alternatively, instead of putting it in the DMZ, it is possible to forward, on the router, the ports that are necessary for the functioning of the cam, but it is necessary to understand which ports it uses, so many technicians take the easy way using the DMZ, and this is the problem.

What is DMZ

What is a DMZ and How to Configure a Router to Use it - Networking
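To make the DMZ-versus-port-forwarding difference concrete, here is an added Python example (not from the thread or its linked articles) that models a home router's NAT table and reports which camera services are reachable from the WAN; the camera address, its listening ports and the Router fields are constructed assumptions.

```python
# Added example (not from the thread or The Register article): model a home
# router's NAT configuration and report which camera services are reachable
# from the Internet.  Addresses, ports and the Router fields are assumptions.
from dataclasses import dataclass, field


@dataclass
class Router:
    dmz_host: str = ""                              # DMZ "bypasses" the firewall for one host
    forwards: dict = field(default_factory=dict)    # ext_port -> (lan_host, lan_port)
    upnp: bool = False                              # lets LAN devices add forwards themselves


# Services the camera listens on (constructed; the cheap cam in the thread keeps
# telnet open with a password that cannot be changed).
CAMERA = "192.168.1.50"
CAMERA_SERVICES = {23: "telnet", 22: "ssh", 80: "http", 554: "rtsp"}


def wan_exposure(router, host, services):
    """Return {port: name} of `host`'s services reachable from the Internet."""
    if router.dmz_host == host:
        return dict(services)           # everything listening is exposed
    exposed = {}
    for _ext_port, (lan_host, lan_port) in router.forwards.items():
        if lan_host == host and lan_port in services:
            exposed[lan_port] = services[lan_port]
    return exposed


def audit(router, host, services, mgmt_ports=(22, 23, 2323)):
    """Findings a defender would act on, most severe first."""
    findings = []
    exposed = wan_exposure(router, host, services)
    for port in sorted(exposed):
        if port in mgmt_ports:
            findings.append(f"CRITICAL: {host}:{port} ({exposed[port]}) reachable from WAN")
    if router.dmz_host == host:
        findings.append(f"HIGH: {host} is the DMZ host; use explicit forwards instead")
    if router.upnp:
        findings.append("MEDIUM: UPnP enabled; LAN devices can open ports without review")
    return findings


if __name__ == "__main__":
    lazy = Router(dmz_host=CAMERA, upnp=True)           # the "easy way" from the thread
    careful = Router(forwards={8554: (CAMERA, 554)})    # only the video port, on a non-default external port
    print(audit(lazy, CAMERA, CAMERA_SERVICES))
    print(audit(careful, CAMERA, CAMERA_SERVICES))      # []
```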
 

Solarquest

With DMZ you "bypass" the router firewall, while with port forwarding you "just" open a port (if you know it), right?
Since most users have cheap (and unsafe/not updated) NAT routers, the best solution is a SW firewall on the PC that is used, to allow only incoming traffic from specific IPs, or?... again, if you know them...

Interesting reading:
-http://www.cctvcameraworld.com/port-forwarding-for-dvr-and-nvr/
-http://www.larrytalkstech.com/port-forwarding-small-network-security/
-http://security.stackexchange.com/questions/84317
 

tim one

Speaking of Mirai, it doesn't seem completely clear on the concept, but it certainly tries to log in via Telnet.
Therefore, it is likely that this cam had a public IP; otherwise it would have been behind NAT and, without a port forwarding rule, the Telnet port would have been out of reach.

But the problem is that many of these cheap cam devices do not allow users to change the default password and username, yet they can still be reached through the Telnet and SSH services.

Telnet and SSH are command-line interfaces, and the main problem is that, because of low-quality HW, often the passwords are entered directly within the firmware, and the tools necessary to disable or change them are not present.

I don't know if a software firewall could mitigate the problem, but an efficient solution would be to act on the router, and in particular on the UPnP protocol, designed to automatically open firewall ports, allowing an external source to access a server on a local machine behind the firewall.

It would be useful to change all the passwords and usernames of cam devices, to make sure to change (where possible) the SSH and Telnet access as well, and to disable UPnP.
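As an added example, not from the thread or The Register article, the following Python flags the behaviour the article describes: an internal host "spewing out SYN packets", here to the Telnet port on many new addresses within a few seconds. The flow-log format, addresses and thresholds are constructed assumptions.

```python
# Added example, not from the thread: detect a LAN host that hits the Telnet
# port on many distinct addresses in a short window, the "looking for new
# victims" behaviour of an infected camera.  Log format, addresses and
# thresholds are constructed assumptions.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE = re.compile(r"^(\S+) SYN (\d+\.\d+\.\d+\.\d+):\d+ -> (\d+\.\d+\.\d+\.\d+):(\d+)$")
TELNET_PORTS = {23, 2323}            # the service Mirai brute-forces


def parse(line):
    """Return (timestamp, src_ip, dst_ip, dst_port), or None for lines that do not match."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port = m.groups()
    return datetime.fromisoformat(ts), src, dst, int(port)


def telnet_scanners(lines, window=timedelta(seconds=10), threshold=5):
    """Map src_ip -> number of distinct Telnet destinations seen when `threshold` was first reached."""
    recent = defaultdict(deque)       # src -> (ts, dst) pairs inside the sliding window
    alerts = {}
    for line in lines:
        rec = parse(line)
        if rec is None or rec[3] not in TELNET_PORTS:
            continue
        ts, src, dst, _ = rec
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:   # drop entries older than the window
            q.popleft()
        distinct = {d for _, d in q}
        if len(distinct) >= threshold and src not in alerts:
            alerts[src] = len(distinct)
    return alerts


# Constructed sample: the camera probes a new address every second, while a
# laptop makes one RTSP connection and one Telnet session (not a scan).
SAMPLE = [f"2016-11-18T10:00:{i:02d} SYN 192.168.1.50:4{i:04d} -> 203.0.113.{i + 1}:23" for i in range(8)]
SAMPLE += ["2016-11-18T10:00:03 SYN 192.168.1.20:50000 -> 198.51.100.9:554",
           "2016-11-18T10:00:04 SYN 192.168.1.20:50001 -> 198.51.100.9:23",
           "garbage line that does not parse"]

if __name__ == "__main__":
    print(telnet_scanners(SAMPLE))    # {'192.168.1.50': 5}
```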