A botnet made up of more than 25,000 hacked security cameras spread around the world is being used to launch DDoS attacks, researchers say.
Researchers have uncovered an unusual botnet made up entirely of Internet-connected CCTV cameras, in the latest sign of the security risks posed by the “Internet of Things” (IoT).
The incident recalls a similar case last autumn in which a computer security firm found that a botnet made up of 900 CCTV cameras was launching an attack on an unnamed cloud services provider.
But in this case the attack network was much larger, launching malicious data from more than 25,000 unique Internet addresses, according to computer security firm Sucuri.
The attack came to light when Sucuri was contracted to protect the website of a bricks-and-mortar jewellery shop that had been knocked offline by a denial-of-service attack, according to Daniel Cid, founder and chief technology officer of the company.
After Sucuri had blocked the attack, they found that instead of giving up, the attackers increased the intensity of the barrage from 35,000 HTTP requests per second to 50,000 requests per second, Cid said in an advisory.
“Since this type of long-duration DDoS is not so common, we decided to dive into what the attackers were doing, and to our surprise, they were leveraging only IoT CCTV devices as the source of their attack botnet,” he wrote.
He said it was the first time the firm had come across an entirely CCTV-based botnet of that scale.
Sucuri found that at least 25,500 devices were being used to launch the attack, with 24 percent located physically in Taiwan, followed by the US with 12 percent, Indonesia with 9 percent, Mexico with 8 percent and Malaysia with 6 percent.
The devices were located across a total of 95 countries, and all were based on BusyBox, a Unix utilities package that often runs on embedded devices, Cid said.
Sucuri said it is contacting the network providers hosting the devices’ Internet addresses to help fix the issue, but botnets are notoriously difficult to dismantle due to their diffuseness.
“If you are an online camera user or vendor, please make sure it is fully patched and isolated from the Internet,” he wrote.
Last autumn computer security firm Incapsula said it had seen a 240 percent increase in malicious traffic on its network in March of 2014, most of it originating from compromised CCTV cameras.
Security camera risk
About 245 million professionally installed surveillance cameras were operating worldwide last year, according to figures from research firm IHS Technology, but Incapsula estimated there are “millions” more that have been set up on an ad-hoc basis.
Research firm IDC anticipates there will be more than 28 billion IoT devices installed by 2020.
Incapsula said last October it had found a CCTV-based botnet made up of about 900 devices that were being used to launch denial-of-service attacks, all of which were, like the network found by Sucuri, running BusyBox.
Incapsula found that the devices had been easy to hack because they had all used the factory default login credentials. The lack of security meant, unsurprisingly, that the devices involved had, in almost every case, been hacked by several different individuals.
The cameras involved were spread around the world, with particularly large numbers from India (169), Latin America and Eastern Europe. By coincidence, one of the infected devices was located at a shop five minutes from Incapsula’s Tel Aviv offices, the company said.
“We were able to meet with the store owners, show them how their CCTV cameras were abused to attack our clients and help them clean the malware from the infected camera’s hard drive,” wrote Incapsula’s researchers at the time. “As we did, we witnessed it coughing out attacking requests up to the very last moment.”
A study released last year found that up to 68 percent of IT professionals believe business efficiency requirements are forcing their organisations to adopt IoT devices in spite of the security risks.