36 comments

[ 3.1 ms ] story [ 102 ms ] thread
I wonder how many of these cheap things are going to get plugged in this holiday season with default login/passwords.
> Better-quality devices will almost certainly be better protected against this kind of thing, and may for example block all incoming traffic until they’re paired with another device and set up manually. Still, this is a good reminder that it really is a jungle out there.

This seems like a bold claim, unless they define "better quality".

How would the malware even know that the camera was connected in? Especially if you're on a home network (which is firewalled / has NAT on).

I suspect that it must be the central server that this camera reports to that is infected, either directly, or indirectly with some program sitting at a nearby router listening for traffic.

Because the camera requests port forwarding from your firewall using UPnP. Now your mobile app connects directly to port 83785 and streams video from the camera without any firewall hassles. The problem now is that hackers can also connect to port 83785 and exploit unpatched security holes.

If a firmware update exists, its probably too technically challenging for Joe User to find and install. For a lot of these devices, there isn't even a published fix. These manufacturers are just rebranding some generic camera from a larger manufacturer or using the same camera and IoT guts and putting them into different cases. These companies probably don't even have a software developer on staff who has access to these firmwares, just perhaps a binary blob, assuming they have any software people on staff at all.

so are you stating the hacker was notified, or was the hacker polling to check the port?
Polling sounds the most likely. Note that previously compromised cameras can be used to perform tasks such as port scanning other IP addresses. They can also be used to compromise other devices in the home network.
(comment deleted)
I don't believe you could download and install a firmware update in those 2 minutes.

If you knew about the risk, you would have secured your router firewall. If you did not know, you wouldn't be rushing to install the firmware.

Once the camera is compromised, it can modify the firmware being transmitted (to compromise it) or prevent its install.

If you knew about the risk, you would have secured your router firewall

I suppose there's a follow-up story to be had on routers that come with UPNP enabled by default, because wherever that's the case, your firewall has a hole poked in it as soon as the device powers up and connects to the LAN.

Assuming the router is somehow allowing NAT punctures or port forwarding, or if there is no router, then any easily compromised device will be compromised within 5 minutes of connecting it to the Internet.

Usually much less than 5 minutes. There's just that much Internet scanning.

If NAT is configured properly, then there is no risk.

News flash: If you expose a device web-accessible port to an internet IP with no firewall and leave the default user name and password intact, it will get hacked.

Put your shit behind firewalls and change the default user name and password to something secure. This is common sense stuff, people. Port scanners have existed for ages.

I was just wondering how 98 seconds compared to any device...
What if the device opens up some random port via UPnP? What then? Do you turn off UPnP? If you did, why did you even buy this camera?
What is a good security camera? Who makes good ones?

I haven't been able to find a company who provides a quality POE device that allows me to control the feed into something like Zoneminder.

Do I have to use something more analog to be "safer" from something like this?

We use Ubiquiti Unifi. We use their software with it, but I'm sure you could feed it into Zoneminder. Very happy with it.
Do they host their software or is it installed on a local device?
It's all self hosted.
It almost looks like the camera producer/someone from an internal team was responsible for either giving out backdoor or actually infecting the camera...
From the tweet pics, it looks like the outside IP was able to connect to the camera via telnet.

Does the camera firmware open a UPNP tunnel in AP to its telnet port?

Does this guy's Wifi router enable anyone one to open tunnels in his AP router?

UPnP is turned on by default on almost all access points.
What is the expected time between port scan for an arbitrary IPv4 address? Is the level of scanning activity so high (or so well-targeted to "promising" address spaces) that one should expect to be scanned in minutes?
I have between 2500 and 40,000 SSH login attempts on a server on my home broadband in Denmark, usually around 30,000. That's one every 90 seconds or so.

Wow.

I don't know about other ports, other than HTTP I don't have any open.

A server on slow home broadband in the UK is only receiving 100-300 attempts per day. It's almost identical to the one in Denmark, except the broadband is terrible.

Several servers in a university's IP space has about 5000-10000 attempts per day.

Are most of these things spread via random IPv4 address probes? Are we going to be a somewhat safer when networks are IPv6-only due to the size of the address space vs the used addresses?
This brings back memories of Windows 95-98 era, where a fresh install would get infected in matter of seconds after connected to the internet.

I expect the IoT to go though a similar phase, but eventually get fixed and be secure enough.

Maybe. Windows had a single company behind it, and as I recall Bill had to issue a company-wide cease and desist order to get people to stop developing and focus on security for a while.

IoT may always be plagued by cheap hardware with buggy software from fly-by-night companies.

Eek, who knew the rise of cheap CMOS-based surveillance cameras would lead to DDOS attacks?
The article missed an important fact:

Question: interesting tweets Rob, is it used Dynamic DNS when it is initially setup? If no , how is it exposed to internet?

Answer: I had to map the external port 23 on the firewall to the device.

Having flashbacks to the 'bad old days' of similar things happening to Windows machines (PCs, ATMs, etc). Microsoft, the gigantic, near-monopoly company in the space with a jillion very smart people working for it, struggled with such issues for many years (though eventually reined it in).

This time, though, I don't see a tenable path to actually fix this. The IoT industry is terribly, terribly fragmented. Few business models incentivize providing ongoing maintenance once they've sold you their gizmo. Few consumers have the ability to detect that this is happening.

I suspect that security and compatibility issues will cripple a large chunk of the IoT industry, with bigger players slowly picking off the profitable/useful chunks with niche products customers will think of as 'safe' (read: Amazon/Google's many IoT products).

In the mean time, I'll continue avoiding smart/IoT devices in my house. The risks seem to far, far, outweigh the rewards.

a tech industry veteran - Internet-scanning(his hobby) - cheap camera - no firewall - wannabe famous -> make your pick. 100% he infected it himself.