Consumer gadgets may be the favorite easy target for those of us who like to grumble about the sad state of security in the consumer market, but there have been some genuinely egregious examples of poor security in “smart” cameras recently.
We buy security cameras to help keep us and our families safe, but their own lax security may be doing the opposite.
Security researcher Rob Graham decided to see just how much security he could expect from a newly purchased JideTech camera.
He set up the camera to isolate it from the rest of his home network, just in case the worst happened.
It turns out he had good reason to be concerned, though the speed at which this new camera became a problem was shocking even to him.
Less than two minutes – just 98 seconds – after he plugged it in, it was compromised, infected with the Mirai malware that’s been turning IoT devices into botnet zombies to attack internet services.
You can follow the outline of his experience on Twitter, where he posted a play-by-play as he watched his new camera become infected.
The camera is no longer available on Amazon, though that is where he originally bought it for $55.
Admittedly this camera is not one of the more high-end models – but a more expensive camera is no guarantee of better security practices.
What does it all mean?
For one thing, if a security professional takes proper precautions to safeguard his new IoT device and it still gets infected, that surely doesn’t bode well for the rest of us.
But the bigger picture is this: it’s incredibly easy to find internet-connected devices if you’re someone looking to do a little research or wreak a little havoc.
If you can use a search engine, you can find unsecured webcams: services such as Shodan index internet-facing devices along with identifying data such as their open ports, service banners and, often, the make and model.
Combine how easy it is to find IoT devices with the fact that a huge number of IoT users never change the passwords on their devices from the well-known defaults, and it’s easy to see why criminals have a treasure trove of devices they can work with.
This leads to the problem of the Mirai malware: it hijacks IoT devices, typically by logging in over telnet with factory-default credentials, turns them into botnet zombies, and uses them to knock entire internet services offline.
Even if Mirai isn’t out to get you directly, you may still end up knocked offline, as close to a million Deutsche Telekom users in Germany found out last weekend: their routers crashed when exposed to Mirai’s attempts to probe the network for victims to drag into a future attack.
And, with IoT devices being so quickly and easily infected, and so easily discovered, Mirai isn’t likely to go away any time soon.
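The passages above describe the pattern behind an infection like this one: a scanner connects to an exposed telnet service and runs through a list of factory-default username/password pairs until one works. The script below is an added example, not code from this article or from Rob Graham, that looks for exactly that pattern in a device’s or router’s login log. The log line format is an assumption (real devices log differently, if at all), the sample log lines are constructed, and DEFAULT_CREDENTIALS is a short illustrative sample of factory-default pairs, not the malware’s actual list. It goes slightly beyond the article in that it also flags a single successful default login as a compromise even when no brute-force burst is visible.

```python
"""Detect Mirai-style telnet credential guessing in device/router logs.

Added example, not from the original article. Assumptions, labelled here and
in the comments below: the log format is made up, the sample lines are
constructed, and DEFAULT_CREDENTIALS is an illustrative sample of
factory-default pairs, not any real malware's list.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of factory-default username/password pairs (illustrative only).
DEFAULT_CREDENTIALS = {
    ("root", "root"),
    ("root", "12345"),
    ("root", "xc3511"),
    ("admin", "admin"),
    ("admin", "1234"),
    ("support", "support"),
}

# Assumed log format: ISO timestamp, telnetd tag, source IP, credentials tried, outcome.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) telnetd\[\d+\]: login from (?P<src>\d{1,3}(?:\.\d{1,3}){3})"
    r" user=(?P<user>\S*) pass=(?P<pw>\S*) result=(?P<result>ok|fail)$"
)

# Constructed log: a scanner burst from 203.0.113.17 ending in a successful default
# login, one unrelated failed attempt from a LAN host, and one line of noise.
SAMPLE_LOG = """\
2016-11-28T19:02:11Z telnetd[412]: login from 203.0.113.17 user=root pass=vizxv result=fail
2016-11-28T19:02:12Z telnetd[412]: login from 203.0.113.17 user=admin pass=admin result=fail
2016-11-28T19:02:13Z telnetd[412]: login from 203.0.113.17 user=root pass=12345 result=fail
2016-11-28T19:02:14Z telnetd[412]: login from 203.0.113.17 user=support pass=support result=fail
2016-11-28T19:02:15Z telnetd[412]: login from 203.0.113.17 user=root pass=xc3511 result=ok
2016-11-28T19:30:40Z telnetd[415]: login from 192.168.1.20 user=root pass=wrongpw result=fail
not a telnet line at all
"""


def parse_log(text):
    """Yield (timestamp, src, user, pw, result) for matching lines; skip the rest."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["src"], m["user"], m["pw"], m["result"]


def analyse(text, threshold=4, window=timedelta(seconds=60)):
    """Group login attempts by source IP and flag Mirai-style behaviour.

    A source is reported when it makes at least `threshold` attempts inside
    `window` (credential guessing), and marked compromised when a login from
    such a burst succeeds, or when any factory-default pair succeeds at all
    (one such success is already a compromise, no threshold needed).
    """
    by_src = defaultdict(list)
    for rec in parse_log(text):
        by_src[rec[1]].append(rec)

    findings = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r[0])
        # Sliding window: largest number of attempts that fall inside `window`.
        burst, start = 0, 0
        for i, rec in enumerate(recs):
            while rec[0] - recs[start][0] > window:
                start += 1
            burst = max(burst, i - start + 1)
        default_hits = sum(1 for r in recs if (r[2], r[3]) in DEFAULT_CREDENTIALS)
        default_success = any(r[4] == "ok" and (r[2], r[3]) in DEFAULT_CREDENTIALS for r in recs)
        any_success = any(r[4] == "ok" for r in recs)
        if default_success or (burst >= threshold and any_success):
            verdict = "compromised"
        elif burst >= threshold:
            verdict = "credential guessing"
        else:
            continue
        findings[src] = {
            "attempts": len(recs),
            "default_pairs": default_hits,
            "success": any_success,
            "verdict": verdict,
        }
    return findings


if __name__ == "__main__":
    for src, f in analyse(SAMPLE_LOG).items():
        print(f"{src}: {f['verdict']} ({f['attempts']} attempts, "
              f"{f['default_pairs']} factory-default pairs, login succeeded={f['success']})")
```

Run against the constructed log, the scanner at 203.0.113.17 is reported as compromised (five attempts in four seconds, four of them factory-default pairs, the last one accepted), while the single failed LAN attempt is ignored. The threshold and window are deliberately parameters: a real scanner works through its list in seconds, so a low threshold over a short window catches it without flagging someone mistyping a password once.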
13 comments on “IoT camera turned into a zombie in under two minutes”
So I studied Rob Graham’s twitter thread and while I understand the processes that occurred, I don’t understand how the attacker acquired/guessed the password. That doesn’t look like a default password to me. Also, Rob didn’t explain what steps to take to prevent this. Can anyone elaborate on these?
Yeah, don’t ever open telnet ports to the internet. Had he not done this, it would not have been infected.
How was the password guessed or acquired? Was it a default password or not?
I was going to ask if he opened a port that he shouldn’t have. I watched this all play out on the internet and even went to their website where he talks about using a Raspberry Pi for a router. I noticed one step in the tutorial before he “configured” the camera that he mapped his ports to the camera. Again that is assuming that he followed his own page instructions.
Honestly, I think that somebody who is a security researcher should know better. I would have expected Robert Graham’s paranoia level to be extremely high.
I honestly wonder if he did it to show that if the instructions with the camera were out of order, or was not security conscious. Probably somewhere in a dynamic DNS server is his IP address lodged in there forever.
I know it may be a bit naive to say, but can we not enforce standards on the industry as a whole? After all, basic high end encryption of any IoT device is really simple nowadays?!? It should simply be a standard of the device that it is encrypted end-to-end, (even better, make it hardwired chip encrypted – harder to circumvent), it’s not like it will cost that much more to do and that would definitely cut down the problem somewhat – or is it that business has become so capitalistic that profits come even before basic safety standards?
The difficulty in doing that is in (at least)
– Making product makers aware it is needed
– Providing guidelines that can be adapted/followed for a wide range of devices (technically the easy part)
– Policing (when isn’t that an issue)
– Setting & Enforcing minimum hardware requirements
It’s a lovely idea, and I too would like to see something done in that direction. I’m not sure that it’ll happen any time soon though.
You really aren’t doing any favors in making it seem like he did nothing but turn the thing on. In fact he made it accessible intentionally in a way most users wouldn’t if it is on a home network behind a router/fw. He opened up port 23 (TELNET) to the device intentionally and that is as bad of a move as there is. 1, as a home user there would be very few reasons to do this! I’m sure it happens, I’m sure some are behind a firewall, but in your article you could do a service to your readers to point out that it wasn’t just turned on. This puts all devices in a bad light. The real issue is that you should protect your devices behind things and you should NOT open ports to the internet unless absolutely required and even then you should work to minimize that however possible. Good read, somewhat misleading!
Rob intentionally used this device as a honey pot and sat back watching for an infection. It’s no surprise – it was his intent. The summary might as well be: “This one time I connected a device to the internet, disabled my firewall, and someone accessed the device using the administrative interface and default password”.
If this project has any value, it’s in reminding us that networked devices often don’t include their own security and rely on an external firewall for security/policy enforcement as well as configuration by the owner. This should not be surprising to anyone in the IT field.
Exactly, terribly misleading article…
The whole “this shouldn’t happen if you are smart” argument is a bit like all those Linux and macOS fans who claim that malicious software “doesn’t count as malware if it requires any user intervention such as opening a document”.
Let’s be serious here: webcams that listen by default via telnet can’t ever be considered to be secure, and that issue alone should be considered a serious problem worth demonstrating with a real-life example.
Simply put, the point of the article and the research is not that “it’s your own fault if you get pwned by plugging a badly-programmed device onto the internet and you don’t have a firewall”, so no one is being misled.
The point is to remind everyone that if you *do* make a slip-up such as opening the wrong port in your router, you will be made to pay for it sooner rather than later. There are still a lot of people who assume that they are not important enough to be on what you might call the cybercrime radar.
If it is so jolly vital not to allow port 23 connections through your home router, surely it’s equally jolly vital to put device vendors on notice not to accept port 23 connections by default, either?
And if you shouldn’t have telnet listening on the internet, why have it listening on your LAN either, considering telnet is unnecessary and considered unacceptable these days?
Don’t think with an IT professional’s mind; always take scenarios as realistic as possible. So, a “consumer” will have a router (ISP-provided modem/router/WiFi) for his/her own network. The default (firewall) setting of this router should be protecting the internal network, BUT quite a few have “UPnP” enabled (which is a huge security risk).
Then the consumer plugs in the IoT device (not necessarily a camera) and follows the instructions from the manufacturer. At this point, I’m sure the IoT device will ask or assume that the router has UPnP enabled. We can’t ask a consumer to understand and configure (static) IP addresses and NAT, can we?
Hence, it all depends on how the manufacturers handle their own software/firmware and configuration, i.e. the industry should think of risk management like this. Moreover, if over the course of time the software/firmware has bugs/vulnerabilities, how are these IoT devices going to be “patched”?
The whole IoT wave needs a proper review and future projection by the industry. The consumer just needs to know how to “operate” (some people already have difficulties with that); not to “configure” a complex network/system (that’s why UPnP came about in the first place, right?).
I had a bit of trouble reading over this paragraph (paste incoming), and the paragraph two below it has a repeated word.
“Combine how easy it is to find IoT devices are with the fact that a huge number of IoT users never change the passwords on their devices from the well-known defaults.”
Fixing them now, thanks.