Select Page

Remember last week when we looked at the large number of unsecured cameras running wild on the Internet, like Mustangs on the open, Western plain?  Well, this week, someone found a way to harness all of that unsecured horse power to cause mischief and woe.  It’s enough to make a cowboy cry.


Bad actors, created and used a large botnet of CCTV devices to knock a jewelry website offline during a Distributed Denial of Service (DDoS) attack.  Researchers at Sucuri, providers of website security, determined that there were 25,513 unique IP addresses being used to generate the DDoS attack, which Sucuri was able to thwart.  Usually this type of attack is performed using infected workstations or servers, but this time Digital Video Recorders (DVRs), the devices to which video cameras send their data, were compromised and infected with malware and used to perform repeated web requests against a single website.  The attack, delivered by devices from 105 countries and all running the BusyBox operating system, generated almost 35,000 HTTP requests each second against the affected website, making it impossible for legitimate users to reach the site.  The attack was later increased to 50,000 HTTP requests each second after Sucuri neutralized the initial attack.


While it is not known how all these DVRs were compromised, it is suspected that a Remote Code Execution (RCE) flaw affecting DVR devices sold by more than 70 vendors may the cause.  The fault was discovered and reported back in March by security researcher Rotem Kerner.


So, not only were each of these 25,000 devices compromised, but the herd was turned into a network that was used to trample websites.  The moral of the story is, don’t trust wild horses.  No, not really, but don’t trust that devices in the Internet of Things (IoT) will come with security in mind.  Depending on IoT manufacturers to build adequate security into their devices can be dangerous to you and others.  All networked devices should be secured behind a firewall that allows only the minimum of traffic required to and from them, and access from the outside world should be severely limited.


For more information, and some nice detailed write-ups on this event, please see Ars Technica here and Ms Smith here.