by Constantine von Hoffman

Hackers Hijacking Security Cameras for Malware and Spying

Jan 30, 20133 mins
CybercrimeData and Information SecurityData Breach

Tens of millions of devices -- including printers, routers and smart TVs -- are also at risk. Vulnerability of the devices' unprotected Linux servers compounds the problem with the Universal Plug and Play networking standard.

Hackers are taking over an increasing number of security cameras to spread malware, break in to networks and to see what governments and businesses are keeping an eye on.

Tommy Stiansen, CTO of NorseCorp, an IT security company that delivers real-time cyber risk intelligence, says, “We are seeing a lot of unexplained devices communicating to our honeypots, for example CCTV cameras. We’re seeing a lot of CCTV cameras attacking our honeypots.”

Stiansen says that the codes in the CCTV cameras he’s examined have software developed in Asia and still has traces of the development code in them. In addition to that, the DVR boxes running the feeds use a traditional Linux pack that admins haven’t done anything to secure.

“Administrators buy these cameras and install them straight on their network without realizing they are running a full Linux server,” he says. “They’re running a web system that has jQuery, cross-site scripting and all the vulnerabilities in the book in them.”

This news comes just a day after another Rapid7 reported a different exploit which can also be used to take advantage of CCTVs, printers and Cisco and Netgear networking equipment. In a study released yesterday, researchers said they had found 80 million public IP addresses responded to Universal Plug and Play. Putting at risk untold millions of Internet-connected devices, including printers, CCTV cameras and Cisco and Netgear networking equipment.

NorseCorp’s findings show that hackers are already taking advantage of security flaw first reported last week.

As Forbes’ Andy Greenberg reported:

“Eighteen brands of security camera digital video recorders (DVRs) are vulnerable to an attack that would allow a hacker to remotely gain control of the devices to watch, copy, delete or alter video streams at will, as well as to use the machines as jumping-off points to access other computers behind a company’s firewall, according to tests by two security researchers. And one of the researchers, security firm Rapid7′s chief security officer H.D. Moore, has discovered that 58,000 of the hackable video boxes, all of which use firmware provided by the Guangdong, China-based firm Ray Sharp, are accessible via the Internet.”

As with every other type of cyber-attack these are overwhelmingly aimed at financial institutions. So far the hackers are more interested in using the unprotected processors in the cameras for theft than observation.

“It appears that they are using the processor to do financial fraud,” says Stiansen. “It also appears they are using them to infect other networks, so it’s more of a launch point for malware.”

It’s not as easy to tell if the criminals are taking advantage of all the free visual data as well, but it would be odd if they were not.

“When you go to the IP address you get free access to the cameras,” he says. “The cameras can be scary. They could be satellite downlinks from the government with 26 cameras linked to it. We have actual bank monitoring systems you can pull up in your browsers.”

In addition to security cameras, modems, printers and routers, Stiansen says the company’s honeypots are also picking up increased traffic from smart TVs. Securing most of these devices can be done by users, although if you lease your router or modem you may want to check with your ISP before taking any action.

As for the UPnP problem, Rapid7 has released a scanning tool which consumers and administrators can use to find problem devices. In addition to that, CERT has put out a warning and a patch for it.