CCTV camera botnets on the rise

It is slowly becoming common knowledge that connected devicesthat are under-protected, just waiting to be compromised by any half-competent hacker. The most common reason is that typically products are rushed to market so they can be first on the scene, and not much consideration is invested in giving the device security by design.

As a result IoT botnets are now gaining popularity with hackers, with CCTV botnets reported to be among the most common. Security experts at Incapsula, the cloud-based application delivery platform, first warned about them in March 2014, when they became aware of a steep 240 percent increase in botnet activity on their network, much of it traced back to compromised CCTV cameras.

As well as increasing the volume of attacks, criminals are now using multi-vector attacks. Incapsula's figures show that 81 percent of all network attacks employed at least two different attack methods, with almost 39 percent using three or more different attack methods simultaneously.

Not surprising, given that CCTV cameras are among the most common IoT devices. Reports show that in 2014, there were 245 million surveillance cameras operating around the world. These numbers, and the lack of cyber-security awareness on the part of many camera owners, are the reasons why CCTV botnets are some of our oldest enemies in the fight against botnets.

Attack details

The most common assault consists of HTTP GET request floods commonly peaking at around 20,000 RPS, with traffic originating from roughly 900 CCTV cameras spread around the globe. Top countries for CCTV botnets include India, China, Iran, Indonesia, US and Thailand.

Researchers also discovered they could carry out man-in-the-middle attacks on the cameras which means attackers could insert their own video feed. This is particularly dangerous when considering the purpose for which CCTV cameras are installed; one unnamed security expert told SC that our city centres are under a serious security risk because of this problem.

All compromised devices were running embedded Linux with BusyBox - a package of striped-down common Unix utilities bundled into a small executable, designed for systems with limited resources. The malware inside them was an ELF binary for ARM named .btce, a variant of the ELF_BASHLITE (a.k.a. Lightaidra and GayFgt) malware that scans for network devices running on BusyBox, looking for open Telnet/SSH services that are susceptible to brute force dictionary attacks.

Notably, compromised cameras monitored were logged from multiple locations in almost every case—a sign that they were likely hacked by several different individuals. This goes to show just how easy it is to locate and exploit such unsecured CCTV cameras.

Closing the loop

The security experts at Imperva said that even as they were doing this research, their team was mitigating another IoT DDoS attack, this time from an NAS-based botnet. And much like the last one it was also compromised by brute-force dictionary attacks.

Whether it is a router, a Wi-Fi access point or a CCTV camera, the team said default factory credentials must be changed upon installation. The attacks described above are only possible because of the weak passwords commonly set on these kinds of devices, as people assume they can only be manipulated if they have physical access to them.