Security camera bought off Amazon hacked in 98 Seconds of switching it on. (1 Viewer)

[Gromett]

A security researcher checked to see how fast a cheap security Camera he bought off Amazon would get hacked. Shockingly 98 seconds...

He used a raspberry pi to act as a router and isolate it from his home network. But the speed at which it was hacked was enough to give anyone buying a cctv camera pause for thought.

Update link to first tweet in the story.

 

[pappajohn]

To what end ?
What would be gained hacking a security camera ?

 

[sdc77]

Well they can be used in a network to assist in a denial of service attack against servers ... such as the recent attacks against dns servers.

^{_{Subscribers  do not see these advertisements}}

 

[pappajohn]

Well they can be used in a network to assist in a denial of service attack against servers ... such as the recent attacks against dns servers.

Whoooosh!!!!
Straight over my head.

 

[Beacons]

Mine too.

 

[chaser]

Que!

^{_{Subscribers  do not see these advertisements}}

 

[sdc77]

Whoooosh!!!!
Straight over my head.

Mine too.

Que!

A simple explanation ...
http://www.kalitutorials.net/2014/03/denial-of-service-attacks-explained-for.html?m=1


and an example of what can be done

http://thehackernews.com/2016/10/dyn-dns-ddos.html?m=1

 

[Vanman]

It's not just that ... the camera usually has access to the router and once you have access to the router you can often get anywhere on the network. They are a pretty well known weakness.

 

[Deleted member 29692]

It's not just cameras, IoT devices in general are becoming more and more common. I think a lot of them are equally vulnerable.

^{_{Subscribers  do not see these advertisements}}

 

[Gromett]

To what end ?
What would be gained hacking a security camera ?

Mine too.

Que!

There has been an ongoing story if you follow the security trade. (I need to as part of my job)
There is an investigative journalist who breaks lots of stories in this area, who is really excellent. His name is Brian Krebs and he is pretty central to the whole issue.

For the main part DDOS attacks generally were either kiddies trying to knock game competitors offline or cyber criminals trying to extort money with threats of taking an entire company off line. A DOS attack is where you put so many requests to a server that it becomes unable to respond. Imagine the server is a teacher in a class room. The teach is accustomed to having 20-30 kids and can control the questions and answers. Then imagine the same teacher with 200 kids that are not under his control all asking questions at the same time. The teacher (server) gets over loaded and has a mental breakdown.

A standard DOS attack is usually quite easy to stop as it comes from one IP address (computer). A DDOS attack though is distributed. Where the attack comes from 100's, 1,000's or even more different computers (or internet connected devices).

Oh just realised I used terminology without explaining it. DOS stands for Denial of Service. DDOS stands for Distributed Denial of Service.

Anyway, back to the story. Up until now the DDOS'ers were mainly targetting companies like gambling firms and online shops, with demands for bitcoins. If they don't pay their business gets taken offline by a DDOS attack.

There were actually companies offering what are known as stress testing services. Basically DDOS attacks for hire. They proffessed to only offer this to companies so they could stress test their own servers. But in actual fact it was a thinly veiled criminal enterprise. This is all kept fairly quiet and has been plodding on for a while now.

This is where my favourite journalist comes in. He managed to track down the owners of one of these vDOS companies and outed them. He also collaborated with the authorities and they were arrested. You can read about it here. http://krebsonsecurity.com/2016/09/israeli-online-attack-service-vdos-earned-600000-in-two-years/
and the follow up here. https://krebsonsecurity.com/2016/09/alleged-vdos-proprietors-arrested-in-israel/

This obviously pissed a lot of these idiots off. So they all launched attacks on his service resulting in his service provider kicking him off their network. Krebs suffered the biggest attack seen on the internet at that time. It was MASSIVE!!!

Anyway, Google offered it's services for free to Brian and he was back online.

The people who were responsible for the massive attack got cold feet and gave away the source code for their attack software due to all the attention the Mira botnet software was getting. https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/ This led to lots of wannabes and script kiddies launching their own attacks and things have got worse over the intervening weeks.

He then wrote an article about the companies who are creating this crap hardware that can be hacked in seconds using default passwords that users can't change.
https://krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack/ and here https://krebsonsecurity.com/2016/10/iot-devices-as-proxies-for-cybercrime/
There has since been threat of lawsuits which fortunately have come to nothing.

Shortly after the Mirai botnet which was used in the previous attacks on Krebs and OVH was used on Dyn. Dyn are like a yellow pages that convert the domain name such as motorhomefun.co.uk into the ip address 123.123.123.123
https://krebsonsecurity.com/2016/10/hacked-cameras-dvrs-powered-todays-massive-internet-outage/
Whilst it wasn't believed Dyn was the target it took some major internet companies offline and caused major problems across the internet.
https://krebsonsecurity.com/2016/10/ddos-on-dyn-impacts-twitter-spotify-reddit/

Even the hackers themselves are getting wary. Some hacker forums are now closing down sections of their forums related to booter/disrupter services.
https://krebsonsecurity.com/2016/10/are-the-days-of-booter-services-numbered/

Things are only going to get worse before they get better. However old hands like me are not too concerned as we have seen these issues before, they come and they get fixed eventually. But in the meantime don't buy crappy internet connected hardware from cheap chinese sources.

I highly recommend reading the krebs blog though. He covers everything from credit card skimmers to Russian hackers at great risk to himself and writes a great story that is easy to read with just enough technical detail to keep the likes of me happy. But his writing doesn't really require any technical knowledge.

Crikey that is one wall of text I don't want to retype....

 

[mitzimad]

im just about to install honeywell internet enabled thermostats at home what should i be looking at the reciver part plugs into the router?

 

[Geo]

Me thinks you are about to give the crooks a key
Interweby thermostats come on "You cant be serious"
My timer and manual valve is 101% crack proof as is my 7 camera stand alone CCTV system
Because I can is wearing very thin now days
Got to go and shut down now Hackers you know!!!

^{_{Subscribers  do not see these advertisements}}

 

[The Wino]

im just about to install honeywell internet enabled thermostats at home what should i be looking at the reciver part plugs into the router?

Just thinking about something like that but looking at the cost of the kit not sure how long the payback time will be

 

[Peter & Elaine]

It's ok guys Hilary has it covered

 

[Vanman]

im just about to install honeywell internet enabled thermostats at home what should i be looking at the reciver part plugs into the router?

Chances are a decent brand will have some security ... at the very least make sure your Router has a secure password - not Admin lol.

^{_{Subscribers  do not see these advertisements}}

 

[Gromett]

im just about to install honeywell internet enabled thermostats at home what should i be looking at the reciver part plugs into the router?

If I was not experienced at this type of stuff I would look for 2 things and ask questions before buying.
The first would be, does the device have a means to easily update the firmware. These software updates means that if a security hole is discovered it can be patched by the user.
The second is, I would look to see how many patches had been released for the device already. The problem with the cheap manufacturers who are causing this issue is they spend very little time developing the product, they then manufacture a large batch and dump them on the market and move onto the next product.

However with branded products, they spend time on the development and support it for quite some time after.

If you know a bit about networking though, you can buy these cheap devices. Turn off uPnP on my router. Block all incoming ports for services that I don't want people or systems outside of my network to access such as port 22 (SSH) port 23 (Telnet). For my cameras and thermostats etc I would set up a VPN so I could connect to my home network securely and from there access the devices. This is not always possible as some devices communicate with a central server where you are supposed to login. I would avoid these devices. I would also log network traffic from those devices and look at it closely for the first few months of operation to ensure it isn't phoning home or doing anything else it shouldn't.

These latter things are not practical for joe public so the first 2 tips should be the prime concern. Can the software be updated, and does the company have a history of providing these updates.