In a recent blog post, Incapsula researchers described analyzing a DDoS attack on one of their clients only to find that several of the attacking IPs belonged to CCTV cameras — all of which were accessible via their default login credentials.
One of the cameras, the researchers found, was located in a mall less than five minutes away from Incapsula’s offices.
“We were able to meet with the store owners, show them how their CCTV cameras were abused to attack our clients and help them clean the malware from the infected camera’s hard drive,” the researchers wrote. “As we did, we witnessed it coughing out attacking requests up to the very last moment.”
The attack, which consisted of HTTP floods peaking at 20,000 requests per second, leveraged approximately 900 CCTV cameras worldwide to attack a large cloud service. All of the compromised devices were running embedded Linux with BusyBox, and were infected with a variant of the ELF-BASHLITE malware.
“Notably, the compromised cameras we monitored were logged from multiple locations in almost every case — a sign that they were likely hacked by several different individuals,” the researchers wrote. “This goes to show just how easy it is to locate and exploit such unsecured devices.”
“Whether it is a router, a Wi-Fi access point or a CCTV camera, default factory credentials are there only to be changed upon installation,” they added.
ForgeRock CTO Lasse Andresen told eSecurity Planet by email that the attack again highlights the importance of securing the Internet of Things (IoT). “As this incident shows, username and password are easily compromised and are no longer a sufficient way to secure systems,” he said.
Instead, Andresen suggested, contextual identity and access management (IAM), using contextual cues like location and time to verify identity, should be leveraged to protect IoT devices. “In this case, the cameras were accessed from multiple new locations,” he said. “With contextual authentication, this would have been flagged as suspicious and required an additional level of verification like a multi-factor authentication token, denying access to the unauthorized user.”
Tripwire director of IT security and risk strategy Tim Erlin said by email that it’s crucial to remember that anything that’s on the Internet and has an operating system can be attacked. “Protecting these devices starts with visibility,” he said. “In many cases, the responsible organizations simply don’t know they’re on the network or accessible.”
“Just because a third party vendor installs devices on your network doesn’t mean you should trust they’ve secured them properly,” Erlin added. “You must require secure configurations and verify them continuously after deployment.”