CCTV cameras worldwide used in DDoS attacks

Over 900 CCTV cameras have been enlisted as slaves in a botnet thanks to default credentials.
Written by Charlie Osborne, Contributing Writer

Over 900 CCTV cameras have become slaves in a global botnet used to disrupt online services, researchers have discovered.

In the past year, we've seen refrigerators being hacked, Jeeps being remotely controlled by attackers while the driver is a helpless passenger, and everything from baby monitors to routers being criticized for poor security which can place not only our Internet of Things (IoT) devices at risk, but our personal privacy and security.

There are approximately 240 million surveillance cameras in use worldwide -- counting only those which have been professionally logged and installed. Unfortunately, if default settings are left in place and forgotten about, surveillance cameras can become an easy target for cyberattackers setting up or empowering botnets -- networks of slave systems which can flood Internet services with traffic after directions from a master controller, resulting in denial-of-service for legitimate traffic.

According to Incapsula's research team, CCTV cameras are a common element of IoT-based botnets. In March last year, Incapsula discovered a 240 percent surge in botnet activity across the firm's network -- and much of this uptake was placed at the feet of enslaved CCTV cameras across the globe.

Now, a fresh attack is poised to disrupt online services. First discovered when investigating a HTTP Get Flood attack -- a type of distributed denial-of-service (DDoS) campaign -- which peaked at around 20,000 requests per second, the researchers found that within the list of attacking IPs, many of them belonging to CCTV cameras.

Traffic was able to surge through these connected devices due to installers failing to change default credentials in order to protect the cameras from infiltration.

All of the compromised devices were running BusyBox, a lightweight Unix utility bundle designed for systems with limited resources. Once an attacker gained access to a camera through the default credentials, they installed a variation of the ELF Bashlite malware, a type of malicious code which scans for network devices running BusyBox.

If devices are discovered, the malware then searches for open Telnet/SSH services which are susceptible to brute force dictionary attacks. This particular variant, however, was also equipped with the power to launch DDoS attacks.

A map of all the hacked CCTV cameras involved in DDoS attacks is below:


"Notably, the compromised cameras we monitored were logged from multiple locations in almost every case -- a sign that they were likely hacked by several different individuals," the team says.

"This goes to show just how easy it is to locate and exploit such unsecured devices."

See also:How to hack self-driving cars with a laser pointer

A simple method to prevent hackers from gaining access to these cameras is to change the default username and passwords associated with your devices.

This is not the first time hackers have taken advantage of home devices with poor security. In September this year, Rapid7 researchers discovered a vast array of vulnerabilities within nine modern baby monitors, granting hackers access to the connected home systems and communication passed through them.

How to protect your connected home and Internet of Things devices

Read on: Top picks

Editorial standards