In recent years, various news stories have emerged about attacks on webcams and IP cameras: vulnerabilities like those of any other system, hard-coded credentials and, the best known of all, cameras left open without a password, among many other examples.
A few days ago, another attack against these systems was made public when Incapsula (a subsidiary of Imperva) published details of a botnet that uses closed-circuit television (CCTV) cameras to carry out DDoS attacks.
In its report on the attack, Incapsula, besides giving the volume and location of some of the cameras, explained how these systems were compromised, although the method is not particularly novel…
- Geolocation of affected CCTV devices -
These systems run a small Linux distribution, typically built on BusyBox (as many other embedded devices do). The attackers scan IP ranges looking for Telnet/SSH services with weak passwords, log in and drop a malicious ELF binary (such as .btce) with which they go on to attack other systems, launch DDoS attacks or carry out other malicious actions.
The mechanism is the same one we described recently in the post "Domestic routers in the spotlight", in which we reported more than 100 attacks in 48 hours.
The mechanism is so similar that we identified the same campaign detected by Incapsula in INCIBE's own honeypots, although our analysis showed that the attack was not aimed only at CCTV systems: it also affected Ubiquiti technologies used to deploy airMAX and EdgeMAX wireless networks, residential network equipment such as the Tilgin Home Gateway, and even satellite TV tuners such as the MaxDigital XP1000.
All of these systems had a publicly exposed web interface that allowed them to be identified immediately.
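As an added illustration of the defender's side of this mechanism (it is not code from INCIBE's honeypots or from Incapsula's report), the following Python script flags the credential-guessing bursts that such a campaign leaves in a device's SSH authentication log and marks sources whose guessing ended in an accepted login. The log lines, hostnames and addresses are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in sshd/syslog format (not data from INCIBE's honeypots or
# Incapsula's report); 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
Oct 21 10:01:02 cam01 sshd[812]: Failed password for root from 203.0.113.7 port 51234 ssh2
Oct 21 10:01:03 cam01 sshd[812]: Failed password for admin from 203.0.113.7 port 51235 ssh2
Oct 21 10:01:04 cam01 sshd[812]: Failed password for invalid user support from 203.0.113.7 port 51236 ssh2
Oct 21 10:01:05 cam01 sshd[812]: Failed password for root from 203.0.113.7 port 51237 ssh2
Oct 21 10:01:06 cam01 sshd[812]: Accepted password for root from 203.0.113.7 port 51238 ssh2
Oct 21 10:05:00 cam01 sshd[900]: Failed password for alice from 198.51.100.4 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)")

def parse(log_text):
    """Yield (timestamp, result, user, ip) for each line matching LINE_RE."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # syslog stamps carry no year; only differences between them are used
            yield datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["result"], m["user"], m["ip"]

def detect_bruteforce(log_text, fail_threshold=3, window_seconds=60):
    """Return {ip: alert} for sources with >= fail_threshold failed logins inside
    window_seconds. The alert lists the usernames tried and whether a login later
    succeeded from that source, the case to escalate: the device is likely compromised."""
    failures = defaultdict(list)  # ip -> failure timestamps
    users = defaultdict(set)      # ip -> usernames attempted
    succeeded = set()             # ips with a success after earlier failures
    for ts, result, user, ip in parse(log_text):
        users[ip].add(user)
        if result == "Failed":
            failures[ip].append(ts)
        elif failures[ip]:
            succeeded.add(ip)
    window, alerts = timedelta(seconds=window_seconds), {}
    for ip, stamps in failures.items():
        stamps.sort()
        burst = any(stamps[i + fail_threshold - 1] - stamps[i] <= window
                    for i in range(len(stamps) - fail_threshold + 1))
        if burst:
            alerts[ip] = {"failures": len(stamps), "users": sorted(users[ip]),
                          "compromised": ip in succeeded}
    return alerts
```

Running `detect_bruteforce(SAMPLE_LOG)` on the constructed log reports only 203.0.113.7, with four failures across three usernames followed by an accepted login; the single failure from 198.51.100.4 stays below the threshold.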
- airMAX device website interface -
- EdgeMAX device website interface -
- Tilgin Home Gateway website interface -
- Website interface of a MaxDigital XP1000 satellite TV tuner -
Many articles discussing this type of camera-specific botnet point out that these devices are one of the main targets of attacks on what is known as the "Internet of Things" (IoT); it is also true that, besides cameras, another frequently attacked element is cash registers or point-of-sale (PoS) terminals, as in the PoSeidon or BrutPOS cases.
Although the "Internet of Things" concept has a strong marketing component, it is true that security cameras today combine rather sensitive characteristics: they are physical security elements, yet they are exposed to attacks from the cyber domain.
Precisely because they are sensitive physical security elements, the British CPNI (Centre for the Protection of National Infrastructure) has several publications on their security that go beyond the most common measures, such as:
- Do not use default usernames or passwords. Use complex ones, do not share them and change them periodically.
- Keep all CCTV software updated and run antivirus software on the PCs that operate the system.
- Segment these systems and control remote access, including changing the default ports.
- Encrypt communications in these systems, particularly wireless ones.
- Manage the logs, connections and events detected in the system.
Specifically, CPNI has published a guide on the physical security of information systems that addresses the convergence of physical and IT security and the associated equipment (switches, routers, etc.) built into CCTV, alarm, intrusion detection and access control systems, taking into account the different topologies and the advantages and disadvantages of each, including remote access and connections to other networks.
- Typical architecture of a CCTV system -
In addition, CPNI has also published a video addressing the main IT security threats to physical security systems such as CCTV.