
CCTV Cameras Sold on Amazon Come with Pre-Installed Malware - walterbell
http://artfulhacker.com/post/142519805054/beware-even-things-on-amazon-come
======
anexprogrammer
Since the growth of third party sellers there should be no "even Amazon" about
it. The image watermark makes it pretty clear it's a 3rd party seller.

I do wish Amazon would vet the stuff they permit sale of on their site though.

~~~
noxToken
This isn't meant to be snarky: How does a company like Amazon, that sells damn
near anything you could want, vet everything that they sell in an efficient
manner? Even if you vet everything the first time around, what about updates?
Software and hardware devices/gadgets are obvious, but this includes other
physical goods that undergo a redesign as well.

~~~
anexprogrammer
I'm not sure. Perhaps charge a vetting fee until your store has established a
level of trust. Whilst there are some great 3rd party sellers there's now a
huge number of awful ones. Amazon is no longer a site that feels trustworthy.

Physical stores have to meet quality and legal requirements on sale of goods
and what have you. The retailer can be sued if something isn't as described,
or fit for sale. Things can and do get pulled. Mistakes are of course made.

Selling a bunch of stuff under the Amazon brand but disclaiming everything
(take it up with the seller in China) except their own supply has taken it a
little far. They became ebay but somehow still carry the trust "even Amazon".

~~~
saidajigumi
> Physical stores have to meet quality and legal requirements on sale of goods
> and what have you.

Yes, but that's probably the wrong physical analogy. Has a mall ever been sued
because one of its stores sold illegal and/or deceptively advertised goods? I
seriously doubt it. Now a mall (or Amazon) might kick a seller out if there
are problems. This absolutely happens, but it's not very visible, and only
occurs after the fact.

~~~
anexprogrammer
Your analogy helps focus the crux of the problem. How many malls have all
their stores branded as the mall?

Amazon have been so successful integrating stores into their site that
customers don't realise who they're buying from.

~~~
saidajigumi
I'll argue that the branding issue is a distraction. Shoppers generally
understand that Home Depot, Walmart, etc. don't make or comprehensively vet
everything they sell, yet they still stand behind the customer experience via
returns and support. I find holding Amazon to a higher standard of product
vetting as compared to other mass retailers a difficult position to defend.

~~~
anexprogrammer
Holding them to exactly same standard as all retailers. It seems US and EU law
may be vastly different on this front. Here it's the retailer held responsible
for problems, so it's in their interests to vet as a normal part of the buying
process, and they do.

A new company will find its product looked at to decide if it's worth putting
in the stores, and that it meets electrical safety or whatever laws etc.[1]
Only once approved will it be placed in store. They'll probably trial in just
a few stores first. At least some retailers have an audit process for the
factory too.

[1] [https://www.homeretailgroup.com/suppliers/how-to-be-a-supplier/](https://www.homeretailgroup.com/suppliers/how-to-be-a-supplier/)
80,000 lines, they say they assess all products, and mention lab testing and
pre-shipment inspections. They're a mass market retailer with a lot of product
at the cheaper end of the scale.

------
ausjke
Whenever I see news like this I begin to think: we need an OSS software
project for the various IPCAMs on the market, the way OpenWrt does for
routers. So you can know for sure you're watching, not vice versa.

Most if not all IPCAMs run Linux; the tricky part is the codec libraries,
which are tied to some old kernel using some strange toolchains. That can be
improved with the vendor's help over time.

In the past TI owned the IPCAM chip market; now it's Huawei, whose chip
(HiSilicon) occupies about 80+% of IPCAMs on the market nowadays, and TI is
getting out of this game. The project may only need to support one or two chip
vendors.

~~~
brashrat
An OSS project is not enough to give us any security, with chips that are
mostly made super cheaply in sketchy countries and that are complex enough to
contain whole computers and OSes... If you are successful with your OSS
stopping spying or any other mal-MITM, the spies will be further incentivized
to move upstream, and then you discover that even more spies live up at the
headwaters.

I'm not saying it's hopeless, I'm saying that the problem needs to be stopped
at its root and systemically, with random selections and inspections, 3rd
party audits, etc. That's not perfect either (as we see from banking
regulation) but unless you start in a civilized country with checks and
balances, there is no end in sight.

~~~
sdca
No flagship SOC in the world is immune to backdoors. Both Chinese & U.S.
governments have massive spying programs with corporate participation. Good
luck getting meaningful third party audits with highly complex, obfuscated,
and proprietary designs that the companies will lobby against deciphering...

------
krzrak
It is worth noting that the domain used by the malware (as well as some other
domains) was seized and shut down by the .pl registrar's (NASK) security team
(CERT). Here's the report of the operation:
[https://www.cert.pl/PDF/Report_Virut_EN.pdf](https://www.cert.pl/PDF/Report_Virut_EN.pdf)

~~~
xpose2000
Thank you for mentioning this. It's as if the other user comments didn't
actually read the article or go to the forum post that was linked to.

Looks like attackers managed to include this in a firmware update to launch
DDoS. Amazing. Luckily the malware site is no longer working, so the users are
safe. The users of the product mentioned that older versions of the firmware
did not have this included.

Not sure how it happened, but to blame Amazon is ridiculous. I would look into
the manufacturer a bit more to make sure it won't happen again before buying
it.

To sum up. The price of the product is good. Amazon is still good. The company
who made the product is now questionable. The firmware is bad.

------
buserror
I got a few of these (related) cameras on Aliexpress a little while back and
yes, they also had the same malware. Saw it immediately as Chrome flagged it
when I loaded the UI page.

There are some 'vanilla' firmware images around that can be reflashed, but
reflashing them is definitely not within most people's ability.

It's too bad, it _is_ very nice hardware, and the price is incredible...

~~~
ams6110
So if I just resolve that domain to 0.0.0.0 on my local network, is the camera
safe to use?

~~~
lstamour
No, I'd flash the firmware on the camera first before trusting it.

Alternatively, connect the cameras to a second network without any internet
access at all, which is probably best for security to the cameras anyway.

~~~
buserror
You can also give them DHCP leases that don't set the gateway. That's usually
a good idea anyway, and it's pretty easy to do if you use something like
dnsmasq.

In my config I have an IP range on my subnet that is the default one and
doesn't set the gateway. When I 'trust' a device I add its MAC to the list
of trusted ones.
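A dnsmasq configuration implementing the scheme described above, added here as an illustration and not taken from the commenter's own setup; the subnet 192.168.10.0/24, the router address 192.168.10.1 and the MAC address are assumed placeholder values.

```conf
# Pool for every device that is not explicitly trusted (e.g. a fresh IP camera).
# Leases from this range are tagged "untrusted".
dhcp-range=set:untrusted,192.168.10.100,192.168.10.199,12h

# Suppress DHCP option 3 (router) for everyone by default: a camera in this
# pool can still be reached on the LAN but has no route to the internet, so
# any firmware that tries to phone home or join a DDoS fails at the first hop.
dhcp-option=3

# Devices carrying the "trusted" tag get the real default gateway; a tagged
# dhcp-option overrides the untagged one above for those hosts only.
dhcp-option=tag:trusted,3,192.168.10.1

# Trusted list: one line per device, identified by MAC address (placeholder
# value below) and pinned to a fixed address outside the untrusted pool.
dhcp-host=aa:bb:cc:dd:ee:ff,set:trusted,192.168.10.201

# Optional hardening: answer DNS only for the local domain for untrusted
# hosts is not possible in dnsmasq, so pair this with a firewall rule that
# drops forwarded traffic from 192.168.10.100-199 as belt and braces.
```

The gateway suppression only affects what DHCP hands out; a device with a hard-coded static route or its own DNS resolver still needs a firewall rule to be fully isolated.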

------
ComputerGuru
In response to everyone asking about open standards and standardized
platforms, there's already an open standard for networked IP cameras and it's
called onvif, run by a non-profit organization (for what that is worth). There
are open implementations for OnVif and virtually all cameras shipping from
China already support OnVif.

------
joering2
[http://www.amazon.com/Sony-Chip-Camera-1080P-CCTV/dp/B00YMEVSGA](http://www.amazon.com/Sony-Chip-Camera-1080P-CCTV/dp/B00YMEVSGA)

_We're sorry. The Web address you entered is not a functioning page on our
site_

Wonder what Amazon is doing right now...

~~~
pkaye
Probably sucking the money back out of that resellers account to pay for any
unexpected costs?

------
ocdtrekkie
I have found modern support for analog security cameras to really be coming to
an end, which is pretty unfortunate, because they're often cheaper and pretty
much impossible to come across these sorts of problems with. (I can't even
find a PCI-E card with BNC connectors in this day and age.)

If you're going to buy ANYTHING with a network port (or Wi-Fi, or Bluetooth,
or heck, USB), you should be wary of where it came from.

~~~
angst_ridden
Have you checked Blue Cherry? They have always been my go-to place for analog
video input cards, and they have tons of them. Check
[http://store.bluecherry.net/product-category/capture-cards/video4linux-supported/](http://store.bluecherry.net/product-category/capture-cards/video4linux-supported/)

------
smcquaid
This is so unfortunate. I've been wanting to do a security system for a while
now, but it looks like I will have to do it via USB webcam + Raspberry Pi
instead of an integrated IP camera. I really wish there was a cheap IP
camera hardware standard where the firmware could be easily flashed with
something open source.

~~~
noxToken
Check out the OpenIPCAM wiki[1]. It's not a standard, but it's a start.

[1]: [http://wiki.openipcam.com/index.php/Main_Page](http://wiki.openipcam.com/index.php/Main_Page)

------
awesomerobot
Are there any cameras I can buy that aren't garbage in some way?

~~~
danielvinson
This isn't an easy question to answer - I'd answer differently depending on
whether you want cameras for home vs. business purposes, and differently if
you want local vs. cloud storage.

~~~
awesomerobot
Fair. Just looking for something with decently secure firmware that I can
permanently install outside, store locally on a NAS, and live stream remotely
if I choose to. It's just kind of difficult to get a clear option because the
market is saturated with junk.

------
cpncrunch
Link isn't working. I assume Amazon pulled the item.

Is this the same/similar item?:

[http://www.amazon.com/Annke-Sensor-2-1MP-Security-Camera/dp/...](http://www.amazon.com/Annke-Sensor-2-1MP-Security-Camera/dp/B01B2MO96K/ref=sr_1_5?ie=UTF8&qid=1460610078&sr=8-5&keywords=sony+chip+1080p+camera)

Incredibly cheap and zero reviews, so perhaps they've just reposted it with a
slightly different product code on Amazon?

------
camel_gopher
Bought a brand new foscam HD off Amazon. Plugged it in, network immediately
started acting weird. Router confirmed it was sending outbound traffic where
it shouldn't.

------
GTP
I think the safest solution is Raspberry Pi + webcam, but I'm not sure if
webcams suitable for outdoor use exist.

~~~
txutxu
The Raspberry Pi has direct memory access by a binary blob driver. The 'safest'
solution could include having all the kernel/userland code audited by the
community.

------
Aelinsaar
When are people going to demand standards for networked cameras, mics, and the
like? My guess? Someone has to provably die as a result.

------
dang
Url changed from [http://thehackernews.com/2016/04/home-security-system.html](http://thehackernews.com/2016/04/home-security-system.html),
which points to this.

------
kelvin0
We've passed the IoT stage, now entering the IoS (internet of surveillance). I
wonder how many people bought this and will never notice.

