
This security camera was infected by malware 98 seconds after it was plugged in - brakmic
https://techcrunch.com/2016/11/18/this-security-camera-was-infected-by-malware-in-98-seconds-after-it-was-plugged-in/
======
maaaats
Previous discussion on the original tweets:
[https://news.ycombinator.com/item?id=12985974](https://news.ycombinator.com/item?id=12985974)

------
kinkdr
This brings back memories of the Windows 95-98 era, where a fresh install would
get infected in a matter of seconds after being connected to the internet.

I expect the IoT to go through a similar phase, but eventually get fixed and be
secure enough.

~~~
macintux
Maybe. Windows had a single company behind it, and as I recall Bill had to
issue a company-wide cease and desist order to get people to stop developing
and focus on security for a while.

IoT may always be plagued by cheap hardware with buggy software from
fly-by-night companies.

~~~
wfunction
Whoa, any reading you can point to on that historical note?

~~~
macintux
[http://www.zdnet.com/article/10-years-since-the-bill-gates-s...](http://www.zdnet.com/article/10-years-since-the-bill-gates-security-memo-a-personal-journey/)

~~~
wfunction
Thanks!

------
ruddct
Having flashbacks to the 'bad old days' of similar things happening to Windows
machines (PCs, ATMs, etc). Microsoft, the gigantic, near-monopoly company in
the space with a jillion very smart people working for it, struggled with such
issues for many years (though eventually reined it in).

This time, though, I don't see a tenable path to actually fix this. The IoT
industry is terribly, terribly fragmented. Few business models incentivize
providing ongoing maintenance once they've sold you their gizmo. Few consumers
have the ability to detect that this is happening.

I suspect that security and compatibility issues will cripple a large chunk of
the IoT industry, with bigger players slowly picking off the profitable/useful
chunks with niche products customers will think of as 'safe' (read:
Amazon/Google's many IoT products).

In the meantime, I'll continue avoiding smart/IoT devices in my house. The
risks seem to far, far, outweigh the rewards.

------
oxide
I wonder how many of these cheap things are going to get plugged in this
holiday season with default login/passwords.

------
stamps
What is a good security camera? Who makes good ones?

I haven't been able to find a company who provides a quality POE device that
allows me to control the feed into something like Zoneminder.

Do I have to use something more analog to be "safer" from something like this?

~~~
hrrsn
We use Ubiquiti Unifi. We use their software with it, but I'm sure you could
feed it into Zoneminder. Very happy with it.

~~~
stamps
Do they host their software or is it installed on a local device?

~~~
hrrsn
It's all self hosted.

------
jbyers
What is the expected time between port scan for an arbitrary IPv4 address? Is
the level of scanning activity so high (or so well-targeted to "promising"
address spaces) that one should expect to be scanned in minutes?

~~~
Symbiote
I have between 2500 and 40,000 SSH login attempts on a server on my home
broadband in Denmark, usually around 30,000. That's one every 90 seconds or
so.

Wow.

I don't know about other ports, other than HTTP I don't have any open.

A server on slow home broadband in the UK is only receiving 100-300 attempts
per day. It's almost identical to the one in Denmark, except the broadband is
terrible.

Several servers in a university's IP space have about 5000-10000 attempts per
day.

------
DanBC
> Better-quality devices will almost certainly be better protected against
> this kind of thing, and may for example block all incoming traffic until
> they’re paired with another device and set up manually. Still, this is a
> good reminder that it really is a jungle out there.

This seems like a bold claim, unless they define "better quality".

------
fanzhang
How would the malware even know that the camera was connected in? Especially
if you're on a home network (which is firewalled / has NAT on).

I suspect that it must be the central server that this camera reports to that
is infected, either directly, or indirectly with some program sitting at a
nearby router listening for traffic.

~~~
drzaiusapelord
Because the camera requests port forwarding from your firewall using UPnP. Now
your mobile app connects directly to port 83785 and streams video from the
camera without any firewall hassles. The problem now is that hackers can also
connect to port 83785 and exploit unpatched security holes.

If a firmware update exists, it's probably too technically challenging for Joe
User to find and install. For a lot of these devices, there isn't even a
published fix. These manufacturers are just rebranding some generic camera
from a larger manufacturer or using the same camera and IoT guts and putting
them into different cases. These companies probably don't even have a software
developer on staff who has access to these firmwares, just perhaps a binary
blob, assuming they have any software people on staff at all.

~~~
jenamety
So are you stating the hacker was notified, or was the hacker polling to check
the port?

~~~
drzaiusapelord
They're just mass scanning for known IoT ports. UPnP opens up the port for
everyone. My port number is an example. This blogger found his camera opening
up port 80 via UPnP:

[https://www.pentestpartners.com/blog/hacking-the-aldi-ip-cct...](https://www.pentestpartners.com/blog/hacking-the-aldi-ip-cctv-camera-part-2/)

Also Brian Krebs examined that Foscam camera and found it enabled a P2P
protocol and opened a port on the firewall using UPnP as well:

[https://krebsonsecurity.com/2016/02/this-is-why-people-fear-...](https://krebsonsecurity.com/2016/02/this-is-why-people-fear-the-internet-of-things/)
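
Added example, not part of the thread or any commenter's code: a defender-side audit of the UPnP port mappings described above, parsing `GetGenericPortMappingEntry` responses from a router's WANIPConnection service and flagging enabled mappings that expose telnet or HTTP to any source. The SOAP bodies, the addresses and the helper names (`soap`, `parse_mapping`, `audit`) are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Internal ports named in this thread: 23 (telnet) and 80 (camera web UI).
RISKY_PORTS = {23: "telnet", 80: "http"}

def soap(ext, proto, int_port, client, enabled):
    """Constructed GetGenericPortMappingEntryResponse body (sample data)."""
    return f"""<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
<s:Body><u:GetGenericPortMappingEntryResponse
    xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost></NewRemoteHost>
<NewExternalPort>{ext}</NewExternalPort>
<NewProtocol>{proto}</NewProtocol>
<NewInternalPort>{int_port}</NewInternalPort>
<NewInternalClient>{client}</NewInternalClient>
<NewEnabled>{enabled}</NewEnabled>
<NewPortMappingDescription>constructed</NewPortMappingDescription>
<NewLeaseDuration>0</NewLeaseDuration>
</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"""

SAMPLE = [  # constructed mappings; 192.168.1.50 stands in for the camera
    soap(8080, "TCP", 80, "192.168.1.50", 1),
    soap(23, "TCP", 23, "192.168.1.50", 1),
    soap(51413, "UDP", 51413, "192.168.1.20", 1),
    soap(2323, "TCP", 23, "192.168.1.50", 0),   # present but disabled
]

def parse_mapping(xml_text):
    """Return the New* argument elements of one response as a dict."""
    root = ET.fromstring(xml_text)
    return {el.tag: (el.text or "").strip()
            for el in root.iter() if el.tag.startswith("New")}

def audit(responses):
    """List enabled TCP mappings that expose a risky port to any remote host."""
    findings = []
    for m in map(parse_mapping, responses):
        enabled = m.get("NewEnabled", "0").lower() in ("1", "true")
        wildcard = m.get("NewRemoteHost", "") == ""   # empty = any source
        port = int(m["NewInternalPort"])
        if enabled and wildcard and m["NewProtocol"].upper() == "TCP" \
                and port in RISKY_PORTS:
            findings.append((int(m["NewExternalPort"]), m["NewInternalClient"],
                             port, RISKY_PORTS[port]))
    return findings

if __name__ == "__main__":
    for ext, host, port, name in audit(SAMPLE):
        print(f"WAN tcp/{ext} -> {host}:{port} ({name}) open to any source")
```

Any mapping it reports is one the router created on a LAN device's request, so the fix is to delete the mapping and disable UPnP on the router or isolate the device.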

------
t0mbstone
News flash: If you expose a device web-accessible port to an internet IP with
no firewall and leave the default user name and password intact, it will get
hacked.

Put your shit behind firewalls and change the default user name and password
to something secure. This is common sense stuff, people. Port scanners have
existed for ages.

~~~
garyrichardson
What if the device opens up some random port via UPnP? What then? Do you turn
off UPnP? If you did, why did you even buy this camera?

------
tonyplee
From the tweet pics, it looks like the outside IP was able to connect to the
camera via telnet.

Does the camera firmware open a UPNP tunnel in AP to its telnet port?

Does this guy's Wifi router enable anyone to open tunnels in his AP
router?

~~~
toomuchtodo
UPnP is turned on by default on almost all access points.

------
shendu
The article missed an important fact:

Question: interesting tweets Rob, is it used Dynamic DNS when it is initially
setup? If no, how is it exposed to internet?

Answer: I had to map the external port 23 on the firewall to the device.

------
ryanstanton
Eek, who knew the rise of cheap CMOS-based surveillance cameras would lead to
DDOS attacks?

------
mmagin
Are most of these things spread via random IPv4 address probes? Are we going
to be somewhat safer when networks are IPv6-only due to the size of the
address space vs the used addresses?

------
batrat
a tech industry veteran - Internet-scanning(his hobby) - cheap camera - no
firewall - wannabe famous -> make your pick. 100% he infected it himself.

------
funkyy
It almost looks like the camera producer/someone from an internal team was
responsible for either giving out a backdoor or actually infecting the camera...

