
New security camera compromised by worm within minutes of installation - bpierre
https://twitter.com/ErrataRob/status/799556482719162368
======
Desustorm
This is absolutely fascinating - and stunning that it only took ~90 seconds to
be infected. Turns out the source code is... open source:

[https://github.com/jgamblin/Mirai-Source-Code/blob/6a5941be6...](https://github.com/jgamblin/Mirai-Source-Code/blob/6a5941be681b839eeff8ece1de8b245bcd5ffb02/mirai/bot/scanner.c)

~~~
arkadiyt
Just to clarify, it's not published by the author - the author got hacked and
their source leaked.

------
bsenftner
As a person just starting to explore IP cameras, can anyone suggest any
resources to tell if my cameras are already infected? If so, what to do? If
they are only accessible locally, within the home's local intranet, is that
safer?

~~~
jlgaddis
Watch the traffic coming out of it.

~~~
notheguyouthink
Any tips on how to do this (for those of us not educated in monitoring
traffic)?

I'm writing personal home automation stuff and will be wiring up a handful of
IoT SmartPlugs.

With all this IoT stuff I'm starting to wonder if buying a 2nd router to
isolate the IoT, or perhaps a "really good" router with features designed for
monitoring IoT.

Regardless, this is a problem I won't be able to ignore. So any advice is
appreciated :)

~~~
nitrogen
Bridge two network interfaces on a computer, then run Wireshark on the bridged
interface. Connect one side of the bridge to the main network, the other side
to the IoT network.

Or, if you have a non-switching hub, you can use that instead of a PC with two
NICs.
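
An added example, not from any commenter in this thread, of the detection logic behind "watch the traffic coming out of it": the linked Mirai scanner.c brute-forces telnet on TCP 23 and 2323, so a device that suddenly attempts telnet connections to many distinct hosts is a strong infection signal. The log format and all IP addresses below are constructed for the example; the threshold and window are assumptions.

```python
from collections import Counter, defaultdict

TELNET_PORTS = {23, 2323}  # ports the Mirai scanner targets (see linked scanner.c)

# Constructed sample of connection attempts seen on the IoT side of a bridge
# (e.g. exported from tshark or a firewall log). Assumed line format:
# "<epoch_seconds> <src_ip> <dst_ip> <dst_port> <proto>"
SAMPLE_LOG = """\
1479500000 192.168.50.10 198.51.100.20 443 tcp
1479500010 192.168.50.10 203.0.113.5 23 tcp
1479500011 192.168.50.10 203.0.113.9 23 tcp
1479500012 192.168.50.10 203.0.113.14 2323 tcp
1479500013 192.168.50.10 198.51.100.2 23 tcp
1479500014 192.168.50.10 198.51.100.77 23 tcp
1479500015 192.168.50.10 192.0.2.33 2323 tcp
1479500016 192.168.50.10 192.0.2.34 23 tcp
1479500017 192.168.50.10 192.0.2.35 23 tcp
1479500020 192.168.50.20 198.51.100.20 443 tcp
1479500021 192.168.50.20 192.168.50.1 23 tcp
1479500022 192.168.50.20 198.51.100.20 443 tcp
"""

def parse_line(line):
    """Split one log line into (ts, src, dst, port, proto)."""
    ts, src, dst, port, proto = line.split()
    return int(ts), src, dst, int(port), proto

def find_telnet_scanners(log_text, threshold=5, window=60):
    """Return {src_ip: max distinct telnet targets within any `window` seconds}
    for each source reaching `threshold` or more; a camera or plug that fans out
    telnet attempts like this is behaving like a Mirai scanner, not a client."""
    events = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, src, dst, port, proto = parse_line(line)
        if proto == "tcp" and port in TELNET_PORTS:
            events[src].append((ts, dst))
    scanners = {}
    for src, ev in events.items():
        ev.sort()
        seen, left, best = Counter(), 0, 0   # sliding window over sorted events
        for ts, dst in ev:
            seen[dst] += 1
            while ts - ev[left][0] > window:  # drop events older than the window
                old = ev[left][1]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                left += 1
            best = max(best, len(seen))
        if best >= threshold:
            scanners[src] = best
    return scanners

if __name__ == "__main__":
    print(find_telnet_scanners(SAMPLE_LOG))  # flags the camera, not the plug
```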

------
digi_owl
Note that this was a deliberate setup.

The safest thing to do for home routers is to kill UPNP, so that random
devices on the inside can't open listening ports to the outside.

~~~
mixedCase
>The safest thing to do for home routers is to kill UPNP

No no no!!!! This is going about it completely the wrong way and is setting us
up for failure come IPv6 (if it's not already a thing for you).

We need half-decent security practices not a temporary workaround that
requires user intervention.

In this case a randomly generated password printed somewhere inside the
device's box or on the device itself is enough to stop Mirai and similar dumb
botnets.

~~~
nat4ever
Yes. Yes. Yes.

An internet that requires devices to be publicly exposed to the entire
internet, and directly addressable at all times, is not an internet I want to
participate in.

You _WILL_ negotiate a firewall, before learning anything about the devices I
use.

 _ESPECIALLY_ if I am prevented from knowing their internals, whether by
willful disclosure or unlawful reverse engineering.

 _I_ control The Spice.

 _I_ control the universe.

~~~
deathanatos
I wouldn't/don't mind better research/work into better permission systems for
OS's/processes; allowing the user control over what gets exposed to incoming
connections _and_ what is allowed to make outgoing connections is fine and
good.

NAT, and uPnP, is not that. In the case of uPnP: if uPnP was SOP, wouldn't the
camera (needing to be "remotely accessible" because the Internet of Crap) just
make the requisite uPnP calls, likely making everything accessible?

NAT, in particular, is terrible. Trying to explain to a normal user how to
establish NAT port-forwarding for devices or applications is a UX _nightmare_.
NAT, in particular, kills off entire classes of protocol design, necessitating
hacking around NAT by routing traffic through untrustable third-party servers.

NAT is further not a firewall: once anything inside your NAT gets remotely
exploited, everything else is wide open. (And that's at best; depending on
the protocol in use, you might not even need remote code execution.)

(And uPnP's support in my experience has been utterly pathetic.)

~~~
nat4ever
Of course, I'm being a little cheeky, but ah, my sentiment of digging a moat
around a house with an unlocked door is an idea I'll always keep in my back
pocket, and show no hesitation in applying a ridiculous solution to a
ridiculous problem.

Obscurity and inscrutability certainly will never supplant the Objective
Ideological Truth that "Security" tries to be, but it's often useful as a
source of leverage when all other leverage would be denied to you.

You could never ever claim to endorse obscurity for its own sake during a
daily stand-up or a conference call, because people would rip you to shreds for
any number of valid reasons, but when push comes to shove, and you find
yourself on the losing side of someone else's moral hazard, being able to
throw a smoke screen up, where a brick wall would be preferred, is sometimes
all you can do.

------
libria
This is why the appliance market - Dropcam in this case - is often safe from
the DIY enthusiast market. Setting these up is one hurdle. After that's done
there's any combination of: network maintenance, security patches, updates,
hosting a local server, DNS, troubleshooting etc.

For some people, it's just worth $150 + 10/mo to not have something else to
think about.

~~~
59nadir
Setting one of these up is considered "DIY"? Wouldn't actually making the
backend for it, at the very least, be DIY?

------
kdragon
So I'm in the business of wheeling and dealing in these things.

It's common knowledge in the industry that all of these devices likely have
government backdoors or (likely deliberate) critical security flaws at any
moment.

Virtually all CCTV hardware comes from ruthless and unregulated Chinese
markets where the goal is to obfuscate the price (and source) as much as
possible, to prevent price discovery by the end user and allow 2-4x markups on
the equipment by the integrator.

Usually these manufacturers will sell to separate companies for their name
brand, off-brand, and offer custom branding to distributors.

Due to the obfuscation of manufacturing source, and at the same time a desire
to "stand out" amongst the rest, the industry is rife with knockoffs, third-
shift products, stolen technology, unauthorized distribution, you name it.

As an example: Every single Hikvision camera on amazon.com is an illegal sale
and void of any official support from Hikvision. Go ahead and try to call them
with a serial number for a product you bought on amazon and see what happens.
It doesn't matter that the company selling the product on amazon is also named
Hikvision (it's an imposter).

Point being, the surveillance camera market is so rife with corruption that
you generally accept that everything is compromised.

But none of it matters, because as long as the features work and the equipment
is reliable, you simply throw it all behind an isolated network and call it a
day.

------
lobo_tuerto
Does anyone have a recommendation on a secure brand/type of security camera to
get?

~~~
jenamety
Nest was acquired by google. They've got a lot of reputation to lose if they
get breached/hacked.

------
hellofunk
I don't understand how the bot net found his camera so instantly when he
turned it on or installed it. Within moments/seconds, it was attempting to
infiltrate a brand new device.

~~~
rasz_pl
You might be too young to remember Blaster Worm. There was a time in 2003-2004
you couldn't install Windows XP/2000 when directly connected to the internet
(no NAT/firewall): you got infected (= reboot after 60 seconds) as soon as the
install process fired up the RPC service.

~~~
mentat
Those were bad times. Trying to get someone updated when you didn't have a
firewall to put in front of a friend's box was really hard.

------
homero
So you're saying these get instantly infected when anyone plugs them in?
That's insane

------
awqrre
You can have the same problem with any OS that you install that is connected
to the Internet before the updates are applied (i.e.: getting a compromised
computer in a few minutes, whether Windows or Linux).

~~~
witty_username
I thought that is only with old (like 1 year or older) OS versions?

Aren't remote exploits quite rare?

~~~
DashRattlesnake
I don't think a rule of thumb like that is really valid. Someone could be
scanning for hosts with zero days right now.

~~~
witty_username
Yes, but aren't zero day remote exploits very rare?

~~~
DashRattlesnake
Every security bug, at some point, could have been a zero day.

------
mbrookes
Slightly off topic, but could anyone suggest how my laptop on my home network
could get portscanned by my router?

I've had the same router (D-Link DSL) with the same config for a few years and
never had that happen... can it be infected?!

~~~
icebraining
How do you know your laptop is being portscanned?

~~~
mbrookes
Symantec Endpoint Protection has portscan detection & blocking, but this is a
managed instance on a corporate laptop, so I don't have access to the logs to
drill in to what was intercepted.

Having traffic from the router blocked was a PITA though!

------
k_sze
And that's why I'd rather build my own security camera using an RPi and its
infrared camera module. I can even make it weather-resistant by
picking/3D-printing the correct enclosure.

------
draw_down
Reminds me of Windows XP!

------
p0la
those tweets are very cool. It's very funny to see it happening.

------
woliveirajr
TL;DR: Guy bought a webcam, installed it, and within one and a half minutes it
was already infected and even kicked him off his telnet connection.

The twitter stream narrates what he configured before turning the webcam on,
and gives details on how things unfolded.

~~~
jandrese
It's like the old days of installing XP from a CD and then putting it online
to get patches. You would have half a dozen viruses on the box before you
finished connecting to Windows Update.

------
Eun
Why is this on the frontpage? :o

~~~
vincnetas
Have you read followup tweets?

------
sickbeard
Why do people connect their security camera to the internet? You shouldn't
connect security anything to the internet

~~~
ceejayoz
They do it so they can view the camera remotely, like when they're on
vacation.

~~~
dimman
Take a look at Axis Secure Remote Access solution for a way to avoid port
forwarding (with its issues) and still get remote access, basically no
configuration at all except from actually initially adding the camera to your
site.

Only works on Axis cameras though with Axis client software I should mention.

~~~
icebraining
That's essentially using their servers as a middle-man. Which raises the
question: why would one trust Axis to build servers that withstand attacks but
not to build cameras that do the same?

~~~
dimman
It's still end-to-end encrypted though. Going through their servers it is in
case peer-to-peer isn't possible to setup, otherwise it's a direct encrypted
link between you and your camera (with client+server certificate validation)
without any mediator servers.

Regarding servers vs cameras: To oversimplify; servers can have exponentially
more capacity. Either how, in this case, the traffic is encrypted in each end
so there's nothing to be done by "the middle man servers", they can't decrypt
anything cause they don't possess the keys.

