Could the so-called Internet of Things go bad, really bad? Could a globally connected network of CCTVs become infected with a strain of malware that results in a botnet swarming across as many as 25,000 malware-riddled CCTV cameras?
American website security and web application firewall (WAF) specialist Sucuri thinks that this scenario is plausible because it has already happened. The Delaware-headquartered firm said it found the CCTV botnet during analysis it carried out in relation to an online assault against a ‘bricks & mortar' jewelry store.
Layer 7-tsunami
The shop contacted Sucuri to help protect their site from a DDoS attack which had crippled its operations. Upon switching the customer's DNS to the Sucuri Network, researchers found a Layer 7 attack (HTTP Flood) generating close to 35,000 HTTP requests per second (RPS), more than the shop's web servers could handle.
According to Sucuri's own account of events, “normally, this would be the end of the story. The attack would be mitigated, the attackers would move on after a few hours and the website owner would be happy. In this case however, after the site came back up, the attacks increased their intensity, peaking to almost 50,000 HTTP requests per second. It continued for hours, which turned into days.”
The requests were traced to a network of Internet-connected CCTV cameras.
While it is not yet known exactly how the cameras were compromised, industry commentators have suggested that the route of the issue may lie in vulnerabilities in the cameras' digital video recorder (DVR) boxes.
Sucuri details the flow of events and says that as it extracted the geo-location from the IP addresses generating the DDoS, it noticed that they were coming from all over the world, different countries and networks. A total of 25,513 unique IP addresses came within a couple of hours.
Deeper contextualisation
The attack itself is unusual. Firstly, for the fact that it is a DDoS attack on the IoT that only targeted CCTV devices and secondly, for its uncommonly lengthy duration.
In light of this attack and others of a similar shape, vendors have called for baked-in security and, specifically that camera manufacturers provide better routes to patch the firmware used in their own systems.
Cesare Garlati, chief security strategist, prpl Foundation spoke to SCMagazineUK.com directly on this story to say, “The very fact that patching isn't high on the priority list for admins is testament to why security in devices like CCTV cameras needs to be ‘baked in' at the chip or hardware layer. If we don't take steps now to improve security within devices at the development level, the results could be catastrophic, especially when they can be hijacked and directed at critical infrastructure.”
Igal Zeifman, senior digital strategist at Imperva flagged a similar type of predicament in an email to SC which he detailed on his firm's own website. “Security cameras are among the most prevalent and least protected IOT devices. Moreover, many have high upload connections, meant to support their remote streaming functionality,” he said.
Zeifman continued, “for these reasons security cameras are prime targets for botnet herders, who are always looking to add more devices to their ‘flock'. In the past few years, we have seen several examples of CCTV botnets being used for high profile DDoS attacks. With millions of new cameras being installed on a yearly basis, often by non professionals, these botnets are not going anywhere anytime soon.”
CISO for EMEA region at cloud security company Zscaler, Chris Hodson asserts that IoT botnets are increasing because IoT-enabled devices are everywhere and the security development lifecycle for IoT devices is often expedited or bypassed due to strict deadlines around time to market or the cost of the hardware.
In an energetic exchange with SC editorial staff this week, Hodson said, “until consumers demand that security is embedded into the hardware development lifecycle, manufacturers would feel no pressure to change their methods. As in the Sucuri case, IoT devices are often geographically dispersed which is a substantial benefit to cyber-criminals. When you're hit with a DDoS attack from a specific geography, blocking the offending connections is trivial.”
Hodson concluded, “In the case of CCTV, price-point is also imperative. Manufacturers are looking for hardware components which are affordable and increase profit margins. Cheap, lightweight components in IoT devices often lack the capability to provide fundamental security services, such as encryption, as its hardware simply cannot support it. How many anti-malware products have been released for our IoT devices? Very few, if any.”
