Hacked CCTV devices are being used for DDoS attacks against small websites
Attackers have compromised more than 25,000 digital video recorders and some CCTV cameras and are using them to launch distributed denial-of-service (DDoS) attack campaigns against several websites.
Researchers at the web security firm Sucuri discovered one such attack because it targeted one of their customers, a small brick-and-mortar jewelry shop.
At its peak, the DDoS attack flooded the website with close to 50,000 HTTP requests per second. It is believed to have targeted the application layer, otherwise known as ‘layer 7’. An attack of this magnitude can cripple a small website, because the infrastructure behind such sites can usually handle only a few hundred or thousand connections at the same time.
The Sucuri researchers saw that the traffic was coming from closed-circuit television (CCTV) devices, digital video recorders in particular: most of them responded to HTTP requests with a page named ‘DVR Components Download’. Roughly half of the devices involved displayed a generic H.264 DVR logo on that page. Other devices had more specific branding, such as ProvisionISR, QSee, QuesTek, TechnoMate, LCT CCTV, Capture CCTV, Elvox, Novus, and MagTec CCTV.
The botnet appears to be distributed worldwide. The countries with the most compromised devices are Taiwan (24 percent), the U.S. (16 percent), Indonesia (9 percent), Mexico (8 percent), Malaysia (6 percent), Israel (5 percent), and Italy (5 percent).
It is still unclear how the devices were hacked, but CCTV DVRs are known for their poor security. In March, a security researcher found a remote code execution vulnerability in DVRs from more than 70 vendors. In February, researchers from the security firm Risk Based Security said that more than 45,000 DVRs from various vendors all used the same hard-coded root password.
Hackers, of course, know about the flaws in these devices, at times even before they are disclosed to the public. Security vendors reported seeing DDoS attacks in October last year that were launched from a botnet of 900 CCTV cameras running embedded versions of Linux and the BusyBox toolkit.
Sadly, CCTV camera owners can’t do much about the problem at the moment. Most vendors do not fix the problems, especially in older devices. One good practice, however, is to avoid connecting the devices directly to the internet and to place them behind a router and a firewall instead.