Some infosec pros dismiss worries about the Internet of Things if many devices don’t store or transmit personal information. But there are other ways attackers can leverage devices connected to the Internet — as sources for distributed denial of service (DDoS) attacks.
Security vendor Securi Inc. described the latest use on Monday, one that used thousands of Web-connected CCTV cameras with over 25,000 unique IP addresses in 105 countries. Described by the company as a variation of the HTTP flood and cache bypass attack, 24 per cent of the IP addresses were in Taiwan and 12 per cent in the U.S.
Combined the botnet threw out 50,000 HTTP requests per second over several days. Securi came across the attack from one of the victims, a small jewelry store.
The majority of the cameras (48 per cent) had the default H.264 DVR logos, says Securi, but the others had modified branding to match the company that built or sold it. All these devices are based on BusyBox, a Linux OS for embedded devices.
Securi speculates the cameras were attacked using a remote code execution vulnerability first discovered in late 2104 that affected 70 camera makers. In the fall of that year Incapsula reported a botnet of some 900 CCTV cameras from around the world had been discovered targeting what was described as a “rarely-used asset of a large cloud service, catering to millions of users worldwide.” Again, all devices were running BusyBox.
Securi researchers said attackers used random search referrers from sites including Google, USA Today and Engadget and user-agent combinations in an effort to emulate normal browser behavior.
Sucuri CTO and founder Daniel Cid urges online camera users and vendors to make sure their devices are fully patched and isolated from the Internet. “Actually,” he adds, “not just your online camera, but any device that has Internet access (from DNS resolvers, to NTP servers, and so on).”
In its blog Incapsula reminded infosec pros on the importance of changing default passwords of Internet-connected devices.