Flaws in firmware commonly used by Closed Circuit TV (CCTV) devices worldwide have been exploited to create a powerful IoT-based botnet, according to one security firm.
On Monday, Securi published a blog about a customer, a small jewelry shop, that was seeing a large amount of network traffic through its CCTV cameras. Investigating further, the researchers discovered a global botnet that leveraged known vulnerabilities on more than 25,000 compromised CCTV systems worldwide running Cross Web Server. This builds on earlier research by Rotem Kerner who found a population of over 1,000 infected CCTV DVR devices all sporting HTTP servers that were listening on ports 81, 82, and 8000, identifying themselves as “Cross Web Server”.
In this current instance the CCTV devices that are part of the botnet were nearly all the same: all were BusyBox based and ran the Cross Web Server software.
Securi found the botnet was particularly strong, generating a layer 7 attack (HTTP Flood) close to 35,000 HTTP requests per second (RPS) which was more than the jewelry store’s web servers could handle. These attacks peaked at almost 50,000 HTTP requests per second. Securi found the botnet was leveraging only IoT (Internet of Things) CCTV devices.
Kerner had traced the compromised CCTV devices in his research back to an Israeli company selling CCTVs, but soon discovered the same component was present in CCTVs produced by 70 vendors. “They may have different logo, or slightly different plastics, but they share the same vulnerable software,” Kerner wrote last March. “This is basically what they call “white labeling”. Probably China’s most common business model. Eventually I’ve located the real manufacturer, a company called TVT.”
The problem is common, especially in the Internet of Things. Companies buy existing components to get their products to market without checking the quality of the product. “I’d say too many cooks are stirring the same rotten pot,” Kerner wrote. “This makes it really hard to mitigate the problem and leaving a lot of potential vulnerable end users (and) businesses. ”
The Securi report concludes, “as website owners, there is not much you can do to get those 25,000+ CCTVs fixed and protected. You also can’t do much to fix the millions of vulnerable devices on the internet that can be used as botnets and DDoS amplification methods.” They call upon the vendors to address the issues identified, and do it soon.