Over 25,000 IoT-based CCTV cameras were used.
In the latest example of just how bad IoT security can be, researchers at security firm Sucuri discovered that what looked like a run of the mill DDoS attack on a small jewelry store’s website was actually the work of a massive botnet powered completely by IoT-based CCTV cameras. Approximately 25,513 cameras in 105 countries were part of the botnet. The largest concentration of cameras was found in Taiwan and the United States.
“It is not new that attackers have been using IoT devices to start their DDoS campaigns,” Sucuri wrote in a post on their website, “However, we have not analyzed one that leveraged only CCTV devices and was still able to generate this quantity of requests for so long.”
The cameras were able to pummel the site with 50,000 HTTP requests per second, far more than any server can handle, and kept up the attack for days. All of the devices were running “Cross Web Server” and had the same default HTTP page with a “DVR Components” title. The researchers were also able to determine the manufacturers of the cameras involved:
- H.264 DVR (46 percent)
- ProvisionISR (8 percent)
- QSee (5 percent)
- QuesTek (5 percent)
- TechnoMate (3 percent)
- LCT CCTV (2 percent)
- Capture CCTV (2 percent)
- Elvox (2 percent)
- Novus (1 percent)
- MagTec CCTV (1 percent)
The company stated they think the devices might have fallen victim to a recently discovered RCE vulnerability in CCTV-DVR, but have not been able to confirm it yet. There is little website owners can do to prevent these attacks, but Sucuri said they are reaching out to the affected camera manufacturers and urge owners to make sure their cameras are fully updated and isolated from the internet.