Eagle Eye Networks

145,000 DVRs Compromised

September 30, 2016 Eagle Eye Networks


Several articles, including one by the Wall Street Journal, have recently reported that approximately 145,000 hacked DVRs and cameras were used to create some of the largest denial of service attacks ever seen on the Internet.


Attackers used hijacked security cameras and DVRs to launch several massive Internet attacks, prompting fresh concern about the vulnerability of devices connected to the Internet. According to Level3, of the identifiable devices participating in these attacks, almost 96 percent were IoT devices, of which 95 percent were cameras and DVRs.

Security camera DVRs often come configured with telnet and web interfaces enabled so that users can configure the devices and view their security footage over the Internet, which makes them vulnerable to attacks. Hackers can use a compromised DVR to get access to the customers’ local network and obtain sensitive corporate information, which is a potentially dangerous liability for the reseller or VAR. Patching or upgrading these DVRs requires a manual upgrade or a replacement.

Checking DVRs to determine if they have been compromised and fixing them can be extremely complex and difficult.  Not all vendors provide firmware updates.  Updating the firmware, furthermore, will only clean up an infection in some circumstances.  A factory reset, if provided, may clear up the infection, but again only in a small percentage of circumstances.


Detecting and determining if a DVR is compromised can be accomplished with some network investigation or with security appliances that analyze all the Internet traffic. The Barracuda Web Security Gateway is one such product, but an expert can do it with more primitive tools as well. If the vendor does not provide a solution on their website, there is no easy way to determine whether a DVR is compromised.
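As an illustration of the "network investigation" approach, the following is an added example, not code from Eagle Eye Networks or the original post. It reads flow records and flags devices on the camera subnet that either open telnet connections to many external hosts (the way Mirai's scanner looks for new devices on TCP 23 and 2323) or receive telnet connections from outside. The CSV layout, subnets, threshold and sample records are assumptions made for the example.

```python
import csv
import io
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumptions for this example (none come from the article):
SITE_NET = ip_network("192.168.0.0/16")     # all internal addresses
CAMERA_NET = ip_network("192.168.10.0/24")  # subnet holding DVRs and cameras
TELNET_PORTS = {23, 2323}                   # TCP ports Mirai's scanner probes
FANOUT_THRESHOLD = 5                        # distinct external hosts before alerting

# Constructed flow records, as if captured inside the firewall (not real traffic).
SAMPLE_FLOWS = """src,dst,dst_port,proto
192.168.10.20,203.0.113.1,23,tcp
192.168.10.20,203.0.113.2,23,tcp
192.168.10.20,203.0.113.3,2323,tcp
192.168.10.20,203.0.113.4,23,tcp
192.168.10.20,203.0.113.5,23,tcp
198.51.100.7,192.168.10.21,23,tcp
192.168.10.22,203.0.113.50,443,tcp
192.168.1.5,192.168.10.23,23,tcp
192.168.10.24,203.0.113.9,23,tcp
"""


def find_suspect_dvrs(flow_csv, threshold=FANOUT_THRESHOLD):
    """Map each suspicious camera-subnet IP to the reasons it was flagged."""
    fanout = defaultdict(set)   # DVR -> external hosts it contacted over telnet
    exposed = defaultdict(set)  # DVR -> external hosts that reached its telnet port
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if row["proto"] != "tcp" or int(row["dst_port"]) not in TELNET_PORTS:
            continue
        src, dst = ip_address(row["src"]), ip_address(row["dst"])
        if src in CAMERA_NET and dst not in SITE_NET:
            fanout[str(src)].add(str(dst))
        elif dst in CAMERA_NET and src not in SITE_NET:
            exposed[str(dst)].add(str(src))
    findings = defaultdict(list)
    for dvr, peers in fanout.items():
        if len(peers) >= threshold:
            findings[dvr].append(f"outbound telnet to {len(peers)} external hosts")
    for dvr, peers in exposed.items():
        findings[dvr].append(f"telnet reached from {len(peers)} external hosts")
    return dict(findings)


if __name__ == "__main__":
    for dvr, reasons in sorted(find_suspect_dvrs(SAMPLE_FLOWS).items()):
        print(dvr, "->", "; ".join(reasons))
```

A device flagged for fan-out should be taken off the network and investigated; a device flagged as reachable means an inbound port is open to the Internet and should be closed.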

Screenshot of Mirai

Details:
The infection that was identified was labeled “MIRAI”. The MIRAI code has a large number of default camera and DVR passwords built into it. If you are using DVRs from one of these manufacturers and didn’t change the passwords, it is likely that you are infected. If you recognize these passwords, you are probably in trouble as well. These DVRs are sold under many different brands.

Lessons:
1) Don’t put DVRs or cameras directly on the Internet.
2) Do not open inbound ports to DVRs, NVRs or VMSs to the Internet – even with a firewall.  A firewall would not protect against these attacks.

The Eagle Eye Cloud Security Camera VMS separates the cameras from the Internet onto an isolated, protected network so they can’t be compromised or used maliciously.  Furthermore, the Eagle Eye Bridges are actively managed devices, which get firmware updates without having to send someone on site.  This allows security patches and general updates to be deployed in a timely manner.

Detailed Information:
http://blog.level3.com/security/attack-of-things/
http://www.wsj.com/articles/hackers-infect-army-of-cameras-dvrs-for-massive-internet-attacks-1475179428
http://arstechnica.com/security/2016/09/botnet-of-145k-cameras-reportedly-deliver-internets-biggest-ddos-ever/
http://arstechnica.com/security/2016/06/large-botnet-of-cctv-devices-knock-the-snot-out-of-jewelry-website/
https://blog.sucuri.net/2016/06/large-cctv-botnet-leveraged-ddos-attacks.html
https://krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack
