'Security' Cameras Are Dry Powder for Hackers. Here's Why

Researchers have long bemoaned the insecurity of certain “security” cameras. Ostensibly installed to deter and thwart intruders, many actually can be transformed into an arsenal that hackers use for Web warfare.

The latest cause for concern: A vulnerability that enables hackers to summon a firehose of network traffic from hundreds of thousands of such devices for “distributed denial of service” attacks, also known as “DDoS” attacks, that aim to knock targets offline—sometimes just for kicks and giggles, other times until a victim pays ransom. In a report published Wednesday, security researchers at “cloud” network firm Akamai called attention to the recently identified flavor of attack, warning that instances of it are likely to worsen, in coming weeks, in terms of severity and frequency.

“It’s just so easy to abuse,” says Chad Seaman, an Akamai engineer who worked on the report. “We know there’s an active marketplace for it where people are selling these [DDoS] services via stressors and booters,” industry jargon for hacking-for-hire, he says.

The new attack uses a novel method to achieve old aims. Previous victims of DDoS attacks include Github, the code collaboration site, which got hit with the largest ever recorded one last year. In 2016, an attack targeting Dyn, an Internet infrastructure firm, since absorbed by Oracle, suffered a DDoS strike, leading to widespread Internet outages.

How it works

This is a new type of digital cudgel. Observed since May, the attack involves misuse of a device-pinpointing protocol—called “web services dynamic discovery,” or “WS-Discovery”—which helps identify the whereabouts of machines on a network. PCs running Windows Vista software, or later versions of Microsoft’s operating system, come equipped with the technology, as do HP printers since 2008.

Many makers of closed-circuit television cameras, or CCTV cameras, use the protocol to allow them easily to establish connections on customers’ networks. Chinese manufacturers Hikvision and Dahua, and Brazil’s Intelbras, are among the makers of camera models vulnerable to exploitation, Seaman says.

When the devices, intended to remain on local area networks, become exposed to the public Internet, perhaps unintentionally through misconfigurations, that’s when problems arise. Hackers can send signals to vulnerable devices, provoking outsized responses, and then redirect the resulting data at targets, overwhelming them.

Because most makers of these security cameras have no way to update their products remotely, fixing the issue is complicated.

What’s so bad about the new attack

The new attack is troubling because it is unusually powerful and, moreover, it can tap the collective power of many exploitable devices.

In this case, one byte of inbound traffic, when routed to a vulnerable device, can generate 153 bytes of firepower directed toward a target of attackers’ choice. This “reflective” DDoS attack, so called because it reflects from a vulnerable device to another target, acts like a lever, amplifying small forces into far larger ones.

Compared to a list of other top DDoS methods published by US-CERT, a cybersecurity-focused subdivision of the U.S. Department of Homeland Security, this new method ranks fourth overall in relative strength.

“Memcached,” the most powerful DDoS method known, can amplify the strength of attacks by tens of thousands. “NTP,” the No. 2 method, can multiply the force of attacks by more than 500. One of the most popular DDoS approaches, called “LDAP,” is weaker, magnifying attacks by about 50-times.

Scanning the Internet for devices vulnerable to “LDAP” hacking using Shadowserver, a search tool provided by a nonprofit security group of the same name, reveals nearly 15,000 devices ready for abuse. For WS-Discovery, the newly discovered attack method, more than 800,000 vulnerable devices appear to be open to abuse.

The size of that arsenal, plus the strength of the attack, worries security researchers. “What we’re really seeing here is that this has the potential to hit as hard, or harder [than LDAP attacks], but with a much larger pool” of vulnerable devices, Seaman says.

“That’s the point we’re trying to make here,” Seaman adds. “There’s a new kid on the block and you need to be aware of it because, chances are, it will be used against you in the near future.”

Hardik Modi, head of threat intelligence at NetScout, a cybersecurity firm that observed an early instance of the attack earlier this year, says his team has seen roughly 1,000 attacks using the method over the past three months. The issue “appears powerful and might yet grow legs,” he says.

What can be done about it

Perhaps the best way to fix this problem—not to mention, past, present, and future “botnet” threats—would be for device manufacturers to add an auto-update capability to their products. Then, as issues arise (as they inevitably do), companies can push out patches.

That’s not likely to happen anytime soon—and even if it does, there are still too many vulnerable devices already in circulation. Something else that could help: Manufacturers designing their products correctly, restricting devices’ responses to data packets originating only from trusted sources on local networks, rather than from anywhere online.

As word of this new kind of attack spreads, security-minded groups will likely look to persuade businesses and consumers in possession of vulnerable devices to update them (for the technically minded, that means blocking communications to “port 3702”). They may also recommend applying firewalls, or removing devices from the public Internet entirely. Ultimately, if the problem gets out of hand, Internet Service Providers could be drawn in, blocking suspicious traffic.

Seaman already sees hackers developing and posting tools related to the attack online. Because of that, he says you can expect an uptick in these kinds of attacks soon.

“Once open source tools pop up, that means even not very technical users can begin to build their lists of vulnerable boxes and leverage them for attacks,” he says.