• Home
  • Latest
  • Fortune 500
  • Finance
  • Tech
  • Leadership
  • Lifestyle
  • Rankings
  • Multimedia

Trendingnow

1

FedEx CEO says we are in the middle of the biggest supply chain shift he’s seen in 35 years: ‘We are the referendum’

2

U.S. companies have finally gotten $71 billion in tariff refunds, but they’re using it to offset inflation caused by the Iran war

3

Buffett says AI giants are ‘playing a game they don’t want to play’ in the AI race, reveals he was behind Berkshire’s $31 billion bet on Google

1

FedEx CEO says we are in the middle of the biggest supply chain shift he’s seen in 35 years: ‘We are the referendum’

2

U.S. companies have finally gotten $71 billion in tariff refunds, but they’re using it to offset inflation caused by the Iran war

3

Buffett says AI giants are ‘playing a game they don’t want to play’ in the AI race, reveals he was behind Berkshire’s $31 billion bet on Google
TechCybersecurity

‘Security’ Cameras Are Dry Powder for Hackers. Here’s Why

Robert Hackett
By
Robert Hackett
Robert Hackett
Down Arrow Button Icon
Robert Hackett
By
Robert Hackett
Robert Hackett
Down Arrow Button Icon
September 19, 2019, 7:19 PM ET
Add Fortune on Google for similar content.

Researchers have long bemoaned the insecurity of certain “security” cameras. Ostensibly installed to deter and thwart intruders, many actually can be transformed into an arsenal that hackers use for Web warfare.

The latest cause for concern: A vulnerability that enables hackers to summon a firehose of network traffic from hundreds of thousands of such devices for “distributed denial of service” attacks, also known as “DDoS” attacks, that aim to knock targets offline—sometimes just for kicks and giggles, other times until a victim pays ransom. In a report published Wednesday, security researchers at “cloud” network firm Akamai called attention to the recently identified flavor of attack, warning that instances of it are likely to worsen, in coming weeks, in terms of severity and frequency.

“It’s just so easy to abuse,” says Chad Seaman, an Akamai engineer who worked on the report. “We know there’s an active marketplace for it where people are selling these [DDoS] services via stressors and booters,” industry jargon for hacking-for-hire, he says.

The new attack uses a novel method to achieve old aims. Previous victims of DDoS attacks include Github, the code collaboration site, which got hit with the largest ever recorded one last year. In 2016, an attack targeting Dyn, an Internet infrastructure firm, since absorbed by Oracle, suffered a DDoS strike, leading to widespread Internet outages.

How it works

This is a new type of digital cudgel. Observed since May, the attack involves misuse of a device-pinpointing protocol—called “web services dynamic discovery,” or “WS-Discovery”—which helps identify the whereabouts of machines on a network. PCs running Windows Vista software, or later versions of Microsoft’s operating system, come equipped with the technology, as do HP printers since 2008.

Many makers of closed-circuit television cameras, or CCTV cameras, use the protocol to allow them easily to establish connections on customers’ networks. Chinese manufacturers Hikvision and Dahua, and Brazil’s Intelbras, are among the makers of camera models vulnerable to exploitation, Seaman says.

When the devices, intended to remain on local area networks, become exposed to the public Internet, perhaps unintentionally through misconfigurations, that’s when problems arise. Hackers can send signals to vulnerable devices, provoking outsized responses, and then redirect the resulting data at targets, overwhelming them.

Because most makers of these security cameras have no way to update their products remotely, fixing the issue is complicated.

What’s so bad about the new attack

The new attack is troubling because it is unusually powerful and, moreover, it can tap the collective power of many exploitable devices.

In this case, one byte of inbound traffic, when routed to a vulnerable device, can generate 153 bytes of firepower directed toward a target of attackers’ choice. This “reflective” DDoS attack, so called because it reflects from a vulnerable device to another target, acts like a lever, amplifying small forces into far larger ones.

Compared to a list of other top DDoS methods published by US-CERT, a cybersecurity-focused subdivision of the U.S. Department of Homeland Security, this new method ranks fourth overall in relative strength.

“Memcached,” the most powerful DDoS method known, can amplify the strength of attacks by tens of thousands. “NTP,” the No. 2 method, can multiply the force of attacks by more than 500. One of the most popular DDoS approaches, called “LDAP,” is weaker, magnifying attacks by about 50-times.

Scanning the Internet for devices vulnerable to “LDAP” hacking using Shadowserver, a search tool provided by a nonprofit security group of the same name, reveals nearly 15,000 devices ready for abuse. For WS-Discovery, the newly discovered attack method, more than 800,000 vulnerable devices appear to be open to abuse.

The size of that arsenal, plus the strength of the attack, worries security researchers. “What we’re really seeing here is that this has the potential to hit as hard, or harder [than LDAP attacks], but with a much larger pool” of vulnerable devices, Seaman says.

“That’s the point we’re trying to make here,” Seaman adds. “There’s a new kid on the block and you need to be aware of it because, chances are, it will be used against you in the near future.”

Hardik Modi, head of threat intelligence at NetScout, a cybersecurity firm that observed an early instance of the attack earlier this year, says his team has seen roughly 1,000 attacks using the method over the past three months. The issue “appears powerful and might yet grow legs,” he says.

What can be done about it

Perhaps the best way to fix this problem—not to mention, past, present, and future “botnet” threats—would be for device manufacturers to add an auto-update capability to their products. Then, as issues arise (as they inevitably do), companies can push out patches.

That’s not likely to happen anytime soon—and even if it does, there are still too many vulnerable devices already in circulation. Something else that could help: Manufacturers designing their products correctly, restricting devices’ responses to data packets originating only from trusted sources on local networks, rather than from anywhere online.

As word of this new kind of attack spreads, security-minded groups will likely look to persuade businesses and consumers in possession of vulnerable devices to update them (for the technically minded, that means blocking communications to “port 3702”). They may also recommend applying firewalls, or removing devices from the public Internet entirely. Ultimately, if the problem gets out of hand, Internet Service Providers could be drawn in, blocking suspicious traffic.

Seaman already sees hackers developing and posting tools related to the attack online. Because of that, he says you can expect an uptick in these kinds of attacks soon.

“Once open source tools pop up, that means even not very technical users can begin to build their lists of vulnerable boxes and leverage them for attacks,” he says.

More must-read stories from Fortune:

—Netflix killer? Here’s what analysts say about Apple TV+
—WeWork’s latest idea to save its troubled IPO? Major governance changes
—‘Skype mafia’ backs A.I. startup automating contract negotiations
—Jingles all the way: Sonic branding is helping voice computing companies get heard
—In breakthrough, company uses quantum physics to protect data over telecom networks
Catch up with Data Sheet, Fortune’s daily digest on the business of tech.

About the Author
Robert Hackett
By Robert Hackett
Instagram iconLinkedIn iconTwitter icon
See full bioRight Arrow Button Icon
Add Fortune on Google for similar content.

Latest in Tech

Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025

Most Popular

Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Fortune Secondary Logo
Rankings
  • 100 Best Companies
  • Fortune 500
  • Global 500
  • Fortune 500 Europe
  • Most Powerful Women
  • World's Most Admired Companies
  • See All Rankings
  • Lists Calendar
Sections
  • Finance
  • Fortune Crypto
  • Features
  • Leadership
  • Health
  • Commentary
  • Success
  • Retail
  • Mpw
  • Tech
  • Lifestyle
  • CEO Initiative
  • Asia
  • Politics
  • Conferences
  • Europe
  • Newsletters
  • Personal Finance
  • Environment
  • Magazine
  • Education
Customer Support
  • Frequently Asked Questions
  • Customer Service Portal
  • Privacy Policy
  • Terms Of Use
  • Single Issues For Purchase
  • International Print
Commercial Services
  • Advertising
  • Fortune Brand Studio
  • Fortune Analytics
  • Fortune Conferences
  • Business Development
  • Group Subscriptions
About Us
  • About Us
  • Press Center
  • Work At Fortune
  • Terms And Conditions
  • Site Map
  • About Us
  • Press Center
  • Work At Fortune
  • Terms And Conditions
  • Site Map
  • Facebook icon
  • Twitter icon
  • LinkedIn icon
  • Instagram icon
  • Pinterest icon

Latest in Tech

The AI boom is increasingly built on debt, but investor demand is plunging just as hyperscalers ramp up their bond blitz
AIBonds
The AI boom is increasingly built on debt, but investor demand is plunging just as hyperscalers ramp up their bond blitz
By Jason MaJuly 17, 2026
2 hours ago
xi
AIChina
Xi offers AI olive branch to the world, calling for ‘symphony of global cooperation’
By Han Guan Ng, Chan Ho-Him and The Associated PressJuly 17, 2026
2 hours ago
Alex Karp gestures
SuccessWealth
With a $15 billion net worth, Palantir CEO Alex Karp predicts he will get 20x richer from AI—but that middle-class workers will get just modest raises
By Preston ForeJuly 17, 2026
3 hours ago
The Netflix logo is displayed on a smartphone screen featuring a color gradient in the background.
Big TechCFO Daily
Netflix stock hits a 52-week low after earnings—but analysts say investors are missing the bigger picture
By Sheryl EstradaJuly 17, 2026
5 hours ago
Esther Perel speaks on stage during a panel discussion at SXSW in London.
Workplace Culturecorporate culture
Esther Perel has a warning for executives: your workforce is suffering from social atrophy and AI is making it worse 
By Sam BirchallJuly 17, 2026
5 hours ago
shelton
Commentarydisruption
Former Obama official on AI anxiety and the depression nobody remembers — and the training model that gives him hope
By Jim SheltonJuly 17, 2026
5 hours ago

Most Popular

FedEx CEO says we are in the middle of the biggest supply chain shift he’s seen in 35 years: ‘We are the referendum’
C-Suite
FedEx CEO says we are in the middle of the biggest supply chain shift he’s seen in 35 years: ‘We are the referendum’
By Fortune EditorsJuly 15, 2026
2 days ago
U.S. companies have finally gotten $71 billion in tariff refunds, but they’re using it to offset inflation caused by the Iran war
Economy
U.S. companies have finally gotten $71 billion in tariff refunds, but they’re using it to offset inflation caused by the Iran war
By Sasha RogelbergJuly 17, 2026
11 hours ago
Buffett says AI giants are ‘playing a game they don’t want to play’ in the AI race, reveals he was behind Berkshire’s $31 billion bet on Google
Big Tech
Buffett says AI giants are ‘playing a game they don’t want to play’ in the AI race, reveals he was behind Berkshire’s $31 billion bet on Google
By Mia OsmonbekovJuly 16, 2026
23 hours ago
26 Meta employees accuse Mark Zuckerberg of using AI to target 8,000 layoffs against workers on medical, parental or family leave
Law
26 Meta employees accuse Mark Zuckerberg of using AI to target 8,000 layoffs against workers on medical, parental or family leave
By Barbara Ortutay, Alexandra Olson and The Associated PressJuly 15, 2026
2 days ago
JPMorgan CEO Jamie Dimon says 300,000 workers are needed to rebuild American shipbuilding—with jobs paying $100,000 without a college degree
Success
JPMorgan CEO Jamie Dimon says 300,000 workers are needed to rebuild American shipbuilding—with jobs paying $100,000 without a college degree
By Preston ForeJuly 16, 2026
1 day ago
Trump's 'American Flag Blue' in the Lincoln Memorial pool is already gray — and the Olympic canoer 'vandal' is fighting his arrest
Politics
Trump's 'American Flag Blue' in the Lincoln Memorial pool is already gray — and the Olympic canoer 'vandal' is fighting his arrest
By Matthew Daly and The Associated PressJuly 16, 2026
1 day ago

© 2026 Fortune Media IP Limited. All Rights Reserved. Use of this site constitutes acceptance of our Terms of Use and Privacy Policy | CA Notice at Collection and Privacy Notice | Do Not Sell/Share My Personal Information
FORTUNE is a trademark of Fortune Media IP Limited, registered in the U.S. and other countries. FORTUNE may receive compensation for some links to products and services on this website. Offers may be subject to change without notice.