Surveillance Cameras Sold On Amazon Found Infected With Malware

An anonymous reader shares a report on ZDNet: Security researcher Mike Olsen has warned that some products sold through the Amazon marketplace are harboring a dark secret -- malware. Olsen said in a blog post that while scouring Amazon for a decent set of outdoor surveillance cameras for a friend, he came across a deal for 6 PoE cameras and recording equipment. The seller, Urban Security Group, had generally good reviews and was offering a particular Sony setup on sale. After purchasing the kit, Olsen started setting up the surveillance system, logging into the administrator panel to configure it. [...] Upon investigation, Olsen found that the device was talking to a server with hostname Brenz.pl, which is linked to malware distribution. If the device's firmware links to this domain, malware can be downloaded and installed, potentially leading to unlawful surveillance and data theft.Perhaps the company which made the device didn't realize its source code was compromised. While the aforementioned incident should serve as a reminder to people on why they need to be wary of the product they are purchasing, this isolated occurrence doesn't prove in any way that "plenty" of cameras on Amazon are also infected, as the article and the original blog post are subtly trying to imply.

Reasons why I don't like the Internet of Things.

[Anonymous Coward]

Here's a list of reasons why I don't like the Internet of Things:

1) Internet of Things devices could watch me while I sleep.

2) Internet of Things devices could watch me while I pee.

3) Internet of Things devices could watch me while I make kaka.

4) Internet of Things devices could watch me while I pleasure myself.

5) Internet of Things devices could watch me while I wash my body in the shower.

6) Internet of Things devices could watch me while I relax in the tub.

7) Internet of Things devices could watch me whil

Re:Reasons why I don't like the Internet of Things

[U2xhc2hkb3QgU3Vja3M]

1) Internet of Things devices could do things I don't want them to.

FTFY.

Re:Reasons why I don't like the Internet of Things

[toonces33]

But what about the Internet of Thongs?

I guess that already exists - I bet all you need to do is search for it.

Re:

[whoever57]

Rule 34 says it exists.

Re:

[GNious]

34) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I pleasure myself.

Re:

[Plus1Entropy]

Can someone tell me where this meme came from? I obviously missed it's inception and google is failing me...

Re:

[OolimPhon]

It probably fell out the back end of a cow.

made in china

[Joe_Dragon]

made in china.

And there they can slip someone say $1000 to plant code on the system (that may be running on a unlicensed windows xp os) That is used to load the firmware on the systems.

Re:made in china

[U2xhc2hkb3QgU3Vja3M]

If the CPU, flash/etc ICs are made in China then you can't trust made-in-not-China devices either.

Re: made in china

[WarJolt]

Don't be an alarmist. China doesn't fab that many flash chips and even if they did the most likely vector is at the programming stage. Embedding a vulnerable ROM in the flash or CPU would require significantly more technical sophistication. Not only would it need to be implemented at great cost, but it would also have to escape detection when someone tries to upgrade the software.

Re:

[LWATCDR]

That is why real companies have a secure boot loader and provide signed and encrypted images.
The trick is getting the bootloader on and then having to deal with the end users that want to hack the device and put on custom firmware.

Re:

[Joe_Dragon]

and if they hack the loader at the factory that may just jtag or some other system to do the base load that does not need an signed image to load?

or it shows up as an usb disk and there is auto run Malware that just copy's to it?

Re:made in china

[LWATCDR]

On MCUs you often have fuses that you can blow to prevents jtag. BTW that is a bear to test because you end up with at least a few bricked devices. If you are doing large numbers of devices you can often have the MCU maker provide the chips to your manufacture with the bootloader installed and the fuses blown.
The downside to locking the bootloader like that is that the device is no longer hackable by the end user.

Re:

[Anonymous Coward]

That's Mr. Fuse to you. And keep blowing!

Re:

[Plus1Entropy]

At my old company we used to provide basic firmware to the CM that would just test the hardware (i.e. push each button, verify that the screen says button was pressed). The devices would be wiped and flashed with the actual firmware in house.

There's only one way to be sure

[U2xhc2hkb3QgU3Vja3M]

No, what do you mean "nuke them from orbit"? WTF?

I'm saying that the only way to be sure these days is by using open-source software on single board computers, such as the Raspberry Pi. But even then, you need to trust all the ICs on the damn thing but at least there's only a few of them to test.

Re:

[Caesar Tjalbo]

So you trust your compiler. Interesting...

Re:

[U2xhc2hkb3QgU3Vja3M]

Open-source compiler?

Re:

[by (1706743)]

But do you trust the compiler used to compile the compiler? [c2.com]

Although I don't think, say, GCC has been "Ken Thompson hack infected," the attack a) has been used before, and b) illustrates broader principles of trust. https://news.ycombinator.com/i... [ycombinator.com]

Re:

[Plus1Entropy]

It's compilers all the way down...

Re:

[TWX]

This is news for nerds because first, it took a nerd to find it (most people don't have the ability to check where a device is attempting to open ports to) and because it's more news of a pre-hacked piece of equipment that most people would trust to be secure out-of-the-box from arguably the largest retailer in the world. If this was fulfilled by Amazon then it's more evidence that Amazon needs to do more quality control when they agree to stock something. They need at least SQCs and if it's widespread en

Re:

[110010001000]

You must be kidding. Amazon sells millions of products. They aren't going to test them out for you. Plus: woooossshh

What?

[Chmarr]

An editorial comment that actually LESSENS the alarmism in the submission, rather than adding to it?

This is... nearly unheard of on slashdot! What is happening???

Re:

[sinij]

An editorial comment that actually LESSENS the alarmism in the submission, rather than adding to it?

This is... nearly unheard of on slashdot! What is happening???

Clearly, this new development is quite alarming.

Re:

[Chmarr]

It's doing me a frighten!

Re:

[Chmarr]

Yep. Sounds about right! :3

Where is my slashdot?

[OzPeter]

How dare maniacs bring common sense and rational thinking into TFS! I want my old click bait slashdot back /s

While the aforementioned incident should serve as a reminder to people on why they need to be wary of the product they are purchasing, this isolated occurrence doesn't prove in any way that "plenty" of cameras on Amazon are also infected, as the article and the original blog post are subtly trying to imply.

The truth must be that he's a shill for the Urban Security Group. Yeah that's it, you insensitive clod. Net craft confirms it. So take your hot grits and a beowulf cluster of Natalie Portmans and let Soviet Russia shove you.

Re:

[OzPeter]

Oops .. damn auto correct. That should be maniacs. On the other hand "maniacs" does fit just as well!

And its 2016 for dogs sake. Why can't I edit my posts and correct stupid typos? And yeah I DO know all the arguments for and against. And the against ones are pretty weak sauce.

Re:

[JustAnotherOldGuy]

Oops .. damn auto correct. That should be maniacs. On the other hand "maniacs" does fit just as well!

And its 2016 for dogs sake. Why can't I edit my posts and correct stupid typos? And yeah I DO know all the arguments for and against. And the against ones are pretty weak sauce.

Sing it, brother. I've been asking for this for a while, but as yet my dream is unfulfilled.

Re:

[Applehu Akbar]

"And its 2016 for dogs sake. Why can't I edit my posts and correct stupid typos?"

Like every other site in the known universe. You can even edit posts on Salon.com .

Re:

[Anonymous Coward]

Six cameras were bought. That is plenty.

Ain't Amazon Amazing...

[Marlin Schwanke]

I buy as much stuff off Amazon as anyone but I have learned one thing. Pay careful attention to who is actually selling the product. Amazon is full of brand-names you've never heard of (and might never again), ditto vendors. If it isn't a recognized name brand and sold by Amazon itself I don't buy it. More often lately, I am trying to be a lot less lazy and actually going to the various manufacturer or big-name vendor's web sites directly. With security camera systems there seems to be a lot of product

Re:

[zenlessyank]

Amazon is craigslist for strip center stores and off shore knock-off dumpers. I have to be hard up to look at Amazon for anything. I have to already looked EVERY where else first. Usually just for strange parts that can't be located locally. I would never buy electronics from Amazon. There are too many reputable places to take that risk.

Re:

[zenlessyank]

** have to have already looked ...... grrrr

Fulfilled by Amazon a sign of anything?

[swb]

I usually filter by "Amazon Prime" which cuts out a lot of the weird third party sellers. I have noticed this does get you a certain amount of "Sold by Acme Widgets, fulfilled by Amazon".

My assumption is that if the product is some kind of actual brand name you might find somewhere besides Amazon and the fulfillment is by Amazon, the "seller" part is some kind of electronic arbitrage and the product itself is the same thing you might get if you bought it from Amazon as the seller.

It's like the "seller" bou

Re:

[Plus1Entropy]

Wasn't such a big deal when Amazon just sold books. Do you think they put malware on my Game of Thrones Blu-Rays?! The horror!

surprising

[Anonymous Coward]

Just a quick google on the brenz.pl domain and I see that its been tied to malware distribution since 2009! What the hell does it take to get that domain yanked off the Internet? Is Poland a haven for malware creators?

ALL chips are made by Chinese

[ole_timer]

As in ALL.

Re:

[twotacocombo]

As in ALL.

https://en.wikipedia.org/wiki/... [wikipedia.org]

Except for those that aren't.

Re:

[ole_timer]

Note they give start dates, but not end dates. Note that I said made by Chinese, but I did not incorrectly say in China.

Not a new story, just an Amazon warning

[Freshly Exhumed]

Krebs and others have been talking about these kinds of Chinese surveillance products for awhile: https://news.slashdot.org/stor... [slashdot.org]

Here's another: http://news.softpedia.com/news... [softpedia.com]

The catch with *this* story is that it is about a product available through Amazon. That's it, in a nutshell.

Sony?

[110010001000]

WTF does this have to do with Sony? That isn't a "Sony setup"

Editors doing their job?

[carvalhao]

An editor actually trying to defuse a potentially mediatic, attention grabbing, clickbaiting article and being reasonable? Just checked, it's really Slashdot... Mind, blown! (Irony aside, great work!)

you want cheap, you get cheap

[known_coward_69]

half the crap on amazon isn't sold by amazon but by no name fly by night operations or direct from china. be wary of buying anything on the internet but then this is how name brands got started almost 100 years ago and stupid millenials are figuring it all out again

Re:

[bobbutts]

Correct. For bonus points you can create a linked in page and various other bogus crap so people who take 30 seconds to "vet" you via google search will be satisfied.

SubjectIsSubject

[p0p0]

Funny enough, I was just looking around Amazon Canada for a cheap IP camera. There are lots of $40-$50 cameras and not a single one comes from a company I've ever heard of and they all seem to require some sort of account to view the stream. I just want one I can watch from my laptop with only local access.

I remembered about hearing about sketchy IoT devices, especially cameras and it's just not worth the risks. Most have no reviews or 1 or 2 reviews from someone with very poor English (hmmmm).
Even the

Re:

[expert464]

You're not alone! Your story sounds EXACTLY what I was doing last week. I was mostly concerned with support for the camera being dropped after hearing about Google shutting off a product last week. I even doubt this WiFi thermostat I got a month ago will be supported in 5+ years time. I decided to bite the bullet and order a Raspberry Pi 3 along with the Camera module and try my hand at using one of the many online tutorials.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[p0p0]

That's a lot of good info. Thanks.

Re:

[KGIII]

A friend of mine uses a bunch of old cell phones and a "universal" car mount to hold them in place. They work reasonably well for him. I bought my system and did my own installation but they were significantly more than $40 each. I get to view my own streams. In fact, unless the data request comes from a specific IP address, the streams can't be viewed by anyone else.

Re:

[Kant_resistor]

Not that I want to go down this road, but I had the same experience, and finally settled on this one: Sharx Security, made in New Hampshire, my adoptive state. Nice people, at least so far. They actually answered my email within an hour. They sent me a custom firmware that does not even ping 8.8.8.8 to find out if it is "properly connected." And yes, it was deployed in its own VLAN--I just didn't want clutter in the pfSense logs.

Network separation?

[Nethead]

Why would you actually hook these up to a network that has Internet access? Of course you make a separate VLAN or network for your "security" devices and other monitoring, ^H^H^H^H^H IoT devices that can only talk to preapproved connections. That is what a firewall is for.

Re:

[Joe_Dragon]

what about the server / dvr? That may need the web for updates / drm / maybe some kind of vender run system where you don't need an fixed IP to get to from the outside?

Re:

[Nethead]

Then only allow those addresses.

Re:

[Sadsfae]

Why would you actually hook these up to a network that has Internet access? Of course you make a separate VLAN or network for your "security" devices and other monitoring, ^H^H^H^H^H IoT devices that can only talk to preapproved connections. That is what a firewall is for.

I put all my untrusted, sketchy IoT devices on their own isolated VLAN [hobo.house] via Tomato "Shibby" firmware on an ASUS router. It's fairly trivial to do and worth the effort so they at least can't attack your internal trusted networks. You can also whitelist outbound traffic for an added level of protection.

Re:

[Nethead]

Nice write up.

Software challenge

[Applehu Akbar]

Devise a generally applicable antivirus for IoT devices.

Undoubtedly any such software would be OS-specific, which would quickly lead to pressure to standardize the operating systems on these devices.

Classic Sony

[The_Revelation]

Sony: Malwares Are Okay, Because No One Knows What They Are

Does not worry me

[netsys]

I assume that all cameras from China a spying on me, does not bother me though they are on a specially setup vlan and cannot get on the internet.

Is this the NSA via CERT?

[Joel Emmett]

The domain is registered to CERT's Polish subsidiary...???