Surveillance Cameras Sold On Amazon Found Infected With Malware (zdnet.com)
An anonymous reader shares a report on ZDNet: Security researcher Mike Olsen has warned that some products sold through the Amazon marketplace are harboring a dark secret -- malware. Olsen said in a blog post that while scouring Amazon for a decent set of outdoor surveillance cameras for a friend, he came across a deal for 6 PoE cameras and recording equipment. The seller, Urban Security Group, had generally good reviews and was offering a particular Sony setup on sale. After purchasing the kit, Olsen started setting up the surveillance system, logging into the administrator panel to configure it. [...] Upon investigation, Olsen found that the device was talking to a server with hostname Brenz.pl, which is linked to malware distribution. If the device's firmware links to this domain, malware can be downloaded and installed, potentially leading to unlawful surveillance and data theft. Perhaps the company which made the device didn't realize its source code was compromised. While the aforementioned incident should serve as a reminder to people on why they need to be wary of the product they are purchasing, this isolated occurrence doesn't prove in any way that "plenty" of cameras on Amazon are also infected, as the article and the original blog post are subtly trying to imply.
Reasons why I don't like the Internet of Things. (Score:2, Funny)
Here's a list of reasons why I don't like the Internet of Things:
1) Internet of Things devices could watch me while I sleep.
2) Internet of Things devices could watch me while I pee.
3) Internet of Things devices could watch me while I make kaka.
4) Internet of Things devices could watch me while I pleasure myself.
5) Internet of Things devices could watch me while I wash my body in the shower.
6) Internet of Things devices could watch me while I relax in the tub.
7) Internet of Things devices could watch me whil
Re:Reasons why I don't like the Internet of Things (Score:5, Funny)
1) Internet of Things devices could do things I don't want them to.
FTFY.
Re:Reasons why I don't like the Internet of Things (Score:4, Funny)
But what about the Internet of Thongs?
I guess that already exists - I bet all you need to do is search for it.
Re: (Score:2)
34) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I pleasure myself.
Re: (Score:2)
Can someone tell me where this meme came from? I obviously missed its inception and Google is failing me...
Re: (Score:2)
It probably fell out the back end of a cow.
made in china (Score:2)
made in china.
And there they can slip someone say $1000 to plant code on the system (that may be running on an unlicensed Windows XP OS) that is used to load the firmware on the systems.
Re:made in china (Score:5, Insightful)
If the CPU, flash/etc ICs are made in China then you can't trust made-in-not-China devices either.
Re: made in china (Score:2)
Don't be an alarmist. China doesn't fab that many flash chips and even if they did the most likely vector is at the programming stage. Embedding a vulnerable ROM in the flash or CPU would require significantly more technical sophistication. Not only would it need to be implemented at great cost, but it would also have to escape detection when someone tries to upgrade the software.
Re: (Score:2)
That is why real companies have a secure boot loader and provide signed and encrypted images.
The trick is getting the bootloader on and then having to deal with the end users that want to hack the device and put on custom firmware.
Re: (Score:2)
And if they hack the loader at the factory that may just JTAG or some other system to do the base load that does not need a signed image to load?
Or it shows up as a USB disk and there is autorun malware that just copies to it?
Re:made in china (Score:4, Informative)
On MCUs you often have fuses that you can blow to prevent JTAG. BTW that is a bear to test because you end up with at least a few bricked devices. If you are doing large numbers of devices you can often have the MCU maker provide the chips to your manufacturer with the bootloader installed and the fuses blown.
The downside to locking the bootloader like that is that the device is no longer hackable by the end user.
Re: (Score:1)
That's Mr. Fuse to you. And keep blowing!
Re: (Score:2)
At my old company we used to provide basic firmware to the CM that would just test the hardware (i.e. push each button, verify that the screen says button was pressed). The devices would be wiped and flashed with the actual firmware in house.
There's only one way to be sure (Score:2)
No, what do you mean "nuke them from orbit"? WTF?
I'm saying that the only way to be sure these days is by using open-source software on single board computers, such as the Raspberry Pi. But even then, you need to trust all the ICs on the damn thing but at least there's only a few of them to test.
Re: (Score:2)
Open-source compiler?
Re: (Score:3)
Although I don't think, say, GCC has been "Ken Thompson hack infected," the attack a) has been used before, and b) illustrates broader principles of trust. https://news.ycombinator.com/i... [ycombinator.com]
Re: (Score:2)
It's compilers all the way down...
What? (Score:4, Insightful)
An editorial comment that actually LESSENS the alarmism in the submission, rather than adding to it?
This is... nearly unheard of on slashdot! What is happening???
Re: (Score:2)
An editorial comment that actually LESSENS the alarmism in the submission, rather than adding to it?
This is... nearly unheard of on slashdot! What is happening???
Clearly, this new development is quite alarming.
Re: (Score:2)
It's doing me a frighten!
Re: (Score:2)
Yep. Sounds about right! :3
Where is my slashdot? (Score:2)
How dare maniacs bring common sense and rational thinking into TFS! I want my old click bait slashdot back /s
While the aforementioned incident should serve as a reminder to people on why they need to be wary of the product they are purchasing, this isolated occurrence doesn't prove in any way that "plenty" of cameras on Amazon are also infected, as the article and the original blog post are subtly trying to imply.
The truth must be that he's a shill for the Urban Security Group. Yeah that's it, you insensitive clod. Net craft confirms it. So take your hot grits and a beowulf cluster of Natalie Portmans and let Soviet Russia shove you.
Re: (Score:2)
Oops .. damn auto correct. That should be maniacs. On the other hand "maniacs" does fit just as well!
And it's 2016 for dogs sake. Why can't I edit my posts and correct stupid typos? And yeah I DO know all the arguments for and against. And the against ones are pretty weak sauce.
Re: (Score:2)
Oops .. damn auto correct. That should be maniacs. On the other hand "maniacs" does fit just as well!
And it's 2016 for dogs sake. Why can't I edit my posts and correct stupid typos? And yeah I DO know all the arguments for and against. And the against ones are pretty weak sauce.
Sing it, brother. I've been asking for this for a while, but as yet my dream is unfulfilled.
Re: (Score:2)
"And it's 2016 for dogs sake. Why can't I edit my posts and correct stupid typos?"
Like every other site in the known universe. You can even edit posts on Salon.com.
Re: (Score:1)
Six cameras were bought. That is plenty.
Ain't Amazon Amazing... (Score:2)
Fulfilled by Amazon a sign of anything? (Score:2)
I usually filter by "Amazon Prime" which cuts out a lot of the weird third party sellers. I have noticed this does get you a certain amount of "Sold by Acme Widgets, fulfilled by Amazon".
My assumption is that if the product is some kind of actual brand name you might find somewhere besides Amazon and the fulfillment is by Amazon, the "seller" part is some kind of electronic arbitrage and the product itself is the same thing you might get if you bought it from Amazon as the seller.
It's like the "seller" bou
Re: (Score:2)
Wasn't such a big deal when Amazon just sold books. Do you think they put malware on my Game of Thrones Blu-Rays?! The horror!
surprising (Score:1)
Just a quick Google on the brenz.pl domain and I see that it's been tied to malware distribution since 2009! What the hell does it take to get that domain yanked off the Internet? Is Poland a haven for malware creators?
ALL chips are made by Chinese (Score:1)
Re: (Score:2)
As in ALL.
https://en.wikipedia.org/wiki/... [wikipedia.org]
Except for those that aren't.
Not a new story, just an Amazon warning (Score:3)
Krebs and others have been talking about these kinds of Chinese surveillance products for a while: https://news.slashdot.org/stor... [slashdot.org]
Here's another: http://news.softpedia.com/news... [softpedia.com]
The catch with *this* story is that it is about a product available through Amazon. That's it, in a nutshell.
Sony? (Score:2)
Editors doing their job? (Score:2)
you want cheap, you get cheap (Score:2)
SubjectIsSubject (Score:2)
I remembered hearing about sketchy IoT devices, especially cameras, and it's just not worth the risks. Most have no reviews or 1 or 2 reviews from someone with very poor English (hmmmm).
Even the
Re: (Score:2)
A friend of mine uses a bunch of old cell phones and a "universal" car mount to hold them in place. They work reasonably well for him. I bought my system and did my own installation but they were significantly more than $40 each. I get to view my own streams. In fact, unless the data request comes from a specific IP address, the streams can't be viewed by anyone else.
Network separation? (Score:5, Insightful)
Why would you actually hook these up to a network that has Internet access? Of course you make a separate VLAN or network for your "security" devices and other monitoring, ^H^H^H^H^H IoT devices that can only talk to preapproved connections. That is what a firewall is for.
Re: (Score:2)
What about the server / DVR? That may need the web for updates / DRM / maybe some kind of vendor run system where you don't need a fixed IP to get to from the outside?
Re: (Score:2)
Then only allow those addresses.
Re: (Score:3)
Why would you actually hook these up to a network that has Internet access? Of course you make a separate VLAN or network for your "security" devices and other monitoring, ^H^H^H^H^H IoT devices that can only talk to preapproved connections. That is what a firewall is for.
I put all my untrusted, sketchy IoT devices on their own isolated VLAN [hobo.house] via Tomato "Shibby" firmware on an ASUS router. It's fairly trivial to do and worth the effort so they at least can't attack your internal trusted networks. You can also whitelist outbound traffic for an added level of protection.
Re: (Score:2)
Nice write up.
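The "Network separation" subthread above recommends an isolated VLAN with allowlisted outbound traffic; the following is an added example (not code from any commenter or from the linked write-up) that audits DNS queries from such a VLAN and flags lookups like the Brenz.pl one described in the summary. It assumes the router's resolver logs queries in dnsmasq's `query[TYPE] name from ip` format; the subnet, allowlist and log lines are constructed for illustration.

```python
import ipaddress
import re

# Constructed for this example (not from the thread): the camera VLAN subnet,
# the allowlisted names, and every log line below.
IOT_VLAN = ipaddress.ip_network("192.168.20.0/24")
ALLOWED = {"pool.ntp.org", "updates.dvr-vendor.example"}
KNOWN_BAD = {"brenz.pl"}  # hostname named in the article summary

# dnsmasq writes "query[TYPE] name from client-ip" when log-queries is enabled.
QUERY_RE = re.compile(r"query\[\w+\]\s+(?P<name>\S+)\s+from\s+(?P<src>\S+)")

SAMPLE_LOG = """\
Apr 10 03:12:01 dnsmasq[412]: query[A] 0.pool.ntp.org from 192.168.20.11
Apr 10 03:12:07 dnsmasq[412]: query[A] www.Brenz.pl from 192.168.20.11
Apr 10 03:12:09 dnsmasq[412]: query[A] pool.ntp.org.evil.example from 192.168.20.12
Apr 10 03:13:30 dnsmasq[412]: query[AAAA] updates.dvr-vendor.example from 192.168.20.2
Apr 10 03:14:02 dnsmasq[412]: query[A] brenz.pl from 192.168.1.50
Apr 10 03:14:05 dnsmasq[412]: reply 0.pool.ntp.org is 203.0.113.5
"""

def in_zone(name, zones):
    """True if name equals a zone or is a subdomain of it (label-aligned)."""
    return any(name == z or name.endswith("." + z) for z in zones)

def audit(log_text):
    """Return (client, name, verdict) for each suspicious query from the IoT VLAN."""
    findings = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # replies, forwards, DHCP chatter
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # malformed client field
        if src not in IOT_VLAN:
            continue  # only the camera VLAN is being audited
        name = m["name"].rstrip(".").lower()
        if in_zone(name, KNOWN_BAD):
            findings.append((str(src), name, "known-bad"))
        elif not in_zone(name, ALLOWED):
            findings.append((str(src), name, "not-allowlisted"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding)
```

The suffix check is label-aligned, so a lookalike such as `pool.ntp.org.evil.example` does not pass as an allowlisted NTP name.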
Software challenge (Score:2)
Devise a generally applicable antivirus for IoT devices.
Undoubtedly any such software would be OS-specific, which would quickly lead to pressure to standardize the operating systems on these devices.
Classic Sony (Score:1)
Does not worry me (Score:1)
Is this the NSA via CERT? (Score:1)