
Surveillance Cameras Sold On Amazon Found Infected With Malware (zdnet.com) 78

An anonymous reader shares a report on ZDNet: Security researcher Mike Olsen has warned that some products sold through the Amazon marketplace are harboring a dark secret -- malware. Olsen said in a blog post that while scouring Amazon for a decent set of outdoor surveillance cameras for a friend, he came across a deal for 6 PoE cameras and recording equipment. The seller, Urban Security Group, had generally good reviews and was offering a particular Sony setup on sale. After purchasing the kit, Olsen started setting up the surveillance system, logging into the administrator panel to configure it. [...] Upon investigation, Olsen found that the device was talking to a server with hostname Brenz.pl, which is linked to malware distribution. If the device's firmware links to this domain, malware can be downloaded and installed, potentially leading to unlawful surveillance and data theft. Perhaps the company which made the device didn't realize its source code was compromised. While the aforementioned incident should serve as a reminder to people on why they need to be wary of the product they are purchasing, this isolated occurrence doesn't prove in any way that "plenty" of cameras on Amazon are also infected, as the article and the original blog post are subtly trying to imply.
  • by Anonymous Coward

    Here's a list of reasons why I don't like the Internet of Things:

    1) Internet of Things devices could watch me while I sleep.

    2) Internet of Things devices could watch me while I pee.

    3) Internet of Things devices could watch me while I make kaka.

    4) Internet of Things devices could watch me while I pleasure myself.

    5) Internet of Things devices could watch me while I wash my body in the shower.

    6) Internet of Things devices could watch me while I relax in the tub.

    7) Internet of Things devices could watch me whil

  • made in china.

    And there they can slip someone say $1000 to plant code on the system (that may be running on an unlicensed Windows XP OS) that is used to load the firmware on the systems.

    • Re:made in china (Score:5, Insightful)

      by U2xhc2hkb3QgU3Vja3M ( 4212163 ) on Monday April 11, 2016 @02:21PM (#51886043)

      If the CPU, flash/etc ICs are made in China then you can't trust made-in-not-China devices either.

      • Don't be an alarmist. China doesn't fab that many flash chips and even if they did the most likely vector is at the programming stage. Embedding a vulnerable ROM in the flash or CPU would require significantly more technical sophistication. Not only would it need to be implemented at great cost, but it would also have to escape detection when someone tries to upgrade the software.

    • by LWATCDR ( 28044 )

      That is why real companies have a secure boot loader and provide signed and encrypted images.
      The trick is getting the bootloader on and then having to deal with the end users that want to hack the device and put on custom firmware.

      • and if they hack the loader at the factory that may just JTAG or some other system to do the base load that does not need a signed image to load?

        or it shows up as a USB disk and there is autorun malware that just copies to it?

        • Re:made in china (Score:4, Informative)

          by LWATCDR ( 28044 ) on Monday April 11, 2016 @02:50PM (#51886309) Homepage Journal

          On MCUs you often have fuses that you can blow to prevent JTAG. BTW that is a bear to test because you end up with at least a few bricked devices. If you are doing large numbers of devices you can often have the MCU maker provide the chips to your manufacturer with the bootloader installed and the fuses blown.
          The downside to locking the bootloader like that is that the device is no longer hackable by the end user.

          • by Anonymous Coward

            That's Mr. Fuse to you. And keep blowing!

      • At my old company we used to provide basic firmware to the CM that would just test the hardware (i.e. push each button, verify that the screen says button was pressed). The devices would be wiped and flashed with the actual firmware in house.

  • No, what do you mean "nuke them from orbit"? WTF?

    I'm saying that the only way to be sure these days is by using open-source software on single board computers, such as the Raspberry Pi. But even then, you need to trust all the ICs on the damn thing but at least there's only a few of them to test.

  • What? (Score:4, Insightful)

    by Chmarr ( 18662 ) on Monday April 11, 2016 @02:21PM (#51886039)

    An editorial comment that actually LESSENS the alarmism in the submission, rather than adding to it?

    This is... nearly unheard of on slashdot! What is happening???

    • by sinij ( 911942 )

      An editorial comment that actually LESSENS the alarmism in the submission, rather than adding to it?

      This is... nearly unheard of on slashdot! What is happening???

      Clearly, this new development is quite alarming.

  • How dare maniacs bring common sense and rational thinking into TFS! I want my old click bait slashdot back /s

    While the aforementioned incident should serve as a reminder to people on why they need to be wary of the product they are purchasing, this isolated occurrence doesn't prove in any way that "plenty" of cameras on Amazon are also infected, as the article and the original blog post are subtly trying to imply.

    The truth must be that he's a shill for the Urban Security Group. Yeah that's it, you insensitive clod. Net craft confirms it. So take your hot grits and a beowulf cluster of Natalie Portmans and let Soviet Russia shove you.

    • by OzPeter ( 195038 )

      Oops .. damn auto correct. That should be maniacs. On the other hand "maniacs" does fit just as well!

      And it's 2016 for dogs sake. Why can't I edit my posts and correct stupid typos? And yeah I DO know all the arguments for and against. And the against ones are pretty weak sauce.

      • Oops .. damn auto correct. That should be maniacs. On the other hand "maniacs" does fit just as well!

        And it's 2016 for dogs sake. Why can't I edit my posts and correct stupid typos? And yeah I DO know all the arguments for and against. And the against ones are pretty weak sauce.

        Sing it, brother. I've been asking for this for a while, but as yet my dream is unfulfilled.

      • "And it's 2016 for dogs sake. Why can't I edit my posts and correct stupid typos?"

        Like every other site in the known universe. You can even edit posts on Salon.com .

    • by Anonymous Coward

      Six cameras were bought. That is plenty.

  • I buy as much stuff off Amazon as anyone but I have learned one thing. Pay careful attention to who is actually selling the product. Amazon is full of brand-names you've never heard of (and might never again), ditto vendors. If it isn't a recognized name brand and sold by Amazon itself I don't buy it. More often lately, I am trying to be a lot less lazy and actually going to the various manufacturer or big-name vendor's web sites directly. With security camera systems there seems to be a lot of product
    • Amazon is craigslist for strip center stores and offshore knock-off dumpers. I have to be hard up to look at Amazon for anything. I have to have already looked EVERYWHERE else first. Usually just for strange parts that can't be located locally. I would never buy electronics from Amazon. There are too many reputable places to take that risk.
    • I usually filter by "Amazon Prime" which cuts out a lot of the weird third party sellers. I have noticed this does get you a certain amount of "Sold by Acme Widgets, fulfilled by Amazon".

      My assumption is that if the product is some kind of actual brand name you might find somewhere besides Amazon and the fulfillment is by Amazon, the "seller" part is some kind of electronic arbitrage and the product itself is the same thing you might get if you bought it from Amazon as the seller.

      It's like the "seller" bou

    • Wasn't such a big deal when Amazon just sold books. Do you think they put malware on my Game of Thrones Blu-Rays?! The horror!

  • by Anonymous Coward

    Just a quick google on the brenz.pl domain and I see that it's been tied to malware distribution since 2009! What the hell does it take to get that domain yanked off the Internet? Is Poland a haven for malware creators?

  • Krebs and others have been talking about these kinds of Chinese surveillance products for a while: https://news.slashdot.org/stor... [slashdot.org]

    Here's another: http://news.softpedia.com/news... [softpedia.com]

    The catch with *this* story is that it is about a product available through Amazon. That's it, in a nutshell.

  • WTF does this have to do with Sony? That isn't a "Sony setup"
  • An editor actually trying to defuse a potentially mediatic, attention grabbing, clickbaiting article and being reasonable? Just checked, it's really Slashdot... Mind, blown! (Irony aside, great work!)
  • half the crap on amazon isn't sold by amazon but by no name fly by night operations or direct from china. be wary of buying anything on the internet but then this is how name brands got started almost 100 years ago and stupid millennials are figuring it all out again
  • Funny enough, I was just looking around Amazon Canada for a cheap IP camera. There are lots of $40-$50 cameras and not a single one comes from a company I've ever heard of and they all seem to require some sort of account to view the stream. I just want one I can watch from my laptop with only local access.

    I remembered hearing about sketchy IoT devices, especially cameras, and it's just not worth the risks. Most have no reviews or 1 or 2 reviews from someone with very poor English (hmmmm).
    Even the
    • You're not alone! Your story sounds EXACTLY like what I was doing last week. I was mostly concerned with support for the camera being dropped after hearing about Google shutting off a product last week. I even doubt this WiFi thermostat I got a month ago will be supported in 5+ years time. I decided to bite the bullet and order a Raspberry Pi 3 along with the Camera module and try my hand at using one of the many online tutorials.
      • by worf_mo ( 193770 )

        I have set up a few of these (Raspberry Pi 2 Model B with the camera module), and they work quite well and reliably.

        You may want to install mjpg-streamer [github.com], which can be used to stream JPEG files over an IP-based network. That alone will already allow you to watch the camera's images as a stream over the local network. Make sure you limit access either by using mjpg-streamer's settings or by setting up a firewall/iptables.

        You can then install motionEye [github.com], which is a web-based frontend for motion. There you can

      • by KGIII ( 973947 )

        A friend of mine uses a bunch of old cell phones and a "universal" car mount to hold them in place. They work reasonably well for him. I bought my system and did my own installation but they were significantly more than $40 each. I get to view my own streams. In fact, unless the data request comes from a specific IP address, the streams can't be viewed by anyone else.

    • Not that I want to go down this road, but I had the same experience, and finally settled on this one: Sharx Security, made in New Hampshire, my adoptive state. Nice people, at least so far. They actually answered my email within an hour. They sent me a custom firmware that does not even ping 8.8.8.8 to find out if it is "properly connected." And yes, it was deployed in its own VLAN--I just didn't want clutter in the pfSense logs.
  • by Nethead ( 1563 ) <joe@nethead.com> on Monday April 11, 2016 @03:52PM (#51886777) Homepage Journal

    Why would you actually hook these up to a network that has Internet access? Of course you make a separate VLAN or network for your "security" devices and other monitoring, ^H^H^H^H^H IoT devices that can only talk to preapproved connections. That is what a firewall is for.

    • what about the server / dvr? That may need the web for updates / drm / maybe some kind of vendor run system where you don't need a fixed IP to get to from the outside?

    • by Sadsfae ( 242195 )

      Why would you actually hook these up to a network that has Internet access? Of course you make a separate VLAN or network for your "security" devices and other monitoring, ^H^H^H^H^H IoT devices that can only talk to preapproved connections. That is what a firewall is for.

      I put all my untrusted, sketchy IoT devices on their own isolated VLAN [hobo.house] via Tomato "Shibby" firmware on an ASUS router. It's fairly trivial to do and worth the effort so they at least can't attack your internal trusted networks. You can also whitelist outbound traffic for an added level of protection.
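
A way to check that an isolated IoT VLAN with an outbound whitelist is behaving as intended, as an added example that is not part of the thread or any poster's setup: it audits dnsmasq query-log lines for lookups from the camera subnet that fall outside the allowlist, and separately flags the domain named in the story. The subnet, the allowlist and the log lines are constructed assumptions, and the router is assumed to run dnsmasq with query logging enabled.

```python
import ipaddress
import re

# Assumptions (constructed, not from the thread): VLAN subnet and allowlist.
IOT_VLAN = ipaddress.ip_network("192.168.20.0/24")
ALLOWED_SUFFIXES = ("pool.ntp.org",)   # names the cameras are expected to resolve
KNOWN_BAD_SUFFIXES = ("brenz.pl",)     # domain named in the story summary

# dnsmasq query-log line: "... dnsmasq[pid]: query[TYPE] name from client-ip"
QUERY_RE = re.compile(r"dnsmasq\[\d+\]: query\[[A-Z]+\] (?P<name>\S+) from (?P<src>\S+)$")

def matches_suffix(name, suffixes):
    """True if name equals a suffix or is a subdomain of it (label-aligned)."""
    name = name.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in suffixes)

def audit(lines):
    """Return (verdict, client, name) for each suspicious query from the IoT VLAN."""
    findings = []
    for line in lines:
        m = QUERY_RE.search(line.strip())
        if not m:
            continue                    # replies, forwards, unrelated syslog lines
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue
        if src not in IOT_VLAN:
            continue                    # trusted LAN clients are out of scope here
        name = m["name"].lower().rstrip(".")
        if matches_suffix(name, KNOWN_BAD_SUFFIXES):
            findings.append(("known-bad", str(src), name))
        elif not matches_suffix(name, ALLOWED_SUFFIXES):
            findings.append(("not-allowlisted", str(src), name))
    return findings

# Constructed sample log lines.
SAMPLE_LOG = """\
Apr 11 14:20:58 router dnsmasq[812]: query[A] 0.pool.ntp.org from 192.168.20.15
Apr 11 14:21:03 router dnsmasq[812]: query[A] www.Brenz.pl from 192.168.20.15
Apr 11 14:21:04 router dnsmasq[812]: reply www.brenz.pl is NXDOMAIN
Apr 11 14:21:09 router dnsmasq[812]: query[AAAA] update.example.net from 192.168.20.16
Apr 11 14:21:11 router dnsmasq[812]: query[A] notbrenz.pl from 192.168.20.16
Apr 11 14:21:15 router dnsmasq[812]: query[A] www.brenz.pl from 192.168.1.50
""".splitlines()

if __name__ == "__main__":
    for verdict, client, name in audit(SAMPLE_LOG):
        print(f"{verdict:16} {client:15} {name}")
```

Any "not-allowlisted" hit means a device is trying to reach something the firewall policy did not anticipate, which is worth reviewing even when the packet itself was dropped.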

  • Devise a generally applicable antivirus for IoT devices.

    Undoubtedly any such software would be OS-specific, which would quickly lead to pressure to standardize the operating systems on these devices.

  • Sony: Malwares Are Okay, Because No One Knows What They Are
  • I assume that all cameras from China are spying on me, does not bother me though, they are on a specially set up VLAN and cannot get on the internet.
  • The domain is registered to CERT's Polish subsidiary...???
