New IoT Malware Targets 100,000 IP Cameras Via Known Flaw

Researcher Pierre Kim has found a new malware, called Persirai, that has been infecting over 100,000 Chinese-made, internet-connected cameras. According to Trend Micro, the malware has been active since last month and works by exploiting flaws in the cameras that Kim reported back in March. CSO Online reports: At least 1,250 camera models produced by a Chinese manufacturer possess the bugs, the researcher went on to claim. Over a month later in April, Trend Micro noticed a new malware that spreads by exploiting the same products via the recently disclosed flaws. The security firm estimates that about 120,000 cameras are vulnerable to the malware, based on Shodan, a search engine for internet-connected hardware. The Persirai malware is infecting the cameras to form a botnet, or an army of enslaved computers. These botnets can launch DDoS attacks, which can overwhelm websites with internet traffic, forcing them offline. Once Persirai infects, it'll also block anyone else from exploiting the same vulnerabilities on the device. Security firm Qihoo 360 has also noticed the malware and estimated finding 43,621 devices in China infected with it. Interestingly, Persirai borrows some computer code from a notorious malware known as Mirai, which has also been infecting IoT devices, such as DVRs, internet routers, and CCTV cameras, but by guessing the passwords protecting them.

Re:Do NOT allow IP cameras to be accessed from ine

[Alain Williams]

you know that, I know that. However the people who buy these things do not know that and do not read reports of security issues; they probably would not even know if one of their IoT devices were used in a DDOS or something. The Chinese manufacturer loses interest once he has sold it to a distributor; the distributor and retailer just want to buy something as cheaply as possible to maximise profits.

The only way of getting this under control is to make the retailer responsible for any problems. They will rapidly realise that this will cost them a lot and so seek better (more secure) devices. I cannot see this happening for a long time.

Re: Do NOT allow IP cameras to be accessed from in

[majorcrash]

That's a lofty approach. A lot of merit for sure but unattainable none the less.

Re:Do NOT allow IP cameras to be accessed from ine

[bill_mcgonigle]

simple as that. Access cams from a local server, and access that server from the internet. ALL IP cameras are shit for security, just like Trump is shit.

No, it's not that simple - if your lightbulb is on the same LAN as the camera it can pass on an infection.

Now then, it's a _problem_ that IoT devices seem to now require MAC-level isolation. I already have my [wired] Chinese camera on its own VLAN with ingress and egress firewall rules, but my WiFi devices are behind Ubiquiti gear which is nice but only allows for four SSID's.

AP Isolation would help, but then things like Chromecast will all break (and maybe some lightbulb meshes?).

AFAICT, the threats are now ahead of the defenses and that's a real problem we don't have a solution for.

Re:

[geekmux]

...AFAICT, the threats are now ahead of the defenses and that's a real problem we don't have a solution for.

Common F. Sense has a solution; don't fucking use insecure shit you don't need.

I know this may come as a shock to gadget-addicted Millennials, but humans used to use these things called light switches to control a light bulb. They're pretty damn secure. Yes, I know this requires people to move more than a smartphone finger (and thus qualifies as hard labor for the do-it-for-me generation), but your doctor does recommend physical movement from time to time in order to maintain good health.

Known Flaw

[Mr D from 63]

The problem with this flaw is that it is a known flaw. If we keep all flaws unknown the Chinese won't use them.

Re:

[onceuponatime]

A lot of these cameras enable upnp by default. If you are in Belgium and have a bbox2 router as the interface to the world then this router has upnp enabled by default and you cannot turn it off on the router. So if you connect a upnp enabled camera to your internal internet thinking "i'll deal with port forwarding or not later", then you may be surprised to find that you may just as well have connected it directly outside your firewall as all the ports will be forwarded by default.

Re:

[thegreatbob]

At the very least, their scheme appears to protect the data fairly well. One can infer some level of truth to this statement from the absence of available information on what is actually being sent. Don't confuse this with Microsoft's previously released explanation of things that *may* be sent.

No way

[AndyKron]

Keep that shit out of my house. I don't want it. My X10 works fine. Usually.

The top secret list of affected cameras is

[DRJlaw]

Since nobody is naming the affected cameras, and the researcher inexplicably folded and removed his list on March 16, 2017, here's is a list courtesy of the internet archive [archive.org]. The list is also included here so that robots.txt cannot be used to eliminate it from view.

3G+IPCam Other,3SVISION Other,3com CASA,3com Other,3xLogic Other,3xLogic Radio,4UCAM Other,4XEM Other,555 Other,7Links 3677,7Links 3677-675,7Links 3720-675,7Links 3720-919,7Links IP-Cam-in,7Links IP-Wi-Fi,7Links IPC-760HD,7Links IPC-770HD,7Links Incam,7Links Other,7Links PX-3615-675,7Links PX-3671-675,7Links PX-3720-675,7Links PX3309,7Links PX3615,7Links ipc-720,7Links px-3675,7Links px-3719-675,7Links px-3720-675,A4Tech Other,ABS Other,ADT RC8021W,AGUILERA AQUILERA,AJT AJT-019129-BBCEF,ALinking ALC,ALinking Other,ALinking dax,AMC Other,ANRAN ip180,APKLINK Other,AQUILA AV-IPE03,AQUILA AV-IPE04,AVACOM 5060,AVACOM 5980,AVACOM H5060W,AVACOM NEW,AVACOM Other,AVACOM h5060w,AVACOM h5080w,Acromedia IN-010,Acromedia Other,Advance Other,Advanced+home lc-1140,Aeoss J6358,Aetos 400w,Agasio A500W,Agasio A502W,Agasio A512,Agasio A533W,Agasio A602W,Agasio A603W,Agasio Other,AirLink Other,Airmobi HSC321,Airsight Other,Airsight X10,Airsight X34A,Airsight X36A,Airsight XC39A,Airsight XX34A,Airsight XX36A,Airsight XX40A,Airsight XX60A,Airsight x10,Airsight x10Airsight,Airsight xc36a,Airsight xc49a,Airsight xx39A,Airsight xx40a,Airsight xx49a,Airsight xx51A,Airsight xx51a,Airsight xx52a,Airsight xx59a,Airsight xx60a,Akai AK7400,Akai SP-T03WP,Alecto 150,Alecto Atheros,Alecto DVC-125IP,Alecto DVC-150-IP,Alecto DVC-1601,Alecto DVC-215IP,Alecto DVC-255-IP,Alecto dv150,Alecto dvc-150ip,Alfa 0002HD,Alfa Other,Allnet 2213,Allnet ALL2212,Allnet ALL2213,Amovision Other,Android+IP+cam IPwebcam,Anjiel ip-sd-sh13d,Apexis AH9063CW,Apexis APM-H803-WS,Apexis APM-H804-WS,Apexis APM-J011,Apexis APM-J011-Richard,Apexis APM-J011-WS,Apexis APM-J012,Apexis APM-J012-WS,Apexis APM-J0233,Apexis APM-J8015-WS,Apexis GENERIC,Apexis H,Apexis HD,Apexis J,Apexis Other,Apexis PIPCAM8,Apexis Pyle,Apexis XF-IP49,Apexis apexis,Apexis apm-,Apexis dealextreme,Aquila+Vizion Other,Area51 Other,ArmorView Other,Asagio A622W,Asagio Other,Asgari 720U,Asgari Other,Asgari PTG2,Asgari UIR-G2,Atheros ar9285,AvantGarde SUMPPLE,Axis 1054,Axis 241S,B-Qtech Other,B-Series B-1,BRAUN HD-560,BRAUN HD505,Beaulieu Other,Bionics Other,Bionics ROBOCAM,Bionics Robocam,Bionics T6892WP,Bionics t6892wp,Black+Label B2601,Bravolink Other,Breno Other,CDR+king APM-J011-WS,CDR+king Other,CDR+king SEC-015-C,CDR+king SEC-016-NE,CDR+king SEC-028-NE,CDR+king SEC-029-NE,CDR+king SEC-039-NE,CDR+king sec-016-ne,CDXX Other,CDXXcamera Any,CP+PLUS CP-EPK-HC10L1,CPTCAM Other,Camscam JWEV-372869-BCBAB,Casa Other,Cengiz Other,Chinavasion Gunnie,Chinavasion H30,Chinavasion IP611W,Chinavasion Other,Chinavasion ip609aw,Chinavasion ip611w,Cloud MV1,Cloud Other,CnM IP103,CnM Other,CnM sec-ip-cam,Compro NC150/420/500,Comtac CS2,Comtac CS9267,Conceptronic CIPCAM720PTIWL,Conceptronic cipcamptiwl,Cybernova Other,Cybernova WIP604,Cybernova WIP604MW,D-Link DCS-910,D-Link DCS-930L,D-Link L-series,D-Link Other,DB+Power 003arfu,DB+Power DBPOWER,DB+Power ERIK,DB+Power HC-WV06,DB+Power HD011P,DB+Power HD012P,DB+Power HD015P,DB+Power L-615W,DB+Power LA040,DB+Power Other,DB+Power Other2,DB+Power VA-033K,DB+Power VA0038K,DB+Power VA003K+,DB+Power VA0044_M,DB+Power VA033K,DB+Power VA033K+,DB+Power VA035K,DB+Power VA036K,DB+Power VA038,DB+Power VA038k,DB+Power VA039K,DB+Power VA039K-Test,DB+Power VA040,DB+Power VA390k,DB+Power b,DB+Power b-series,DB+Power extcams,DB+Power eye,DB+Power kiskFirstCam,DB+Power va033k,DB+Power va039k,DB+Power wifi,DBB IP607W,DEVICECLIENTQ CNB,DKSEG Other,DNT CamDoo,DVR DVR,DVS-IP-CAM Other,DVS-IP-CAM Outdoor/IR,Dagro DAGRO-003368-JLWYX,Dagro Other,Dericam H216W,Dericam H502W,Dericam M01W,Dericam M2/6/8,Dericam M502W,Dericam M601W,Dericam M801W,Dericam Other,Digix Other,Digoo BB-M2,Digoo MM==BB-M2,Digoo bb-m2,Dinon

Re:

[Anonymous Coward]

Since nobody is naming the affected cameras, and the researcher inexplicably folded and removed his list on March 16, 2017, here's is a list courtesy of the internet archive [archive.org].

It was trivial to find out that the manufacturer threatening with legal action was Foscam.

From their About us page:
Mission
To make life more secure for people all around the world by providing security products with higher quality and more competitive price.

Captcha: impeach

Re:

[MrLogic17]

That's a reassuringly small list.

Re:

[__aaclcg7560]

555

OMG! The Chinese compromised the venerable 555 [wikipedia.org] chip. I got two dozen spying away in my parts box. I'll have to drown them in flux paste when I get home.

Re:

[__aaclcg7560]

Come on Creimer, nuke it from orbit, it's the only way to be sure.

I would like to keep my home office intact.

Re:

[110010001000]

My God. I didn't know there were so many IP camera models. And they all have such terrible names. "Coolead"? "vstarcam"?

Re:

[Anonymous Coward]

If you looked them all up (disclaimer, I didn't bother) you'll find about 5 unique designs. Many of them will be the exact same item from the same factory with a different brand printed on them, others will be clones made in other factories.

Re:

[OffaMyLawn]

That is an awesome list. It's also a great way to get a headache if you're not expecting it. Dear lord, that's a lot of text all at once.

Re:

[geekmux]

Since nobody is naming the affected cameras, and the researcher inexplicably folded and removed his list on March 16, 2017, here's is a list...

You know, perhaps it would have been easier to make a list of the devices not affected next time. Just sayin'...

Re:

[kaizendojo]

Bless you, Sir!

Re:

[K. S. Kyosuke]

APKLINK Other [slashdot.org] Apparently not!

Re:

[__aaclcg7560]

I've decided o stop being a dickhead, honest -creimer

FTFY - :P

Early Adopters

[zifn4b]

Thanks for finding those critical defects! No good deed goes unpunished.

Two words:

[davidwr]

Product recall.

Re:

[Gravis Zero]

I think product recalls require a safety component. You could argue this qualifies but I have two better words: brick them.

Rule #1 with Chinese gear: Firewall

[LS1 Brains]

I don't have many (couple IP cams, outlets, etc.) but I put them all on a separate VLAN with no access to the outside world. I allow ridiculously restricted access to the inside host(s), although I haven't had any instances of them trying anything funny there - yet. But, EVERY Chinese IoT widget I've bought immediately attempts to phone home. EVERY Chinese IoT widget I've bought will also continue the attempts after the related (e.g. "cloud") features are turned off. Kinda like Windows 10.

Perhaps open source replacement firmware is key

[Lady Galadriel]

What is this, the 100th IoT device with security flaws?
Or is that the 1,000th IoT device?

Recently I have been thinking about this, (I know, no one is supposed to THINK any more), and perhaps using open source replacement firmware would be the saving of many of these devices. Similar to DD-WRT is today. With clear, open software, developers could make suggestions and submit bug fixes to get this stuff fixed.

Plus, there could be usability flaws in the IoT devices as well.

We can leave the cheap hardwar

How do we update BrickerBot

[Doke]

So where can we submit suggestions or updates to BrickerBot?