Back when the internet was relatively new and essentially unspoiled, there was a great deal of hype around the “connected home,” which was to include every major appliance, all of your entertainment electronics, home lighting, environmental controls, and security. Everything, it would seem, including toilets, which some manufacturers are still trying to make happen in 2018. One thing that had zero trouble becoming extremely popular is the internet-connected security camera, which has exploded in growth (as predicted) and shows no signs of stopping as the devices become more affordable and easy to install. The downside, of course, is that the low cost comes at a price, which is most often achieved through poor quality control. Back before the days of solid-state everything, this used to mean shoddy wiring and terrible video resolution, but now, unfortunately, it seems to be coming at the cost of proper security.
Peekaboo, I hack you!
Once again, an overseas firmware manufacturer in Taiwan has announced that a recent version of its firmware, used in an undetermined number of camera models, has two significant bugs that, when exploited, can lead to complete root-level control of the device, which in layman’s terms means, “all your cameras are belong to us!” Any device inside your network that can be compromised and controlled by an outside, unauthorized agent is the very definition of bad news. Early estimates put the number of affected cameras at 180,000 to 800,000, which is really shorthand for “we don’t really know how many devices are impacted,” and is based on the list of partners the company released that might be affected by this vulnerable firmware. While the firmware maker was quick to issue a fix, the patch itself would need to be applied manually, and it’s not clear how that fix would be distributed, nor how the camera owner would be notified.
At the moment, there is no list of affected camera models, so unless your specific IP camera actually tells you what firmware it is using in the built-in web interface (most of them don’t), you can’t even check for yourself. You will have to wait to see if your camera manufacturer issues an update for your device. And let’s be frank, most folks, even yours truly, aren’t watching for firmware updates for our IP cameras, and I would hazard a guess that most owners of the consumer-grade IP cameras likely affected by this vulnerability haven’t even registered their ownership with the camera manufacturer, so unless you (1) know the model of the installed camera and (2) go look up on the manufacturer’s website to see if an update even exists, it’s likely you will never know if your camera is vulnerable until after it’s been hacked. Unfortunately, we have enough trouble keeping our computers and mobile devices up to date without having to keep track of the growing Internet of Things, but sadly, it looks like this is exactly what our next challenge will be.
One month ago we wrote about a wave of attacks powered by compromised security appliances – mostly Asian-manufactured network video recorders – that disabled popular internet services for several days in late October. Despite the growing awareness of the problem due to this incident, this infected segment of the Internet of Things (IoT) is still active and wreaking havoc on a new front. Security researchers are reporting active attacks on routers used primarily by the ISPs Deutsche Telekom (Germany) and Eircom (Ireland) to service their internet customers. The attacks, powered by a new variant of the Mirai malware that was behind the previous IoT attacks in October, exploit a recently discovered weakness in Zyxel and Speedport routers, and a remote management protocol known as TR-069 which ISPs traditionally use to manage equipment distributed to their customers. According to Deutsche Telekom, nearly one million of their customers may be affected by this exploit, and security researchers have cause to believe that over 40 million devices on the internet may be vulnerable to exploits of TR-069.
What this means for you:
Data is still being gathered on how widespread this problem may be, so it’s not immediately clear if anyone here in the States is directly impacted by this particular exploit. I can guarantee that if we aren’t affected by this one, there are probably several others we haven’t yet discovered. One of the great conundrums tech service providers (like C2) face is that we must rely on the internet to provide support to our clients, and in doing so have to make devices like routers “visible” on the internet, which in turn opens them to attack. As is typically the advice in the face of unknown threats, preparation is your best defense: change default passwords to strong, unique ones. Shield critical devices from the internet where possible through isolation, control and firewalls, and most importantly, understand and document what devices in your organization have contact with the internet so that when an attack does surface, we can quickly root out the source and hopefully prevent further damage. We are now at the point where a malware infection is a certainty in almost any environment, and the difference comes from how well prepared you are to recover from it.
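The advice above (change default passwords, keep management interfaces off the internet, and know which devices can be reached from outside) boils down to keeping an inventory and checking it against a few rules. The script below is an added example of that kind of inventory audit; it is not code from the original post or from C2. The device records are constructed sample data, and the port sets are assumptions for the example: 7547 is the CPE-side TR-069 (CWMP) connection-request port, and the management port list is a typical set of admin interfaces rather than anything taken from the article.

```python
"""Audit a small inventory of internet-facing devices against basic hygiene rules.

Constructed example: the inventory, port lists and finding codes are assumptions
made for this illustration, not data from the article or from any vendor.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# CPE-side TR-069 (CWMP) connection-request port; it should only be reachable
# by the ISP's management server, never by the whole internet.
TR069_CWMP_PORT = 7547
# Common device admin/management interfaces (assumed list for this example).
MANAGEMENT_PORTS = {22, 23, 80, 443, 8080}


@dataclass(frozen=True)
class Device:
    name: str
    ip: str
    wan_open_ports: Tuple[int, ...]   # ports reachable from outside the network
    default_password: bool            # True if the vendor default was never changed
    firmware: str                     # "" when the device does not report its version
    last_update_check: str            # ISO date of the last vendor-advisory check, "" if never


Finding = Tuple[str, str]  # (short code, human-readable explanation)


def audit_device(dev: Device) -> List[Finding]:
    """Return the hygiene findings for one device, in a fixed rule order."""
    findings: List[Finding] = []
    if dev.default_password:
        findings.append(("default-credentials",
                         "vendor default password still in use; set a strong, unique one"))
    if TR069_CWMP_PORT in dev.wan_open_ports:
        findings.append(("tr069-exposed",
                         "TR-069/CWMP port reachable from the internet; restrict it to the ISP's management server"))
    exposed_mgmt = sorted(p for p in dev.wan_open_ports if p in MANAGEMENT_PORTS)
    if exposed_mgmt:
        findings.append(("mgmt-exposed",
                         f"management ports {exposed_mgmt} reachable from the internet; isolate behind a firewall or VPN"))
    if not dev.firmware:
        findings.append(("firmware-unknown",
                         "device does not report a firmware version, so it cannot be matched against vendor advisories"))
    if not dev.last_update_check:
        findings.append(("no-update-record",
                         "no record of ever checking the vendor for firmware updates"))
    return findings


def audit_inventory(devices) -> Dict[str, List[Finding]]:
    """Map each device name to its findings."""
    return {d.name: audit_device(d) for d in devices}


def prioritised(devices) -> List[str]:
    """Device names ordered by number of findings, worst first (ties broken by name)."""
    report = audit_inventory(devices)
    return sorted(report, key=lambda n: (-len(report[n]), n))


# Constructed sample inventory (documentation addresses, made-up versions and dates).
SAMPLE_INVENTORY = (
    Device("lobby-camera", "192.0.2.10", (80, 554), True, "", ""),
    Device("isp-router", "192.0.2.1", (7547,), False, "1.2.3", "2018-01-15"),
    Device("video-recorder", "192.0.2.20", (), False, "4.0.1", "2018-02-01"),
)

if __name__ == "__main__":
    report = audit_inventory(SAMPLE_INVENTORY)
    for name in prioritised(SAMPLE_INVENTORY):
        print(f"{name}: {len(report[name])} finding(s)")
        for code, msg in report[name]:
            print(f"  [{code}] {msg}")
```

In practice the inventory would be filled from your own records or from an external scan of your public address range rather than typed in by hand; the value of the script is that it gives you one list, worst device first, of what an outsider can reach and what you cannot yet verify.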