IoT Botnet Can DDoS Your Webserver

OK, it happened as some predicted last year:

A botnet was found¹ (a collection of computers, or in this case devices, that are controlled by another computer) controlling a number of IoT (Internet of Things) devices. These IoT devices were then told to attack a website, causing a DDoS (Distributed Denial of Service). The website then crashed because it was too busy.

[Image: IoT botnets, from valuewalk.com²]

So let’s back up a bit: what are IoT devices? http://iotlist.co/ has a list.

An IoT device can be many things: a camera is one, and the list also includes espresso machines, a Samsung VR headset, an indoor night light, a Wi-Fi smart plug, speakers, an indoor air quality monitor, a Samsung Galaxy connected screen, a keypad, an oven, a watch, light switches, and many more.

Director of National Intelligence (DNI) James Clapper, at the Feb 25 hearing in Congress:

“I want to briefly comment on both technology and cyber specifically. Technological innovation during the next few years will have an even more significant impact on our way of life. This innovation is central to our economic prosperity, but it will bring new security vulnerabilities,” he said. “The Internet of things will connect tens of billions of new physical devices that could be exploited. Artificial intelligence will enable computers to make autonomous decisions about data and physical systems and potentially disrupt labor markets.”

[Image: threat hearings]

So our esteemed leaders are keeping an eye on IoT, but what are these devices really?

The attack came from CCTV devices connected to the Internet (which have a specific bug, noted below, that can be exploited by criminal hackers).

KerneronSecurity³ wrote about this on March 22, 2016: 70 CCTV vendors have a remote code execution bug, and apparently this has been going on since 2014.

So this is a big problem, and it looks like it will continue to be one until the vendors of most CCTV devices fix this issue.

[Image: GoldenEye IR camera] GoldenEye IR camera, http://www.goldeyecctv.com/

[Image: Technomate camera] http://www.technomate.com/categories/Products/Security/Cameras/

Above are just 2 of the supposed 70 vendors that, according to KerneronSecurity, are susceptible to this big cybersecurity problem.

This blog post does not imply that the above 2 vendors (GoldenEye and Technomate) have the bug, as I have not independently verified these 2 models against that specific remote code execution.

I imagine the criminal hackers are working on new attack angles with this many potential attack points.

In fact, according to Google, there are 5.9 million CCTVs in Britain and 245 million in the world. Likely most of them are susceptible to this attack.

[Image: security cameras in the world]

It seems that over 25,000 attack points came into the website in the DDoS attack. There is potential for much bigger mischief.

You may not realize this, but the hackers also have problems with their software, especially since it is custom built; they cannot jump straight to controlling hundreds of thousands of devices, and first have to control 25,000.

So what do we do if we know a major cyberstorm is coming?

According to Kerneron Security, these devices are all white-label devices coming from TVT, a Chinese company.

TVT, 5F, North Block, CE Lighting House, Hi-Tech Park, Nanshan District, Shenzhen, Guangdong, P.R. China

And I have found an actual CVE, CVE-2013-6023, that explains this Cross Web Server vulnerability⁴. Specifically, check Exploit-db.com, which discusses the directory traversal vulnerability.
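The two checks a site operator would want from the last few paragraphs, as an added example that is not from the original post and not code from TVT, KerneronSecurity or Exploit-db: a small Python script that (a) counts requests and distinct source addresses per time window in a web server access log, which is the signal that separates a flood from many devices from one busy client, and (b) flags URL-encoded directory traversal attempts in the same log, alongside a path resolver that refuses to serve anything outside the web root. The log lines are constructed samples, and the window size, source threshold and web root are assumptions.

```python
import posixpath
import re
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import unquote

# Constructed sample access log (Common Log Format); not real traffic.
# Five distinct sources hit one page in the same minute, and one source
# probes for directory traversal with single and double URL-encoding.
SAMPLE_LOG = """\
203.0.113.10 - - [22/Mar/2016:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.11 - - [22/Mar/2016:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.12 - - [22/Mar/2016:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.13 - - [22/Mar/2016:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.14 - - [22/Mar/2016:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 512
198.51.100.5 - - [22/Mar/2016:10:00:04 +0000] "GET /static/..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 0
198.51.100.5 - - [22/Mar/2016:10:00:05 +0000] "GET /static/%252e%252e/%252e%252e/etc/shadow HTTP/1.1" 404 0
203.0.113.10 - - [22/Mar/2016:10:05:30 +0000] "GET /about.html HTTP/1.1" 200 1024
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield rec


def fully_decode(path, max_rounds=3):
    """Undo repeated URL-encoding so that %252e%252e is seen as '..'."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_traversal(raw_path):
    """True if the decoded path contains a '..' segment (either separator)."""
    path = fully_decode(raw_path.split("?", 1)[0]).replace("\\", "/")
    return ".." in path.split("/")


def find_traversal_attempts(text):
    """Return (source ip, raw path) for each request that looks like traversal."""
    return [(r["ip"], r["path"]) for r in parse_log(text) if is_traversal(r["path"])]


def safe_resolve(web_root, request_path):
    """Map a request path to a file under web_root, or None if it escapes.

    Pure string normalisation; on a real filesystem also resolve symlinks
    (os.path.realpath) before serving the file.
    """
    root = posixpath.normpath(web_root)
    rel = fully_decode(request_path.split("?", 1)[0]).replace("\\", "/").lstrip("/")
    target = posixpath.normpath(posixpath.join(root, rel))
    if target != root and not target.startswith(root.rstrip("/") + "/"):
        return None
    return target


def requests_per_window(text, window_seconds=60):
    """Map each time window (ISO start, UTC) to (request count, distinct sources)."""
    windows = defaultdict(lambda: {"n": 0, "src": set()})
    for r in parse_log(text):
        start = int(r["ts"].timestamp()) // window_seconds * window_seconds
        key = datetime.fromtimestamp(start, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        windows[key]["n"] += 1
        windows[key]["src"].add(r["ip"])
    return {k: (v["n"], len(v["src"])) for k, v in sorted(windows.items())}


def flood_windows(text, window_seconds=60, max_sources=5):
    """Windows where distinct sources exceed max_sources (an assumed threshold)."""
    return [k for k, (_, srcs) in requests_per_window(text, window_seconds).items()
            if srcs > max_sources]


if __name__ == "__main__":
    for ip, path in find_traversal_attempts(SAMPLE_LOG):
        print("traversal attempt from", ip, "path", path)
    for window, (n, srcs) in requests_per_window(SAMPLE_LOG).items():
        print(window, "requests:", n, "distinct sources:", srcs)
    print("flood windows:", flood_windows(SAMPLE_LOG))
```

The traversal check decodes more than once on purpose: a single `unquote` would leave `%252e%252e` as `%2e%2e` and miss it. The resolver checks that the normalised target still starts with the root plus a separator, so a root of `/srv/www` does not accept `/srv/wwwevil/...`. A threshold of five distinct sources per minute is only right for this toy log; on a real site it is set from the normal baseline.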

Now, if we try to find the actual market share of TVT devices (H.265), we find:

[Image: China TVT takes the lead, from https://technology.ihs.com/api/binary/520143]

It looks like most vendors are coming from China, and the market in 2013 was $13.5 billion for professional video surveillance. So, as usual, security is not as important as sales.

My recommendation? If you have a TVT video camera, REPLACE it with a technology that is different from this one, as it seems the TVT devices are not security tested. Run your own security tests.

It looks like you have to test and fix this problem.

Contact me to discuss.

This is what I do as a security vulnerability analyst, among other things: https://fixvirus.com/sigma-service/


1) https://blog.sucuri.net/2016/06/large-cctv-botnet-leveraged-ddos-attacks.html

2) http://www.valuewalk.com/2015/12/iot-based-botnets-will-be-major-problem-by-2017-iid/

3) http://www.kerneronsec.com/2016/02/remote-code-execution-in-cctv-dvrs-of.html

4) https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6023
