Slashdot Mirror


Surveillance Cameras Sold On Amazon Found Infected With Malware (zdnet.com)

An anonymous reader shares a report on ZDNet: Security researcher Mike Olsen has warned that some products sold through the Amazon marketplace are harboring a dark secret -- malware. Olsen said in a blog post that while scouring Amazon for a decent set of outdoor surveillance cameras for a friend, he came across a deal for 6 PoE cameras and recording equipment. The seller, Urban Security Group, had generally good reviews and was offering a particular Sony setup on sale. After purchasing the kit, Olsen started setting up the surveillance system, logging into the administrator panel to configure it. [...] Upon investigation, Olsen found that the device was talking to a server with hostname Brenz.pl, which is linked to malware distribution. If the device's firmware links to this domain, malware can be downloaded and installed, potentially leading to unlawful surveillance and data theft. Perhaps the company which made the device didn't realize its source code was compromised. While the aforementioned incident should serve as a reminder to people on why they need to be wary of the product they are purchasing, this isolated occurrence doesn't prove in any way that "plenty" of cameras on Amazon are also infected, as the article and the original blog post are subtly trying to imply.

  1. Reasons why I don't like the Internet of Things. by Anonymous Coward · · Score: 2, Funny

    Here's a list of reasons why I don't like the Internet of Things:

    1) Internet of Things devices could watch me while I sleep.

    2) Internet of Things devices could watch me while I pee.

    3) Internet of Things devices could watch me while I make kaka.

    4) Internet of Things devices could watch me while I pleasure myself.

    5) Internet of Things devices could watch me while I wash my body in the shower.

    6) Internet of Things devices could watch me while I relax in the tub.

    7) Internet of Things devices could watch me while I brush my teeth.

    8) Internet of Things devices could watch me while I make passionate love to my wife.

    9) Internet of Things devices could watch me while I brush my hair.

    10) Internet of Things devices could watch me while I read a book.

    11) Internet of Things devices could watch me while I read Slashdot.

    12) Internet of Things devices could watch me while I bake cake.

    13) Internet of Things devices could watch me while I put in my contact lenses.

    14) Internet of Things devices could watch me while I get ready to play golf.

    15) Internet of Things devices could watch me while I do my laundry.

    16) Internet of Things devices could watch me while I think about rugby.

    17) Internet of Things devices could watch me while I tie my shoes.

    18) Internet of Things devices could watch me while I celebrate the 4th of July.

    19) Internet of Things devices could watch me while I water my flowers.

    20) Internet of Things devices could watch me while I eat ham.

    21) Internet of Things devices could watch me while I use my stapler to staple documents.

    22) Internet of Things devices could watch me while I chew bubble gum.

    23) Internet of Things devices could watch me while I check the oil in my car.

    24) Internet of Things devices could watch me while I look for my TV remote.

    25) Internet of Things devices could watch me while I blow my nose.

    26) Internet of Things devices could watch me while I rearrange my stamp collection.

    27) Internet of Things devices could watch me while I listen to the Backstreet Boys.

    28) Internet of Things devices could watch me while I do my calisthenics.

    29) Internet of Things devices could watch me while I search for a paper clip.

    30) Internet of Things devices could send information about me to advertisers.

    31) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I sleep.

    32) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I pee.

    33) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I make kaka.

    34) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I pleasure myself.

    35) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I wash my body in the shower.

    36) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I relax in the tub.

    37) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I brush my teeth.

    38) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I make passionate love to my wife.

    39) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I brush my hair.

    40) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I read a book.

    41) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I read Slashdot.

    42) Internet of Things devices could let advertisers use the data unsuspectingly collected about me while I bake cake.

    43) Internet of Things devices could let advertisers use the data unsuspectingly coll

  2. Re:Reasons why I don't like the Internet of Things by U2xhc2hkb3QgU3Vja3M · · Score: 4, Funny

    1) Internet of Things devices could do things I don't want them to.

    FTFY.

  3. What? by Chmarr · · Score: 3, Insightful

    An editorial comment that actually LESSENS the alarmism in the submission, rather than adding to it?

    This is... nearly unheard of on slashdot! What is happening???

  4. Re:made in china by U2xhc2hkb3QgU3Vja3M · · Score: 4, Insightful

    If the CPU, flash/etc ICs are made in China then you can't trust made-in-not-China devices either.

  5. Ain't Amazon Amazing... by mschwanke97402 · · Score: 2

    I buy as much stuff off Amazon as anyone but I have learned one thing. Pay careful attention to who is actually selling the product. Amazon is full of brand-names you've never heard of (and might never again), ditto vendors. If it isn't a recognized name brand and sold by Amazon itself I don't buy it. More often lately, I am trying to be a lot less lazy and actually going to the various manufacturer or big-name vendor's web sites directly. With security camera systems there seems to be a lot of product on offer through 3rd parties rather than manufacturer direct.

  6. Not a new story, just an Amazon warning by Freshly Exhumed · · Score: 2

    Krebs and others have been talking about these kinds of Chinese surveillance products for a while: https://news.slashdot.org/stor...

    Here's another: http://news.softpedia.com/news...

    The catch with *this* story is that it is about a product available through Amazon. That's it, in a nutshell.

    --
    I deny that I have not avoided attaining the opposite of that which I do not want.

  7. Re:Reasons why I don't like the Internet of Things by toonces33 · · Score: 3, Funny

    But what about the Internet of Thongs?

    I guess that already exists - I bet all you need to do is search for it.

  8. Re:made in china by LWATCDR · · Score: 3, Informative

    On MCUs you often have fuses that you can blow to prevent JTAG. BTW that is a bear to test because you end up with at least a few bricked devices. If you are doing large numbers of devices you can often have the MCU maker provide the chips to your manufacturer with the bootloader installed and the fuses blown.
    The downside to locking the bootloader like that is that the device is no longer hackable by the end user.

    --
    See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.

  9. Re:There's only one way to be sure by by (1706743) · · Score: 2

    But do you trust the compiler used to compile the compiler?

    Although I don't think, say, GCC has been "Ken Thompson hack infected," the attack a) has been used before, and b) illustrates broader principles of trust. https://news.ycombinator.com/i...

  10. Network separation? by Nethead · · Score: 4, Insightful

    Why would you actually hook these up to a network that has Internet access? Of course you make a separate VLAN or network for your "security" devices and other monitoring, ^H^H^H^H^H IoT devices that can only talk to preapproved connections. That is what a firewall is for.

    --
    -- I have a private email server in my basement.

    1. Re:Network separation? by Sadsfae · · Score: 2

      Why would you actually hook these up to a network that has Internet access? Of course you make a separate VLAN or network for your "security" devices and other monitoring, ^H^H^H^H^H IoT devices that can only talk to preapproved connections. That is what a firewall is for.

      I put all my untrusted, sketchy IoT devices on their own isolated VLAN via Tomato "Shibby" firmware on an ASUS router. It's fairly trivial to do and worth the effort so they at least can't attack your internal trusted networks. You can also whitelist outbound traffic for an added level of protection.

      --
      Have a squat over at the hobo house.
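
An added example, not part of the comments above and not the router firmware's own tooling: one way to check that devices on an isolated IoT VLAN only resolve preapproved names is to audit the router's dnsmasq query log (written when `log-queries` is enabled). The subnet 192.168.50.0/24, the allowlist and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumptions for this sketch: the camera VLAN is 192.168.50.0/24 and the only
# names those devices legitimately need are under the suffixes listed here.
IOT_NET = ipaddress.ip_network("192.168.50.0/24")
ALLOWED_SUFFIXES = ("pool.ntp.org",)

# dnsmasq "log-queries" line: ... dnsmasq[pid]: query[TYPE] name from client-ip
QUERY_RE = re.compile(r"dnsmasq\[\d+\]: query\[(\w+)\] (\S+) from (\S+)$")

# Constructed sample log, not captured from a real device.
SAMPLE_LOG = """\
Apr 11 02:10:01 dnsmasq[812]: query[A] 0.pool.ntp.org from 192.168.50.21
Apr 11 02:10:07 dnsmasq[812]: query[A] www.example.com from 192.168.1.15
Apr 11 02:11:30 dnsmasq[812]: query[A] Brenz.pl from 192.168.50.21
Apr 11 02:11:31 dnsmasq[812]: reply Brenz.pl is NXDOMAIN
Apr 11 02:12:02 dnsmasq[812]: query[AAAA] brenz.pl. from 192.168.50.21
Apr 11 02:12:40 dnsmasq[812]: query[A] notpool.ntp.org.evil.example from 192.168.50.22
"""

def is_allowed(name):
    """Match on label boundaries so 'xpool.ntp.org' does not pass as 'pool.ntp.org'."""
    name = name.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in ALLOWED_SUFFIXES)

def unexpected_lookups(log_text):
    """Return {client_ip: sorted non-allowlisted names} for clients on the IoT VLAN."""
    findings = {}
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # replies, forwards, DHCP lines
        _qtype, name, client = m.groups()
        try:
            if ipaddress.ip_address(client) not in IOT_NET:
                continue  # hosts on the trusted LAN are out of scope here
        except ValueError:
            continue  # malformed client field
        if not is_allowed(name):
            findings.setdefault(client, set()).add(name.lower().rstrip("."))
    return {ip: sorted(names) for ip, names in findings.items()}

if __name__ == "__main__":
    for ip, names in unexpected_lookups(SAMPLE_LOG).items():
        print(ip, "->", ", ".join(names))
```
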
  11. Re:SubjectIsSubject by worf_mo · · Score: 2

    I have set up a few of these (Raspberry Pi 2 Model B with the camera module), and they work quite well and reliably.

    You may want to install mjpg-streamer, which can be used to stream JPEG files over an IP-based network. That alone will already allow you to watch the camera's images as a stream over the local network. Make sure you limit access either by using mjpg-streamer's settings or by setting up a firewall/iptables.

    You can then install motionEye, which is a web-based frontend for motion. There you can set up a number of IP cameras and define when and where you want the streams to be recorded. For example record camera1 between 22h and 06h, record camera2 whenever motion is detected, 24/7.

    You can connect one camera module to each Raspberry, and a motionEye setup can - depending on the hardware it is installed on - support multiple cameras.

    To the GP: It's true, the cost is slightly higher than going with a cheap IP cam, but the hardware can be used for other services, too. The video stream stays local (unless you open up your router or connect via VPN), and you are not depending on a 3rd party, which may or may not be available next year. The setup is straightforward and doesn't take much time.

    I wouldn't use this solution in a professional environment, but it is more than enough to keep an eye on my garage, should the bastard who stole my bike ever decide to give it a second try.