Embedded malware shipped on surveillance system sold via Amazon

Buying on Amazon or receiving a freebie product at a security conference does not guarantee the lack of embedded malware on the device.

There’s nothing particularly new about new products being shipped with malware, but if you are in the market for surveillance cameras and are looking for a good deal, then a security researcher warned that even products sold on Amazon come with embedded malware.

Security researcher Mike Olsen found a decent deal on an outdoor surveillance CCTV setup, specifically six Sony HD IP cameras and recording equipment that are being sold on Amazon by a seller with “great ratings.”

USG Sony Chip HD 6 Camera 1080P PoE IP CCTV Kit Urban Security Group

But when Olsen went to setup the system for a friend, he noticed something fishy after logging into the admin page to configure the system. Olsen explained that he originally thought it was fouled up CSS that was hiding the normal settings and controls. After opening the developer tools, he found “an iframe linking to a very strange looking host name.” He ran a search on that domain, brenz.pl, and discovered it has a history of being linked to skeevy tactics such as spreading malware.

Although he warned that embedded malware can even be found in products sold via Amazon, Olsen also found the same issue was discussed about a month ago regarding embedded malware on waterproof IP cameras sold at Kmart. This type of situation probably happens more often than most people realize. After all, as Olsen said, the Amazon seller had great ratings, and those are rarely left by people who are aware they purchased malware-infected products. Or maybe Olsen was the unlucky first?

Tainted supply chains have haunted DHS for years and worried the U.S. military, but many incidents of malware-infected products have nothing to do with adversaries’ dirty tricks aimed at national security. Some incidents, however, were particularly ironic as they involved USBs pre-loaded with malware and handed out at security conferences. Computerworld reported:

In 2008, at AusCERT security conference, Telstra handed out free USBs with AutoRun malware. Also in 2008, Hewlett-Packard Security Response Team issued a warning to AusCert after HP shipped a batch of USBs loaded with malware that could allow an attacker to take over Proliant servers. In May of 2010, IBM had to own up to all AusCERT security conference attendees that IBM's complimentary USB drives had also included two free extras in the form of malware. IBM pulled a similar accidental stunt in 2002 when its USB drives contained a rare boot sector virus, but at least it wasn't aimed at the AusCERT security conference this time.

Regular consumers like Olsen have ended up buying malware-infected products, including digital photo frames that attempt to hijack PCs, NAS drives, printers, webcams (pdf), cameras, battery chargers, iPods, GPS devices, several smartphones, hard drives, motherboards and more. It's unlikely those were all NSA malware implants added after the items shipped.

It is doubtful that you may ever purchase a malware-infected techy device. If you do, and you're an average consumer, you might never know the device is problematic unless it does something obviously shady or is flagged by anti-malware products. Olsen isn’t an average consumer, so you might want to steer clear of the “great deal” on the surveillance system. Buying on Amazon or receiving a freebie product at a security conference does not guarantee the lack of embedded malware on the device.

Cybersecurity market research: Top 15 statistics for 2017