IoT security camera infected within 98 seconds of plugging it in

One and a half minutes is all it took after plugging in an internet-connected security camera for the camera be infected with malware.

Unlike the average Jane or Joe Doe who would not want their security camera to be immediately infected with malware, Rob Graham, CEO of Errata Security, called it “fun” to watch the infection happen. He tweet-documented his experience.

Graham purchased an inexpensive device—this $55 IoT security camera made by JideTech.

It supports Universal Plug and Play (UPnP), not a secure feature but easy for non-techies to setup because basically a person plugs a UPnP device in and it works. The average user would not likely do this, but Graham said he isolated the camera from his home network by setting it up behind a Raspberry Pi router.

And just 98 seconds later, Graham’s camera was infected with malware.

His security camera ended up with multiple malware infections. Mirai malware was not the first infection; he said it was “something else similar to it.”

It wasn’t long before the security camera had two active infections, one of those being Mirai. Then he got a good look at how Mirai works. He explained that after the first stage of Mirai got a toehold on the device, it downloaded the full Mirai malware.

Mirai, he said, “infects things via Telnet, not the web.” The malware sends out “a burst of 150 Telnet packets looking for new victims.” It waits a second for any responses before continuing to hunt for new victims.

Graham noted, “On my Mirai-infected camera, Telnet has a hardcoded password so you can reset your changeable web interface password.” At one point, he said, “One of the infections killed the Telnet daemon and kicked” him off.

The next day he added a command that can be run so you don’t get locked out of your Mirai-infected device.

If you plan on buying someone an IoT security camera, or you receive one as a gift for the upcoming holidays, please do try to set it up correctly, since an infection can occur crazy-fast—within 98 seconds! No one, except maybe some security researchers, would want their IoT device to become part of a DDoS botnet.

Although changing the default password before connecting an IoT device to the internet is frequently advised, Graham said that would not help in the case of his Mirai-infected camera.

The correct mitigation, Graham said, is to “put these devices behind your firewall” because “many of the Mirai passwords can’t be changed.”

Z-Wave certified devices to be ‘hacker-proof’

While it certainly won’t resolve all IoT security issues, the Z-Wave Alliance did announce mandating “hacker-proof security on their smart devices.” That’s a bold claim made in an email about the announcement. However, it’s a step in the right direction to reduce security and privacy risks. All smart devices with Z-Wave that are certified after April 2, 2017, will be required to meet specific security requirements.

Certified Z-Wave devices will have to include a new security framework, dubbed S2. The Z-Wave Alliance said:

[S2] completely removes the risk of devices being hacked while they are included in the network. By using a QR or pin-code on the device itself, the devices are uniquely authenticated to the network as well. Common hacks such as man in the middle and brute force are virtually powerless against the S2 framework through the implementation of the industry-wide accepted secure key exchange using Elliptic Curve Diffie-Hellman (ECDH). Finally, Z-Wave also strengthened its cloud communication, enabling the tunneling of all Z-Wave over IP (Z/IP) traffic through a secure TLS 1.1 tunnel, removing vulnerability.