Rob Graham on Twitter: “1/x: So I bought a surveillance camera https://t.co/HbmPzrZgFK”
Posted by jpluimers on 2016/11/20
Conclusions:
- Always put your IoT devices behind a firewall
- Isolate each IoT device into its own “world” that can communicate as little as possible with the rest of your network
- Preferably isolate each set of IoT devices that do need to talk to each other in their own LoT (LAN of Things)
- Use Ad-Blockers
“1/x: So I bought a surveillance camera”: [WayBack] Rob Graham on Twitter: “1/x: So I bought a surveillance camera https://t.co/HbmPzrZgFK”
Interesting: [WayBack] Errata Security: Configuring Raspberry Pi as a router
Via: [WayBack] Plugging in a new IP webcam. 98 seconds. infected. Wow. https://twitter.com/E… – G+ Jan Wildeboer
Of course Rob tried many webcams to find a vulnerable one. And exposing telnet port 23 to the internet is not the best idea, but people do that, or they get an indirect infection from a piece of JavaScript served by an ad network that scans the local network for vulnerable devices. That’s how the internet works!
Since Twitter and other social media tend to show only the non-interesting part of a stream, here is the full one (no time to edit out the superfluous stuff):
2/x: I setup a RPi as a router/firewall/NAT to isolate it from my home network, and rate limit outgoing stuff http://blog.erratasec.com/2016/10/configuring-raspberry-pi-as-router.html …
5/x: looks for ‘wget’ or ‘tftp’ in order to download binaries the easy way
6/x: that doesn’t work, so has to download the virus binary the hard way
7/x: And when it’s done, it runs the binary, and the box is now officially infected:
9/x: but by something that isn’t Mirai, but something else similar to it
10/x: This camera I got off http://Amazon.comΒ for $55:
11/x: Bah, I’ve got my isolation rules setup wrong, blocking outbound TCP, so I’ve been inadvertently preventing further infection
12/x: Ignore that last tweet. It appears that connecting to those ports is difficult anyway, even from another machine.
13/x: So I’ve got what appears to be two active infections (the shells with PID greater than 2000).
14/x: so after it loads the first stage Mirai, it then connects out to download the full virus, like from here: http://89.248.172.173/arm
15/x: once it downloads that, it runs it and starts spewing out SYN packets at a high rate of speed, looking for new victims
16/x: It appears to send out a burst of 150 Telnet packets looking for victims, then wait a second for any responses, then continues
17/x: I think I’ve got my firewall configured correctly, blocking outbound port 23, so these shouldn’t be hitting the Internet.
@ErrataRob What make/model of camera was this ?
@ErrataRob @747Captain There’s a “Software” link pointing to Mediafire. The rar has a program “ResetUser.exe”. This was in the strings:
@jw_sec @747Captain where is that link? I’d like to download this program.
@jw_sec @747Captain Ah! nvm, I found it. It was text I needed to copy/paste instead of click on
@ErrataRob @747Captain Nothing says official like hosting your docx docs and exe tooling on mediafire.
@ErrataRob what’s up with the /bin/busybox ECCHI/IHCCE?
@parrotgeek1 to cause known error messages at the end of commands, so that they know for sure once the end of output has been reached
@ErrataRob oh. you should confuse them by making it a real command
@ErrataRob this one looks like the ones build on Shenzhen Videosurveillance Market in the upper floors
@n0wl1 interesting
@ErrataRob interesting tweets Rob, is it used Dynamic DNS when it is initially setup? If no , how is it exposed to internet?
@alhayani_ I had to map the external port 23 on the firewall to the device.
@ErrataRob why did you do that? Is it because you suspect Mirai scans for 23? If so, how did IoT get infected by Mirai if users change the default values?
@alhayani_ @ErrataRob yes, he wanted it to get infected. Yes, Mirai (and many others) scan 22, 23, 80 and try default creds.
@ErrataRob hikvision?
@breaktoprotect that’s the underlying chip
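The conclusions at the top (put IoT devices behind a firewall) and the thread’s own observations (the RPi router in 2/x, the outbound Telnet SYN bursts of about 150 packets followed by a one-second pause in 15/x–17/x) together suggest a simple defender-side check that the router can run on its own logs. The script below is an added example and is not code from the thread, from Rob Graham or from the Errata Security post. It assumes a Linux router with a netfilter LOG rule on the IoT-facing interface (the rule, interface names, log prefix and every log line are constructed for this example) and flags any device that sends Telnet SYNs to many distinct hosts within one second.

```python
"""Flag Mirai-style Telnet scanning from an isolated IoT segment.

Added example, not from the thread. Assumed setup: the IoT devices sit behind
a Linux router (like the Raspberry Pi router in 2/x) with a rule that logs new
outbound TCP connections from the IoT interface before the drop rule, e.g.
    iptables -A FORWARD -i eth1 -p tcp --syn -j LOG --log-prefix "IOT-OUT "
    iptables -A FORWARD -i eth1 -p tcp --dport 23 -j DROP
Interface names, the prefix and all sample log lines below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

ASSUMED_YEAR = 2016          # syslog timestamps carry no year; the post is from Nov 2016
TELNET_PORTS = {23, 2323}    # 23 is from the thread; 2323 is Mirai's alternate Telnet port

# Standard netfilter LOG layout:
# "<syslog ts> <host> kernel: [<uptime>] <prefix> IN=.. OUT=.. SRC=.. DST=.. PROTO=TCP SPT=.. DPT=.. <flags> URGP=.."
LOG_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ kernel: "
    r"(?:\[\s*[\d.]+\] )?(?P<prefix>\S+) IN=(?P<iface>\S*) OUT=\S* "
    r".*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r".*?PROTO=TCP SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+) "
    r".*?(?P<flags>(?:[A-Z]{3} )*)URGP=\d+$"
)

def parse_line(line):
    """Return the fields of one netfilter LOG line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']} {ASSUMED_YEAR}",
                           "%b %d %H:%M:%S %Y")
    flags = set(m["flags"].split())
    return {
        "ts": ts,
        "src": m["src"],
        "dst": m["dst"],
        "dpt": int(m["dpt"]),
        "syn": "SYN" in flags and "ACK" not in flags,   # a new connection attempt
    }

def telnet_syns_per_second(lines):
    """Map each source to {second: set of destinations} for Telnet SYNs."""
    buckets = defaultdict(lambda: defaultdict(set))
    for line in lines:
        rec = parse_line(line)
        if rec and rec["syn"] and rec["dpt"] in TELNET_PORTS:
            buckets[rec["src"]][rec["ts"]].add(rec["dst"])
    return buckets

def find_scanners(lines, burst_threshold=50):
    """Flag sources that hit at least burst_threshold distinct hosts on Telnet within one second."""
    findings = {}
    for src, per_second in telnet_syns_per_second(lines).items():
        peak_ts, peak_targets = max(per_second.items(), key=lambda kv: len(kv[1]))
        if len(peak_targets) >= burst_threshold:
            findings[src] = {
                "peak_per_second": len(peak_targets),
                "peak_at": peak_ts.strftime("%H:%M:%S"),
                "distinct_targets": len(set().union(*per_second.values())),
                "burst_seconds": sum(1 for t in per_second.values() if len(t) >= burst_threshold),
            }
    return findings

def _log_line(ts, src, dst, dpt, flags="SYN", spt=34567):
    """Build one constructed netfilter LOG line in the layout parsed above."""
    return (f"{ts} rpi kernel: [ 1234.567890] IOT-OUT IN=eth1 OUT=eth0 "
            f"MAC=b8:27:eb:00:00:01:00:11:22:33:44:55:08:00 SRC={src} DST={dst} "
            f"LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT={spt} DPT={dpt} "
            f"WINDOW=5840 RES=0x00 {flags} URGP=0")

def build_sample_log():
    """Constructed sample: a camera bursting 150 Telnet SYNs, pausing a second,
    then bursting again (the 16/x pattern), beside a device behaving normally."""
    lines = []
    for second, net in (("Nov 20 10:15:01", "198.51.100"), ("Nov 20 10:15:03", "192.0.2")):
        lines += [_log_line(second, "192.168.50.10", f"{net}.{i}", 23, spt=40000 + i)
                  for i in range(150)]
    # established traffic (ACK set) must not count as a new probe
    lines.append(_log_line("Nov 20 10:15:02", "192.168.50.10", "198.51.100.7", 23, flags="ACK PSH"))
    # benign neighbour: one Telnet login to the router, a few HTTPS connections
    lines.append(_log_line("Nov 20 10:15:02", "192.168.50.20", "192.168.50.1", 23))
    lines += [_log_line("Nov 20 10:15:02", "192.168.50.20", "203.0.113.10", 443) for _ in range(3)]
    lines.append("Nov 20 10:15:02 rpi kernel: [ 1234.600000] unrelated kernel message")
    return lines

if __name__ == "__main__":
    for src, info in find_scanners(build_sample_log()).items():
        print(f"{src}: {info['peak_per_second']} Telnet SYNs/s at {info['peak_at']}, "
              f"{info['distinct_targets']} targets over {info['burst_seconds']} burst seconds")
```

The threshold is deliberately far below the 150-per-second burst the thread reports, because a camera has no legitimate reason to open Telnet sessions to dozens of hosts in a second; run it over `journalctl -k` or `/var/log/kern.log` on the router and the one flagged source is the device to unplug.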
–jeroen