CCTV botnets proliferate due to unchanged default factory credentials

Incapsula researchers have uncovered a botnet consisting of some 9,000 CCTV cameras located around the world, which was being used to target, among others, one of the company’s clients with HTTP floods.


“The attack was run of the mill, peaking at 20,000 requests per second (RPS). The surprise came later when, upon combing through the list of attacking IPs, we discovered that some of the botnet devices were located right in our own back yard,” the researcher noted.

Some of the compromised cameras were found in a nearby mall, and the researchers helped store owners to clean them and secure them against future attacks.

“All compromised devices were running embedded Linux with BusyBox—a package of striped-down common Unix utilities bundled into a small executable, designed for systems with limited resources,” they noted.

“The malware we found inside them was an ELF binary for ARM named (.btce) a variant of the ELF_BASHLITE (a.k.a. Lightaidra and GayFgt) malware that scans for network devices running on BusyBox, looking for open Telnet/SSH services that are susceptible to brute force dictionary attacks.”

Botnets powered by compromised IoT devices are not unusual, and among thusly compromised devices (often by several different attackers) it’s common to find CCTV cameras.

As the researchers noted, in 2014 there were 245 million professionally installed surveillance cameras operating around the world – and who knows how many there were installed by individuals who know nothing about keeping them secure.

The greatest problem is that those who install them often forget or simply don’t bother changing the default factory authentication credentials, or choose new ones who are easy to brute-force. This allows attackers to easily take over the devices, infect them with malware, and use them for their own ends.