
Indeed. My mom got an internet connected "security camera" kit (for cheap from one of the big wholesalers, can't remember the manufacturer) and asked me to set it up.

The hardware was nice, cameras did a reliable 1080p full color, but the whole reason my mom wanted it was so she could check in while she and my dad were traveling (and also sneak a peek at her bird feeders while she was away; avid birder, that one).

So, I hooked that thing up to the network and did a port scan on it... First thing I noticed: it's listening on port 22, and auth is a googleable default password. It supports UPnP to punch a hole through the NAT and serve up video on another port. The OS on the server box is some slightly customized version of Linux with an _old_ kernel.

So I said, "Sure mom, I can set this up for you. We're going to need to get you a new firewall, it'll probably be easiest to put a *nix box in front of your wifi access point, then we can set up a tunnel between the isolated camera server and a locked down outside server that only you have access to so we can be sure that no one else is looking at those cameras. Should only take me a few hours, and we'll need to buy a box to run the firewall, and then a small monthly fee to keep the internet accessible server running"

Her response, "but it says on the box that it's easy to setup for outside access!". Mine: "It's easy to setup for everyone to access, much more involved if you want to make sure it's only you who has access".

Admittedly, it did have some authentication for accessing the video streams, but I didn't trust that thing as far as I could throw it; I'm glad she decided not to go through the trouble of getting it working (but mostly because I'm lazy and didn't want to have to set up and support that damn thing).

I can only imagine that the people who bought that device and didn't have a security paranoid person to help them set it up are all contributing to this most recent DDoS attack.



    Her response, "but it says on the box that it's easy to     
    setup for outside access!". Mine: "It's easy to setup for 
    everyone to access, much more involved if you want to 
    make sure it's only you who has access"
Well, that was a pretty clever answer, I had to laugh about that :D Basically the commercial was right :D "easy to setup for outside access" didn't imply a single person ^^


The problem here is there's nearly zero incentive to do it right. I mean, ok, let's say the worst - somebody breaks into the box. For a regular person, the worst thing is somebody would get access to their DVR. As long as it keeps working as a DVR, they couldn't care less. Yes, this DVR would also serve as a botnet bot, but the owner doesn't care. It doesn't hurt them - except when Twitter goes down, but they don't make the link between them not configuring the DVR properly and Twitter going down. Until we find a way to make the incentives work in the right direction, nothing would really change...


> Admittedly, it did have some authentication for accessing the video streams, but I didn't trust that thing as far as I could throw it

So...you wanted to have authentication and it has authentication...I must be missing something.


It may not have been over HTTP, so it could be sniffed. Or, even if it did have HTTPS, it might not generate keys in a secure way (or might use the same certificate as other devices). And you don't know if there are hidden backdoor accounts that might be found eventually...

So, yeah, it makes sense to block it - personally I block IoT devices from the Internet entirely (and don't even let them initiate requests to my local network) and use a VPN (IPsec/IKEv2). That wouldn't work for devices that connect to cloud services, so I'd have to set up new firewall rules if I got one of them.

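The isolation described in the comment above (IoT segment cut off from the Internet and from the trusted LAN, with only the IKEv2 VPN reaching in from outside), written out as an added example that is not from this thread. The interface names wan0/lan0/iot0 and the use of nftables are assumptions about the reader's own router.

```shell
#!/bin/sh
# Assumed interface names (not from the thread): override via environment.
WAN_IF="${WAN_IF:-wan0}"   # upstream / Internet
LAN_IF="${LAN_IF:-lan0}"   # trusted clients
IOT_IF="${IOT_IF:-iot0}"   # cameras, DVRs and other untrusted devices

# Emit an idempotent nftables ruleset (create-then-flush so re-applying is safe).
iot_isolation_ruleset() {
  cat <<EOF
table inet iot_isolation
flush table inet iot_isolation
table inet iot_isolation {
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    # Trusted LAN may open connections to the cameras; replies come back
    # through the established/related rule above.
    iifname "$LAN_IF" oifname "$IOT_IF" accept
    iifname "$LAN_IF" oifname "$WAN_IF" accept
    # IoT may neither reach the Internet nor initiate toward the LAN.
    # Logged so that a device trying to phone home (or join a botnet) shows up.
    iifname "$IOT_IF" oifname "$WAN_IF" log prefix "iot-egress-blocked: " counter drop
    iifname "$IOT_IF" oifname "$LAN_IF" log prefix "iot-to-lan-blocked: " counter drop
  }
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    iifname "lo" accept
    iifname "$LAN_IF" accept
    # IoT segment only gets DHCP and DNS from the router itself.
    iifname "$IOT_IF" udp dport { 67, 53 } accept
    iifname "$IOT_IF" tcp dport 53 accept
    # Only the IKEv2 VPN is reachable from outside (IKE, NAT-T, ESP).
    iifname "$WAN_IF" udp dport { 500, 4500 } accept
    iifname "$WAN_IF" meta l4proto esp accept
  }
}
EOF
}

# Load the ruleset into the kernel (requires root and the nft binary).
apply_iot_isolation() {
  iot_isolation_ruleset | nft -f -
}

if [ "${1:-}" = "apply" ]; then
  apply_iot_isolation
fi
```

Run with `apply` to load it; without arguments it only defines the functions, so `iot_isolation_ruleset` can be printed and reviewed first.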

Late response, but yes - there was no HTTPS support whatsoever on this thing. Authentication was some custom shit and intended to be passed over the internet in clear text.


So...you wanted to have authentication and it has authentication...I must be missing something

You missed that you could SSH into it with a default password that is easy to find on a web search.


So... don't use that default password?


I will be interested if you take time to write this up.


Why not generate a cert based off the MAC address and allow the customer to use that?



