This past weekend security researcher and “artful hacker” Mike Olsen discovered that surveillance cameras he purchased through Amazon were embedded with malware. Olsen had purchased the USG Sony Chip HD 6 Cameras, marketed as “Affordable High Definition CCTV Video Surveilance” to provide outdoor surveillance for a friend’s home. In keeping with the marketing pitch, he thought the 6 cameras and recording equipment were a good deal.
In a blog post, Olsen describes how he received the cameras and experienced trouble as soon as he tried logging into the administrator page to configure the system. “First of all something seemed a bit off, the interface showed the camera feed but none of the normal controls or settings were available.” Since Olsen is a software engineer, he began to investigate the underlying CSS code of the page which is supposed to contain the camera’s settings. He thought a simple flaw was hiding the settings he required to configure the surveillance system. Instead, he found an iframe emedded linking to a suspicious website.
The website in question was brenz.pl which has been associated with distributing malware for years. Accordingly the site was being used to distribute malware as far back as 2009. Since this surveillance system has the malware link embedded in its administrator page, malware targeting the system could potentially be used to steal data from the device or infect the user’s computer in other ways.
The method of infecting users with malware by hiding it inside devices is not wholly unexpected, though most of us would expect a purchase from Amazon to be relatively safe. In this case one of the people who purchased the device, Mike Olsen, had the necessary skills to uncover the problem with the device. As more people integrate internet-connected devices into their homes, more cybercriminals will use it as an opportunity to compromise home networks.