Security researcher finds malicious code embedded within cameras offered for sale on Amazon
Last week, independent security researcher Mike Olsen discovered that CCTV surveillance rigs sold on Amazon came with pre-installed malware. He said in a blog post that he made the discovery while visiting a friend and helping him install and fine tune his new outdoor surveillance tech.
Olsen said that he was searching for “a simple set of good outdoor surveillance cameras” for a friend, when he found what he thought was a good deal for 6 Sony Chip HD PoE cameras and recording equipment.
The seller, Urban Security Group, had mostly good reviews, so Olsen made the purchase.
After purchasing the kit, Olsen started setting up the surveillance system, logging into the administrator panel to configure it. When trying to set up the camera kit, Olsen said that “something seemed a bit off.”
According to the researcher, while the page hosted the camera feed, no “normal controls or settings were available.”
Olsen considered that a bad style could be hiding these controls and opened up developer tools, only to discover “an iframe linking to a very strange looking hostname.” He googled the name and found that the host name, Brenz.pl, is linked to malware distribution. Further investigation revealed the host name, Brenz.pl, is linked to malware distribution.
This is not the first time Brenz has been found spreading malware. According to cybersecurity firm Sucuri, it was first spotted distributing malware in 2009, before being shut down. However, Brenz did not stay down; the host re-emerged in 2011. Compromised domains link to the address through malicious iFrames for the purpose of distributing malware hosted on the website.
VirusTotal recognizes the web domain as a malicious source and scans disclose that Brenz.pl may be hosting Trojans and viruses.
If the device’s firmware links to this domain, malware can be downloaded and installed, possibly leading to unlawful surveillance and data theft.
The problem was also recently brought up in a forum post on the SC10IP firmware, which is used in commercial products and also links to Brenz.pl.
After finding the malware, Olsen said he contacted Amazon who subsequently told him they would contact USG. However, as of now, neither vendor has taken action yet. The surveillance kit is still available for sale on Amazon.
It’s unclear how the kits became infected but Olsen pointed out that the device wasn’t delivered directly from China where the product is supposedly made.
Any device, especially when it contains networking or Internet capabilities, can pose danger to personal safety and data security, and while the average person is unlikely to do a full-scale code search, checking reviews and alerts for such products online is worthwhile even if the platform is trusted.
“Amazon stuff can contain malware,” Olsen said.
Last month, a Whirlpool enthusiast cautioned users in a forum that they came across a version of the camera’s firmware which had malware embedded in the HTML pages.