CCTV system comes infected with ancient malware threat

Apr 11, 2016 21:00 GMT

Independent security researcher Mike Olsen discovered last week that CCTV surveillance rigs sold on Amazon came with pre-installed malware.

He made the discovery while visiting a friend and helping him install and fine-tune his new outdoor surveillance tech. The CCTV rig comprised six Power over Ethernet (PoE) Sony cameras, a DVR, and a PoE switch, all bought from a reputable Amazon store with customer ratings.

While trying to access the rig's admin panel, Mr. Olsen discovered that the backend configuration panel was blank, except for a video feed received from the connected cameras, with no other settings.

Thinking there was a problem with the CSS files that prevented the admin controls from showing, he opened the browser's developer tools and was surprised to find a hidden iframe loaded at the bottom of the page, retrieving content from the Brenz.pl domain.

It's safe to say the device's firmware has been compromised

A quick Google search revealed a 2011 blog post by cyber-security vendor Sucuri, which described how the Brenz.pl domain was used in malware distribution campaigns.

Apparently, the domain had been live since 2009 and was actively being used to host dangerous trojans, which would be downloaded onto the computers of infected users.

This meant that the freshly bought, off-the-shelf surveillance camera kit could be infected with malware at any point, if the Brenz.pl operator decided to push malicious code to the DVR's backend via the hidden iframe. Once the camera's operator opened that page, his computer would be infected with malware.
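The check that exposed this rig can be automated: save the admin page's HTML and flag any iframe that loads from a host other than the device itself or is styled to be invisible. The script below is an added example for this article, not code from Mr. Olsen or from Sucuri; the device address, the page markup, and the Brenz.pl path are constructed for illustration, with only the Brenz.pl domain name taken from the article.

```python
"""Audit a saved copy of an embedded device's web admin page for hidden
third-party iframes, the pattern found in the CCTV rig's DVR backend.

Added example, not from the article. The device host and sample page are
constructed; only the Brenz.pl domain name comes from the article.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: the DVR's LAN address and a tampered admin page that shows a
# video feed plus an invisible iframe pointing off-device.
DEVICE_HOST = "192.168.1.50"
SAMPLE_PAGE = """
<html><body>
<div id="video"><img src="/cgi-bin/snapshot.cgi?ch=1"></div>
<iframe src="http://Brenz.pl/rc/" width="0" height="0" style="display:none"></iframe>
<iframe src="/help/frame.html"></iframe>
</body></html>
"""

# CSS fragments that make an element invisible without removing it from the DOM.
HIDDEN_STYLE_HINTS = ("display:none", "visibility:hidden")


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # attrs is a list of (name, value) pairs; value may be None.
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def is_hidden(attrs):
    """True if the iframe is styled or sized so the user would never see it."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if any(hint in style for hint in HIDDEN_STYLE_HINTS):
        return True
    zero_sized = attrs.get("width", "").strip() == "0" or attrs.get("height", "").strip() == "0"
    return zero_sized or "hidden" in attrs


def is_offsite(src, device_host):
    """True if the iframe src names a host other than the device serving the page.

    Relative URLs have no hostname and are treated as on-device."""
    host = urlparse(src).hostname
    return host is not None and host.lower() != device_host.lower()


def audit_iframes(html, device_host):
    """Return a list of {'src', 'reasons'} records for suspicious iframes."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        reasons = []
        if is_offsite(src, device_host):
            reasons.append("loads from external host " + (urlparse(src).hostname or ""))
        if is_hidden(attrs):
            reasons.append("hidden from view")
        if reasons:
            findings.append({"src": src, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_iframes(SAMPLE_PAGE, DEVICE_HOST):
        print(finding["src"], "->", "; ".join(finding["reasons"]))
```

Run against the constructed page, it reports only the Brenz.pl frame (external host and hidden), while the relative help frame passes. On a real device, fetch the admin page with the same browser session, save it, and feed the file to `audit_iframes` with the DVR's address; any external or hidden frame on a firmware that should be self-contained is worth escalating.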

But if the Brenz.pl iframe was already in the firmware, it's reasonable to suspect that other, more dangerous malware might also be included, malware that doesn't rely on the rig's owner accessing the backend. Such malware could hijack video feeds or enlist the user's devices in a DDoS botnet, something that has happened before.