Robert Graham is a well-known hacker and CEO of Errata Security, who blogs frequently on cyber-security and cyber-rights issues at blog.erratasec.com. He is famous for having created BlackICE, sidejacking and masscan. He, and others using his tools, regularly scan the entire Internet, so you'll see his name in your server logs.
Obviously, Graham wasn't so naive as to do this without protecting himself. He set up a Raspberry Pi as a router/firewall/NAT to isolate the camera from his home network and rate-limit its outgoing traffic. The camera was walled off from the rest of the network and rate-limited so it couldn't participate in any DDoS attacks. He monitored its traffic carefully, expecting to see — as others have — attempts to take over the device. But even the most jaded among us probably wouldn't have guessed it would take less than two minutes.
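The following is an added example of the kind of Raspberry Pi isolation described above; it is my own iptables rule set, not Graham's actual configuration. It assumes a Pi with two interfaces (eth1 toward the camera, eth0 toward the home LAN and uplink), the subnets and camera address shown, and a limit on new outbound connections per minute; all of these are assumptions and can be overridden from the environment. Inbound to the camera is denied by default and only logged; setting EXPOSE_PORT forwards one TCP port so that inbound attempts can be observed, which is the part that makes Graham's "how long until something knocks" measurement possible.

```shell
#!/bin/sh
# Added example, not Graham's actual configuration: iptables rules for a Raspberry Pi
# with two interfaces, one facing an untrusted IoT camera and one facing the home LAN.
# Interface names, addresses and limits below are assumptions; override via environment.
: "${IOT_IF:=eth1}"                  # camera side of the Pi (assumed)
: "${LAN_IF:=eth0}"                  # home LAN / uplink side of the Pi (assumed)
: "${IOT_NET:=192.168.50.0/24}"      # subnet the Pi hands out to the camera (assumed)
: "${CAMERA_IP:=192.168.50.10}"      # camera's address on that subnet (assumed)
: "${LAN_NET:=192.168.1.0/24}"       # home LAN the camera must never reach (assumed)
: "${MAX_NEW_PER_MIN:=10}"           # new outbound connections per minute the camera may open
: "${EXPOSE_PORT:=}"                 # empty = no inbound at all; set a port to observe inbound attempts

# Emit the rule set as shell commands (dry run); nothing is applied here.
build_rules() {
  cat <<EOF
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -t nat -F POSTROUTING
iptables -t nat -F PREROUTING
# Camera gets NAT to the uplink; its real address never leaves the Pi.
iptables -t nat -A POSTROUTING -s $IOT_NET -o $LAN_IF -j MASQUERADE
# Replies to connections already allowed, in either direction.
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Wall the camera off from the home LAN: log, then drop.
iptables -A FORWARD -i $IOT_IF -d $LAN_NET -j LOG --log-prefix "IOT-LAN-BLOCK: "
iptables -A FORWARD -i $IOT_IF -d $LAN_NET -j DROP
# Outbound from the camera: log each new connection, allow up to the rate limit,
# then log and drop the excess so a hijacked camera cannot flood or scan at full speed.
iptables -A FORWARD -i $IOT_IF -o $LAN_IF -m conntrack --ctstate NEW -j LOG --log-prefix "IOT-OUT-NEW: "
iptables -A FORWARD -i $IOT_IF -o $LAN_IF -m conntrack --ctstate NEW -m hashlimit --hashlimit-name iot_new --hashlimit-mode srcip --hashlimit-upto $MAX_NEW_PER_MIN/minute --hashlimit-burst 20 -j ACCEPT
iptables -A FORWARD -i $IOT_IF -o $LAN_IF -m conntrack --ctstate NEW -j LOG --log-prefix "IOT-RATE-LIMIT: "
iptables -A FORWARD -i $IOT_IF -o $LAN_IF -m conntrack --ctstate NEW -j DROP
EOF
  if [ -n "$EXPOSE_PORT" ]; then
    cat <<EOF
# Observation mode only: forward one TCP port to the camera and log every new
# inbound connection, so the log shows who knocks and how soon after link-up.
iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --dport $EXPOSE_PORT -j DNAT --to-destination $CAMERA_IP:$EXPOSE_PORT
iptables -A FORWARD -i $LAN_IF -o $IOT_IF -p tcp -d $CAMERA_IP --dport $EXPOSE_PORT -m conntrack --ctstate NEW -j LOG --log-prefix "IOT-IN-NEW: "
iptables -A FORWARD -i $LAN_IF -o $IOT_IF -p tcp -d $CAMERA_IP --dport $EXPOSE_PORT -m conntrack --ctstate NEW -j ACCEPT
EOF
  fi
  cat <<EOF
# Anything else aimed at the camera is logged and falls through to the DROP policy.
iptables -A FORWARD -i $LAN_IF -o $IOT_IF -m conntrack --ctstate NEW -j LOG --log-prefix "IOT-IN-DROP: "
EOF
}

# Apply the rules on the Pi itself (needs root, the iptables package and conntrack/hashlimit modules).
apply_rules() {
  sysctl -w net.ipv4.ip_forward=1
  build_rules | sh -e
}

# "./iot-wall.sh" prints the rules for review; "./iot-wall.sh apply" installs them.
if [ "${1:-}" = "apply" ]; then apply_rules; else build_rules; fi
```

The rate limit is deliberately on new connections rather than bandwidth: a camera streaming video to its cloud service opens few connections, while a bot joining a flood or scanning opens thousands, so this is the knob that separates the two without breaking the device's normal use.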
Ninety-eight seconds after it jumped on the WiFi, the camera was attacked by a worm that knew the default login and password. The worm (its advance agent, really) checked the specs of its new home and then downloaded the rest of itself onto the device. Within 5 minutes, it was compromised by a Mirai-like botnet/worm and, had Graham not locked it down beforehand, would then have been ready to participate in all manner of online shenanigans.
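To turn the monitoring described above into numbers, here is an added sh/awk log analyzer (my own, not from Graham's post). It runs over constructed dmesg-style lines of the kind a Pi firewall would write if its LOG rules used prefixes such as IOT-IN-NEW and IOT-OUT-NEW; those prefixes, the interface names, the addresses (documentation ranges) and the timings are all assumptions, and the 98-second gap in the sample is constructed to match the figure in the text. It reports how long after link-up the first unsolicited inbound connection arrived, which sources knocked and how often, and which new destinations the camera reached out to after that first knock, the "downloaded the rest of itself" stage.

```shell
#!/bin/sh
# Constructed sample kernel log ([seconds] timestamps as dmesg prints them); addresses
# are RFC 5737 documentation ranges and the timings are invented for this example.
SAMPLE_LOG='[  41.210000] eth1: Link is Up - 100Mbps/Full
[  63.004120] IOT-OUT-NEW: IN=eth1 OUT=eth0 SRC=192.168.50.10 DST=198.51.100.20 PROTO=UDP DPT=123
[ 139.602311] IOT-IN-NEW: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.168.50.10 PROTO=TCP DPT=23
[ 140.118400] IOT-IN-NEW: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.168.50.10 PROTO=TCP DPT=23
[ 212.550002] IOT-IN-NEW: IN=eth0 OUT=eth1 SRC=198.51.100.9 DST=192.168.50.10 PROTO=TCP DPT=2323
[ 301.000000] IOT-OUT-NEW: IN=eth1 OUT=eth0 SRC=192.168.50.10 DST=203.0.113.7 PROTO=TCP DPT=80
[ 302.000000] IOT-RATE-LIMIT: IN=eth1 OUT=eth0 SRC=192.168.50.10 DST=203.0.113.50 PROTO=TCP DPT=23'

# stdin: log lines. stdout: whole seconds from the camera link coming up to the first
# unsolicited inbound connection, or "none" if nothing knocked.
time_to_first_attack() {
  awk '
    { match($0, /^\[ *[0-9.]+\]/); ts = substr($0, RSTART + 1, RLENGTH - 2) + 0 }
    /Link is Up/ && up == "" { up = ts }
    /IOT-IN-NEW:/ && up != "" && first == "" { first = ts }
    END { if (first != "") printf "%d\n", first - up; else print "none" }
  '
}

# stdin: log lines. stdout: one line per inbound source, "<ip> <count>", sorted by ip.
inbound_sources() {
  awk '
    /IOT-IN-NEW:/ { for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) n[substr($i, 5)]++ }
    END { for (s in n) printf "%s %d\n", s, n[s] }
  ' | sort
}

# stdin: log lines. stdout: "<ip>:<port>" for each new outbound connection the camera
# opened after the first inbound knock; a fresh destination here is the follow-up download.
outbound_after_first_attack() {
  awk '
    { match($0, /^\[ *[0-9.]+\]/); ts = substr($0, RSTART + 1, RLENGTH - 2) + 0 }
    /IOT-IN-NEW:/ && first == "" { first = ts }
    /IOT-OUT-NEW:/ && first != "" {
      dst = ""; dpt = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^DST=/) dst = substr($i, 5)
        if ($i ~ /^DPT=/) dpt = substr($i, 5)
      }
      printf "%s:%s\n", dst, dpt
    }
  '
}

# stdin: log lines. stdout: how many outbound connections the egress rate limit dropped.
rate_limit_hits() {
  grep -c 'IOT-RATE-LIMIT:'
}

# Stand-alone run over the constructed sample (on a real Pi: dmesg | time_to_first_attack).
printf 'seconds to first attack: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | time_to_first_attack)"
printf 'inbound sources:\n%s\n' "$(printf '%s\n' "$SAMPLE_LOG" | inbound_sources)"
printf 'outbound after attack: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | outbound_after_first_attack)"
printf 'rate-limit drops: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | rate_limit_hits)"
```

On a real Pi these functions would read `dmesg` or the kernel log file; the interesting signal is the last function, since a camera that starts opening connections to the same address that just logged into it is the clearest sign that the login succeeded.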
The camera, made by a cheap off-brand company that sells smartwatches for $12, isn't exactly best-in-class. Still, you might want to order one to tinker with at home if you're interested in security, or you might want to avoid buying one if you're in the market for WiFi-connected security cameras.
This type of thing could be fixed with a firmware update or, in some cases, by simply changing the default password, but not everyone knows to do that, and even the most tech-savvy people might not get that done in two minutes. Better-quality devices will almost certainly be better protected against this kind of thing, and may for example block all incoming traffic until they’re paired with another device and set up manually. Still, this is a good reminder that it really is a jungle out there and there is still work to be done regarding the security of Internet of Things (IoT) devices.
Main lesson to be learned: Always change the default username and (at least) the default password for any new network-enabled device you purchase. And do this by connecting the device to your laptop using a crossover cable and with Internet sharing switched off, because otherwise the device might already be infected before you have even had a chance to log in.