Researchers have found that it took just one day for a low-end, internet-connected digital video recorder (DVR) to become infected with multiple malicious bitcoin miners.
According to a blog post on Monday, researchers at the security-training outfit SANS Institute were impressed to find that a DVR with no interface for downloading software online could be easily infected. With no Wget, FTP, or kermit applications installed, attackers still found ways to execute their malware on the DVR. To work around the limits of the DVR, hackers used a series of Unix commands that uploaded and executed a Wget package, and then used it to retrieve the malicious bitcoin miner from the Internet.
Researcher and SANS CTO Johannes Ullrich is running an ongoing series on the vulnerabilities and dangers of Internet-connected devices, showing that Internet appliances are vulnerable to multiple sets of attacks. Ullrich wanted to test the vulnerability of a DVR, so he bought an EPCOM Hikvision S04 DVR off eBay, in what was labeled as factory-new condition, and connected it to a laboratory “honeypot” where it would be exposed to various online attackers. Within the first day, the DVR had already been phoning home to 13 different IP addresses, and six of those IP addresses accessed the admin panel with “root” and “12345” as the username and password combination.
One attacker took it even further. After gaining root control of the DVR, the hacker executed a standard Unix “echo” command entered through the telnet interface. Once it was executed, a Bitcoin mining application was installed. The low-end DVR was now solving the algorithms required to mine Bitcoins. Using packet-sniffing software to monitor the data the infected box was sending over the Internet, Ullrich found that the mining server the DVR was connected to relies on a large number of infected machines to carry out the work.
“Throughout the day, the server periodically pushes parameters to the miner, but I haven’t seen the miner return anything yet, which probably underscores the fact that these miners are pretty useless due to their weak CPUs,” Ullrich wrote in his post. “The DVR did get infected multiple times, but none of the attackers changed the default password, or removed prior bitcoin miners.”
DVRs are now joining the growing list of devices that can be infected with Bitcoin mining malware. Ullrich notes that the stripped-down hardware of these devices is essentially useless for mining Bitcoin, even in high numbers. Some researchers noted that attackers may be taking control of large numbers of devices for laughs or because they can.
Ullrich notes that the Hikvision DVR did not ask him to change the default password during setup, and even if users want to change the password, the DVR only allows for number combinations to be submitted as a passcode. The experiment clearly shows that all internet-connected devices are becoming susceptible to real-world attacks.
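For defenders running a similar honeypot, the two behaviours described above (logins with the default “root”/“12345” pair, and a file assembled through “echo” over telnet and then run) can be flagged from a session log. The following is an added example, not code from the article or from the SANS post; the log format, addresses, file paths and the assumption that the echo upload carries bytes as hex or octal escapes are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed telnet honeypot records: (source IP, line typed by the client).
# Record format, RFC 5737 addresses and /tmp paths are assumptions.
SAMPLE_LOG = [
    ("192.0.2.10", "LOGIN root 12345"),
    ("192.0.2.10", "cat /proc/cpuinfo"),
    ("198.51.100.7", "LOGIN root 12345"),
    ("198.51.100.7", r"echo -ne '\x7f\x45\x4c\x46' > /tmp/dl"),
    ("198.51.100.7", r"echo -ne '\x01\x01\x01\x00' >> /tmp/dl"),
    ("198.51.100.7", "chmod +x /tmp/dl"),
    ("198.51.100.7", "/tmp/dl"),
    ("203.0.113.5", "LOGIN admin s3cret"),
    ("203.0.113.5", "echo hello > /tmp/note"),
]

DEFAULT_CREDS = {("root", "12345")}  # the pair reported in the article

# echo whose argument contains hex/octal byte escapes and is redirected to a file
ECHO_WRITE = re.compile(
    r"\becho\b[^|;&]*?(?:\\x[0-9a-fA-F]{2}|\\[0-7]{3})[^|;&>]*(>>?)\s*(\S+)"
)

def analyze(records):
    """Return {ip: sorted findings} for sessions that need an analyst's attention."""
    written = defaultdict(set)   # ip -> files this client assembled with echo
    findings = defaultdict(set)
    for ip, line in records:
        parts = line.split()
        if len(parts) == 3 and parts[0] == "LOGIN":
            if (parts[1], parts[2]) in DEFAULT_CREDS:
                findings[ip].add("default-credential login")
            continue
        match = ECHO_WRITE.search(line)
        if match:
            written[ip].add(match.group(2))
            findings[ip].add(f"binary written with echo: {match.group(2)}")
            continue
        # chmod or direct execution of a file the same client built earlier
        for path in written[ip]:
            if parts and (parts[0] == path or (parts[0] == "chmod" and path in parts)):
                findings[ip].add(f"echo-built file made executable or run: {path}")
    return {ip: sorted(items) for ip, items in findings.items()}

if __name__ == "__main__":
    for ip, items in analyze(SAMPLE_LOG).items():
        print(ip, items)
```

A plain `echo hello > /tmp/note` is not flagged, because the rule requires byte escapes in the echo argument; correlating the write with a later `chmod` or execution of the same path keeps the alert tied to the upload-then-run sequence rather than to echo alone.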