The Dyn attack should be heard loud and clear
On Friday Dyn, a domain name service provider, suffered a distributed denial of service attack.
This was noticed by the world at large as it impacted Twitter and Spotify amongst others. It was the wider world which had unknowingly provided the weapons for this attack, as hackers took over unsecured devices connected to the public internet using malware, Mirai. A large number of the devices used to create the botnet were compromised webcams and CCTV devices, still using default passwords.
Self installed cameras have become a trend amongst those wishing to monitor their homes and offices remotely on their mobile phones and are happy to carry out a bit of DIY to do so. This trend is doing more than threatening the livelihood of traditional alarm installers, it is providing the resources for massive botnets and could be damaging the reputation of the entire CCTV sector, including the alarm monitoring companies.
After this attack, a spotlight has been thrown on the manufacturers of the cameras and one of them, Hangzhou Xiongmai Technology, has admitted that their products running the older version of their firmware would have been vulnerable to being compromised. These cameras are used by security installers, who then bring them on line at customer sites to be monitored by the Alarm Receiving Centres and Remote Video Receiving Centres. The customer then owns the camera but who owns the security? Who is checking that the default passwords are changed? Who is making sure that the firmware is updated regularly? If this doesn’t happen, that camera can be used to take part in large scale attacks like the one which hit Dyn.
When the Financial Times is stating in an article on this topic that “even businesses are finding that well meaning suppliers or facilities managers have accidentally created holes in their corporate networks by adding connected devices” it is time for the security sector to listen. The professional monitoring companies need to be able to differentiate themselves from those who would connect a CCTV network to a corporate LAN and to make sure that their reputations are not in the hands of installers, who do not see the point in changing a password. Beaming has products developed specifically for alarm monitoring companies and their corporate clients to protect them. Contact us.