Researcher says he found a link to malware on home security cameras from Amazon, but the seller says its cameras are clean.

Mike Olsen wanted to set up a home security camera system for a friend. But the education technology company co-founder said the system set-up he saw on the computer screen was perturbing.

“Something about it didn’t seem right,” Olsen told Archer News. “The normal configuration options you see in these types of cameras were missing. Started digging around to see if they were just hidden and stumbled across this.”

“This,” he said, was a connection to malware buried inside the very system that was supposed to protect his friend’s home.

He wrote a blog post about the camera system—a Sony Chip HD 6-camera 1080p Power over Ethernet IP CCTV system purchased on Amazon through Urban Security Group—alerting the public to his discovery.

Urban Security Group said the blog post and subsequent news stories have been a disaster.

“Out of the thousands of cameras we have sold in the past 2.5 years, we’ve NEVER anyone accuse of this spreading malware because it has NEVER happened, not to Mike not to any of our customers,” Urban Security Group’s Max Globin told Archer News in an e-mail.

What happened?

Olsen said he opened up the camera’s developer tools and found an unusual ‘iframe’—a line of code used to embed something, like a web page, within a document.

“The host name was very strange and an iframe with a height of 1px is usually something to investigate,” Olsen said.

He said the host name, or domain name, was Brenz.pl. He did a search of the name, and said researchers at cybersecurity company Sucuri had identified it as a site used to distribute malware in the past.

“Brenz.pl is back with malicious iframes,” wrote Sucuri’s David Dede in a blog post in 2011, saying the site had also been used to distribute malware in 2009.

“VirusTotal [a site that analyzes suspicious files and URLs] recognizes the web domain as a malicious source and scans reveal that Trojans and viruses may be hosted by Brenz.pl,” reported ZDNet in an article about Olsen’s discovery.

Secret door

In this case, it appears the camera itself was not yet infected with malware, said researcher Daniel Lance with cybersecurity company Archer Security Group, which is not affiliated with Urban Security Group.

“The iframe they used isn’t malware, but its intent is to distribute malware,” Lance said. “Malicious code in this case isn’t already on the device. It makes a call to a website and it hands off what appears to be a Trojan.”

If the camera did make the call to the website, what could happen?

“Depending on the malware loaded onto the system, an attacker could turn off the system at will and make the owner think that it was still operational,” said Patrick Coyle with Chemical Facility Security News.

“Depending on how the malware was loaded onto the system, it could be anything from relatively easy to nearly impossible to get the malware off the system,” he added. “The more experienced the attacker, the harder it will be to remove the malware.”

Seller’s view

The company that sold Olsen the cameras said it tests its products for infections.

“All of our products and websites are thoroughly analyzed for ANY malware, spyware or viruses,” said Globin.

Globin said that Olsen brought the iframe onto the system himself.

“The kit purchased by Mike Olsen was our kit,” he wrote. “But the cameras we sent him were spyware free. The issue with Mike arose when he applied another firmware having some iframe link to a ads page. Again all of our products are thoroughly scanned on an ongoing bases.”

However, Olsen said he did not apply anything to the system.

“I didn’t,” he said. “It came on the cameras out of the box!”

Do not buy?

Olsen wrote “Warning, do not buy this item!” on his blog post.

But the seller argues that the iframe could have gotten onto the system another way, rather than through its product.

“We have been doing further investigating and again can confirm NO camera that we ever mailed out had the firmware that Mike is accusing us of infecting with a link to the www<dot>bronze<dot>pl site,” Globin said. “There could be numerous reasons why his computers had the iframe in their web browser.”

“Out of the 2,500+ cameras we have sold on the past 2.5 years not one has ever had any or links to spyware, malware, or viruses. You can check any of our cameras and confirm with every single customer this fact,” he said.

Other cameras

Olsen pointed out that other security camera buyers are reporting similar problems on user forums.

Globin said those people did not buy from Urban Security Group.

A user on IPcamtalk said he found a malicious iframe leading to Brenz.pl in his camera system in March.

“After a quick google, it seems that whoever wrote the firmware has a virus that infects all webpages on their computer. Or (hopefully not) they are intentionally doing this. I have contacted the seller anyway and hopefully he will rectify this,” the user wrote.

Later, the user reported that the seller sent him a link to new firmware.

He recommended that people updating their firmware check to see if the downloaded file actually matches the size it says it should be, as it could be a clue to problems.

Also in March, a user on Forums.whirlpool.net.au reported finding malicious iframes in firmware for another camera. The iframes lead to the site Brenz.pl, the user said.

“The site is recognised by Chrome’s malware detection, so you get a big warning not to proceed,” the user wrote. “It has also been taken over by CERT PL [computer emergency response team in Poland], so i presume it can’t cause any harm now.”

Security holes?

Cybersecurity experts say there are a number of ways that security problems can end up on security cameras.

For example, the people who develop the system or write the firmware can have poor security on their computers. Or the site where you go to download updated firmware can be vulnerable, leaving a hole for attackers.

“That is what’s great about attacking the web server, from the attackers’ point of view,” said Lance. “They know they can insert an iframe—the line of code that allowed this attack—and not compromise the firmware to the point where they will need to have the device in hand or the environment the device was developed in.”

Supply chain

There could also be a problem with “supply chain cybersecurity,” suggested Coyle.

“‘Supply chain cybersecurity’ describes the means that we have for ensuring that the electronic equipment that we buy has the same—and only that—software/firmware that was installed by the manufacturer,” he explained.

“The average consumer has no way of knowing if or what changes have been made to the device’s software or firmware before they buy the device,” he said.

You may buy something in a sealed package, but can you verify it is the same seal that the manufacturer put on your package?

“And if the bad guys have found out a way to get around the particular type of ‘tamper resistant’ seal on the package, then even that is worthless,” he said.

This kind of attack does not happen often, but will likely grow in the future, Coyle said.

“The fringe manufacturers and the fringe vendors will be the first to experience this on a large scale—to maintain their tight margins they have a tendency to cut corners in non-productive areas like security,” he said.

“As it becomes more obvious to the bad guys that it is more effective to infect devices before they are bought than to try to trick buyers into infecting their own devices, we will see this become much more widespread,” he added.

Mike’s cameras

Urban Security Group advertises on Amazon that its cameras are made in China and shipped directly from its factory.

“Eliminate Middlemen = Save Money,” the company says.

Olsen said in a Twitter post that his cameras did not come with security seals.

“The boxes didn’t have any security stickers, the cameras were in a pre-formed bubble wrap but uplink cable was exposed outside it,” he wrote.

Not always secure

There have been problems with security camera systems in the past.

Hackers used malware to infect security camera DVRs in 2014, reported WIRED. The malware spread from system to system, and also mined for bitcoin in the process, likely causing the system to slow down, according to the article.

Last year, researchers found that body cams for police departments across the U.S. came with malware pre-installed, reported SC Magazine. 

“This sort of problem exists because factories in China are running pirated copies of XP [Windows operating system] that haven’t been patched in forever!” cybersecurity company F-Secure’s Sean Sullivan told SC Magazine.

Malicious hackers used malware to turn almost a thousand security cameras into a botnet in 2015, and then used the botnet to attack other sites, reported Engadget.

“The intruders compromised cameras from multiple brands, all of which had lax out-of-the-box security—in some cases, they’d been hacked by more than one person,” Engadget said. “Closed-circuit security cameras are supposed to make you safer, but some malware is turning them into weapons.”

Next step

Olsen recommended that everyone check their security cameras system for suspicious items—did your camera come with a malicious iframe? Did someone—maybe even you—“update” your firmware and bring a malicious iframe on board?

“I actually do not think USG [Urban Security Group] knew about it but their reaction to the situation has been concerning,” he said in an e-mail.

Urban Security Group said the controversy has caused the company big problems, and Amazon has now suspended their account.

“Mike, with one blogpost, has single handedly DESTROYED my, my partner’s and our families’ hopes, dreams and LIVES! Again ONE customer out of thousands in the past years post a LIE online and leads to our devastation,” Globin wrote.

Amazon will now test the cameras to verify his claims, Olsen said.

Until then, the case of the telltale iframe continues, and with so much—your security, a company’s reputation, your ability to trust any new technology you buy—at stake.