Security comes in many forms, and they’re not always compatible with one another.
That’s what a security researcher named Mike Olsen found when he went to set up an outdoor surveillance system that he had purchased on Amazon from a seller called Urban Security Group. As Olsen writes in a blog post, he found himself frustrated by the cameras’ configuration interface, so he looked at their administrative settings. What he found was a link to Brenz.pl, a site that has infected thousands of domains with malware.
Brenz.pl, as one recent post on Cyberconflict News explains, “is used by cybercriminals to infect unaware users with malware and Trojans which allow the cybercriminals to gain full control of the infected device.” In this case, the site appears to be accessed through iframe injection, a technique that loads elements of another webpage within the one a user has deliberately accessed. While this method is widely used across the web for legitimate purposes, it also has a wide range of malicious applications.
Though it’s not yet clear how the link to Brenz.pl showed up in the cameras’ firmware, Olsen isn’t the first person to have noticed it. As he points out, a Whirlpool Forums commenter discussed the troublesome redirect back in March, having found it in the firmware of a different model of camera. In an email to Slate, Olsen wrote that though it “looks like … some Chinese sites are hosting the [malicious] file,” it’s hard to know where and how it found its way onto the specific set of cameras that he purchased. “Since the distribution path of the device is unknown, it could have easily happened in transit,” he told me.
ZDNet’s Charlie Osborne, who called attention to Olsen’s post, writes, “The take-home from this is that any device, especially when it contains networking or Internet capabilities, can harbour threats to personal safety and data security. …” That’s long been true for the so-called Internet of Things more generally. As Slate’s Lily Hay Newman has repeatedly reported, all sorts of devices are hackable these days—tea kettles, baby monitors, and more. Those vulnerabilities may be even more meaningful, however, when they crop up in products meant to make us safer.
Olsen, for his own part, tells me that after he noticed the problem he reached out to Amazon, which hasn’t yet provided any “resolution or comment.” Meanwhile the seller has only “offered up a download to a replacement firmware file.”
By his own reckoning, Olsen was “lucky” to have noticed the troublesome redirect in the first place. But he has few recommendations for those looking to avoid such problems, apart from being careful about the source of your purchases. As he points out, the Amazon label may offer users a false sense of security, since any number of devices shipped through its fulfillment service can be subject to modification by malicious third-party sellers. “My suggestion is simple,” he told me. “retail stores are still more trustworthy than online [merchants]. They have solid product distribution networks and quality control on inventory.”
When I contacted the Brooklyn-based Urban Security Group, a representative assured me that none of its products have “spyware, viruses, or malware of any sort.” “We’ve sold about 200x cameras since the beginning of the year (we are a 2 person small business selling on Amazon) and NONE have had any issues,” he wrote. He pointed out that the forum posts Olsen referenced referred to cameras made by different companies and distributed by other merchants.
If that light, the problem may actually be more widespread, an issue with security cameras more generally rather than with those sold by Urban Security Group in particular. Though Olsen still argues that the seller should take responsibility, he agrees that the malware probably originates with the manufacturer or manufacturers producing these cameras. That’s a disquieting possibility, not least of all because it might mean that the very devices we use to keep ourselves safe may be making us less so.