Thousands of web-connected CCTV cameras and webcams have been taken over by hackers to carry out cyber attacks on government department websites and online banks.
The network of compromised cameras was uncovered by researchers at security firm Arbor Networks, who reported that large-scale distributed denial of service (DDoS) attacks took down websites by flooding them with traffic.
The botnet has been assembled by the notorious hacker collective Lizard Squad, best known for taking down the Xbox Live and PlayStation gaming networks, as well as knocking North Korea’s Internet offline in 2014 using its LizardStresser DDoS tool.
“A set of threat actors behind LizardStresser have focussed on targeting Internet of Things (IoT) devices [devices that can connect to the Internet] using default passwords that are shared amongst entire device classes,” Arbor Networks' report explains.
“Utilizing the cumulative bandwidth available to these IoT devices, one group of threat actors has been able to launch attacks as large as 400Gbps targeting gaming sites worldwide, Brazilian financial institutions, ISPs and government institutions.”
Hackers have increasingly targeted IoT devices in recent years due to their relative lack of security compared to computers and smartphones. Earlier this year, a U.S. consumer watchdog launched an investigation into four baby monitor companies after dozens of devices were hacked.
Many security experts say that the fault often lies with the devices' manufacturers, who too often consider the security of a product as an afterthought. “The problem is that many Internet of Things devices are horribly broken security-wise because it costs money to ensure a reasonable standard of protection on a product,” Chris Boyd, an analyst at the security firm Malwarebytes, told in an interview earlier this year. “The fault lies with the vulnerable products.”