Security researchers have spotted that malware is being used to hijack CCTV cameras all over the world into botnets so that hackers can use them to launch Distributed Denial of Service (DDoS) cyber attacks.

According to research firm IHS Technology, in 2014 there were 245 million video surveillance cameras installed and active globally, and of course, most of these devices are now wirelessly connected, which makes them part of the Internet of Things (IoT).

However, while CCTVs might be providing security to physical locations by recording video footage, researchers from Incapsula have discovered that many Linux-based cameras with poor cybersecurity are quietly being hijacked by malware to serve a more sinister purpose.

Malware attacks CCTV cameras running on BusyBox

The researchers discovered that a botnet made up of about 900 CCTV cameras from countries all over the world were repeatedly attacking a "large cloud service, catering to millions of users worldwide". The researchers will not reveal who, but are certain people could imagine a few companies that fitted the bill.

The researchers found that the compromised CCTV cameras were running on Linux together with BusyBox, which is a package of common striped-down Unix utilities designed for systems with limited resources. The malware attacked by scanning for all network devices running on BusyBox that had failed to secure the telnet protocol, attacking and hijacking them to join the botnet, which then instructed the compromised cameras to send out successive HTTP flooding attacks to a chosen target.

While the compromised cameras were located all over the world, more HTTP flooding attacks originated from hijacked surveillance cameras in India, Peru, Thailand, Vietnam, Egypt, Turkey, Indonesia and Colombia, showing that cybersecurity practices was particularly weak in these nations.

However, the researchers also found a compromised camera down the road from them in a store in California, which showed that anyone could make this mistake. Similar to internet routers, once surveillance cameras are installed and they work, people tend to leave them alone with the same default admin passwords they came out of the box with unless the internet goes down or the camera stops recording, which gives hackers an easy way in.

Cameras hacked by multiple individuals at the same time

Interestingly, the researchers found that the compromised cameras were not just in one single botnet – they had been hacked by multiple individuals and were being instructed to carry out attacks from several different locations in the world at the same time, and all the cameras were different camera models and by different manufacturers.

"We hope our story will raise awareness about the importance of basic security practices—as well as the threat posed by unsecured connected devices. Even as we write this article, we are mitigating another IoT DDoS attack, this time from a network-attached storage (NAS)-based botnet. And yes, you guessed it, those were also compromised by brute-force dictionary attacks," the researchers wrote in a blog post.

"Whether it is a router, a Wi-Fi access point or a CCTV camera, default factory credentials are there only to be changed upon installation. Please do so—or else you too may get a visit from the Incapsula team."