Crooks are hijacking CCTV cameras in shopping malls to launch denial-of-service attacks, datacenter security firm Imperva warns.

The abuse is possible because camera operators are taking a lax approach to security and failing to change default passwords on the devices.

CCTV equipment are common Internet-of-Things (IoT) device. Imperva first warned about CCTV botnets in March, 2014. In this latest attack, Imperva uncovered that a CCTV botnet in a shopping centre just five minutes from their offices (in the Tel Aviv area of Israel) was partly to blame for cyber-mischief that its security researchers had stumbled upon.

The otherwise run-of-the-mill assault consisted of HTTP GET floods that peaked at around 20,000 requests per second, with its traffic originating from roughly 900 CCTV cameras spread around the globe. The target of the resulting packet flood was a rarely-used asset of a large cloud service, catering to millions of users worldwide. Imperva is not naming the firm targeted.

The attack itself was nothing out of the ordinary. The surprise came later when, upon combing through the list of attacking IP addresses, Imperva discovered that some of the originating devices were located down the road.

A blog post (extract below) by Imperva explains the mechanism of the attack in more depth.

All compromised devices were running embedded Linux with BusyBox – a package of stripped-down common Unix utilities bundled into a small executable, designed for systems with limited resources. The malware we found inside them was an ELF binary for ARM named (.btce), a variant of the ELF_BASHLITE (AKA Lightaidra and GayFgt) malware that scans for network devices running on BusyBox, looking for open Telnet/SSH services that are susceptible to brute force dictionary attacks.

The compromised cameras monitored by Imperva were logged into from multiple locations in almost every case. This suggests that multiple hackers were abusing the same easily abused computing resource.

Fun and selfies with insecure CCTV systems. Context https://t.co/L1nL1SnpSQ Pic via @ZigZag_IL pic.twitter.com/RVMoX9uzc0 — The Register (@TheRegister) October 22, 2015

Imperva is drawing attention to the incident in order to raise awareness about the importance of basic security practices – as well as the threat posed by unsecured connected devices. Whether it be a router, a Wi-Fi access point, or a CCTV camera, default factory credentials always need to be changed after installation. ®