According to IHS, in 2014 there were more than 245 million video cameras in the world, with a growth rate of about 13.7%. That means that today more than 360 million video cameras are used for security worldwide. Of these, about 20% are connected to the Internet, which gives 72 million potential targets for an attack, or a sizeable resource for further attacks.

In particular, the IP camera, as one more element of the IoT (Internet of Things), contains a Unix computer, and a fairly powerful one. Such cameras have become widespread due to several factors:

Simpler and more flexible video surveillance systems, thanks to the development of cloud and P2P technologies with access via mobile devices.

A reduction in the average price of an IP camera from $500 in 2010 to $130 in 2015, but not dropping below $80 today.

The widespread introduction of video surveillance, not only in industry, but also in public security, small business and the private sector, partly as a result of lower prices.

That is, there are a huge number of stand-alone computers in the world today, a significant part of which are connected to the Internet. There are three potential consequences of your IP camera being hacked:

First, an attacker can gain access to what the camera is recording, and obtain images and confidential information about the company or private life without revealing themselves.

Secondly, the IP camera can be hacked in order to broadcast a fake image or stop transmitting video to the security system at the right time.

Thirdly, it can be hacked to cause harm to third parties, since other IP devices and IP cameras are vulnerable to special malicious programs.

The third point actually describes a more sophisticated way of using your resources. Even if your personal life (the camera image) is of no interest to an attacker, you are still at risk. The likely goal may be not the video, but the software and hardware resources of your IP camera or NVR, which with the help of some tools turn into a means for further attacks, monetization or some other kind of unlawful action (for example, to attack the site of a third-party company).


One of the ways attackers can use your IP camera is to build a botnet.

I propose to consider this topic in more detail, in order to understand how it works and why attackers need it – this will help you understand what actions need to be taken to protect yourself. To begin, we define the terms.

Botnet (from the words robot and network) – a network consisting of a number of computers running bots. Most often, a bot in a botnet is a program that is secretly installed on the victim’s device and allows an attacker to perform certain actions using the resources of the infected computer. It is usually used for illegal or disapproved activities: spamming, brute-forcing passwords on a remote system, denial of service attacks (DoS and DDoS attacks).

So, we now understand what a botnet is, and what spamming and password guessing are is fairly obvious even to a layperson. But what are DoS and DDoS attacks?

DoS (Denial of Service) – a hacker attack on a computer system intended to bring it to failure, i.e. to create conditions under which legitimate users of the system cannot access the resources (servers) it provides, or this access is difficult. The failure of a targeted system can be a step towards taking it over (if in an emergency situation the software discloses critical information, for example the version, part of the program code, etc.). But more often it is a measure of economic pressure: the downtime of an income-generating service, for example stopped transactions or a blocked payment page of a service provider, together with the measures needed to avoid an attack, hits the target significantly. Currently, DoS and DDoS attacks are the most popular, as they allow almost any system to be brought to failure,

If an attack is performed simultaneously from a large number of computers, it is called a DDoS attack (Distributed Denial of Service). Such an attack is carried out when denial of service has to be caused to a well-protected large company or government organization.


As a rule, an attack follows one of three known methods for organizing a DoS attack.

By bandwidth – this type of attack sends a large number of HTTP requests to the website and thereby completely fills its bandwidth, causing a denial of service to ordinary visitors of this Internet resource.

Based on the server protocol – this type of attack is aimed at specific server services and is performed using Internet protocols. Such attacks are often called SYN floods: a large number of SYN requests are sent to the web server, and the server must respond to each with an ACK response. Because of the large number of such requests, the server often cannot cope with processing them and “falls”, i.e. fails.

On the basis of errors of a particular website – this type of attack is the most difficult to execute and is used, as a rule, by highly professional hackers. Its essence is that the victim site contains vulnerabilities whose exploitation causes a high server load and results in a denial of service.
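The SYN-flood case above can be recognised from the server side by counting handshakes that never complete. The following is an added example, not code from the original article: the packet records, addresses, the backlog limit of 128 and the 30-second timeout are all constructed assumptions.

```python
from collections import defaultdict

def make_sample():
    """Constructed capture: (time_s, src_ip, src_port, tcp_flag) seen by the server."""
    pkts = []
    for i in range(3):  # one client that completes every handshake
        pkts.append((float(i), "198.51.100.7", 40000 + i, "SYN"))
        pkts.append((i + 0.05, "198.51.100.7", 40000 + i, "ACK"))
    for i in range(200):  # 50 sources that send SYN and never answer the SYN-ACK
        pkts.append((1.0 + i * 0.01, f"203.0.113.{i % 50 + 1}", 50000 + i, "SYN"))
    return sorted(pkts)

def analyze(packets, timeout=30.0, backlog_limit=128, min_syns=3):
    half_open = {}                    # (ip, port) -> time the SYN arrived
    syns = defaultdict(int)
    completed = defaultdict(int)
    peak = 0
    for t, ip, port, flag in packets:
        # Forget handshakes the server would already have given up on.
        for key in [k for k, t0 in half_open.items() if t - t0 > timeout]:
            del half_open[key]
        if flag == "SYN":             # server replies SYN-ACK and holds state
            half_open[(ip, port)] = t
            syns[ip] += 1
        elif flag == "ACK" and (ip, port) in half_open:
            del half_open[(ip, port)]  # handshake finished, slot released
            completed[ip] += 1
        peak = max(peak, len(half_open))
    # Sources with several SYNs and not one completed handshake.
    suspects = sorted(ip for ip, n in syns.items()
                      if n >= min_syns and completed[ip] == 0)
    return {"peak_half_open": peak,
            "backlog_exhausted": peak > backlog_limit,
            "suspects": suspects}

if __name__ == "__main__":
    report = analyze(make_sample())
    print(report["peak_half_open"], report["backlog_exhausted"], len(report["suspects"]))
```

On Linux servers, SYN cookies (`net.ipv4.tcp_syncookies`) are the usual mitigation once the half-open queue starts filling like this.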

How do hackers organize such attacks?

In order to conduct a DDoS attack, a botnet has to be created by infecting devices. That is why you need to set a password on any smart device, such as a game console, smart printer, your IP camera or NVR. The type of device matters to the attackers only as a way to obtain a tool for further attacks. Let’s try to understand how this happens.

To gain control over an IP video camera, an attacker needs to know at least two things: the IP address and the account login/password. In practice, however, IP addresses can hardly be called a secret. They are easily detected by network scanners, and cameras also respond to requests from search robots. Moreover, even with a configured login and password, access to the camera can often be obtained via a direct link such as /index.htm, after which the login/password can be changed without authorization.

So, first these IP cameras or NVRs have to be found, which can be done either with special queries in popular search engines or in special search engines for the IoT.

Once a potential victim has been found, access has to be obtained. Usually one of several options is used:

Manufacturer’s flaw – a password is not set at all on the IP camera, some manufacturers allow such use of their equipment.

Negligence – the user simply did not change the factory login and password. This is the most common way to capture device control.

Using a vulnerability in the IP camera firmware – this method stems from the fact that most IP video cameras have a vulnerability-ridden web server, GoAhead, on board.

The next stage after gaining control of the device is to inject program code to control this host remotely. After repeating this sequence of actions N times, you get a personal botnet consisting of N devices under your control.

Of course, it must be understood that all methods and resources are presented here for informational purposes only. They are in no case a guide to action and serve solely to give a better understanding of how the attack works and how to build a high-quality defense against it.


In September 2016, after he published an article about groups selling botnet services for DDoS attacks, the site of journalist Brian Krebs fell victim to a DDoS attack whose traffic reached 665 Gb/s at its peak. The site had to close for a while. As it turned out later, the attack was carried out by a botnet of infected IP video cameras, which are a subset of the Internet of Things. In October of the same year, the attackers published the source code of the malware used, now known as Mirai.

Studies have shown that as of September 23, when the attack reached its peak intensity, more than 560,000 devices vulnerable to attacks aimed at creating a botnet could be found on the Internet.

A month later, according to ESET NOD32, a noticeable part of the global Internet worked intermittently for several hours. Many users had problems accessing the best-known video download and viewing services and social networks. The question arises: who carried out such a large-scale DDoS attack, and at whom was it directed? Some of the first information about the incident was again published by journalist Brian Krebs, who stated that the reason for such a large-scale failure was a DDoS attack on the well-known American company Dyn, which provides DNS service for key American organizations. Later, experts found out that the DDoS attack was organized using the same Mirai botnet, the largest one.


Why, in principle, would anyone need a DDoS attack? DDoS attacks are one of the most effective and popular methods of unfair competition. For example, before the holidays and depending on the season, various areas of online business are subject to DDoS attacks. In the fall and spring, online tire shops are attacked, and on February 14 and March 8, flower shops. Election campaigns and elections are a golden time for organizers of DDoS attacks. During such periods, news and political resources are attacked.

DDoS attack:

Cybercriminals who conduct DDoS attacks always aim to bring down the site under attack. To do so, they use a botnet, which can combine network servers, desktop computers and other devices connected to the Internet. They are always looking for easily accessible targets, usually desktop computers, which they can gain access to and then use to attack you.

In some cases, attackers combine several types of attack in order to overcome a potential victim's defenses with a high degree of probability.

How to protect against cyber attacks?

Even with such low-level devices as IP cameras, you should always change the factory logins and access passwords, as well as the standard access ports. Although we do not yet know of botnet infections originating from smart refrigerators, over the years of observation we have come across botnets based on the Internet of Things. Surveillance cameras are among the most popular devices and often become a means of attack.

Of course, logins/passwords for your different services and devices should be different and should not be the simplest ones like “12345” or “QWERTY”.

At a minimum, set up the standard tools of any home router, namely filtering of external connections by MAC address, as well as a username and password, to restrict access to and from your internal network.

Update the firmware of both your network devices and your other equipment in a timely manner. After all, when vulnerabilities are discovered, manufacturers, as a rule, fairly quickly release new firmware with the vulnerability eliminated.
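The recommendations above can be checked against a device inventory in one pass. This is an added example, not part of the original article: the device names, models, firmware versions, credential sets and the list of standard ports are constructed assumptions, and the 10-character minimum is an arbitrary threshold.

```python
from collections import defaultdict

# Constructed assumptions; none of these values come from the article or a vendor.
FACTORY_CREDS = {("admin", "admin"), ("admin", ""), ("root", "12345")}
WEAK_PASSWORDS = {"12345", "qwerty", "password", ""}
STANDARD_PORTS = {80, 554, 8080}          # common HTTP / RTSP defaults
LATEST = {"CAM-A": "1.2.0", "NVR-B": "2.4.1"}
INVENTORY = [
    {"name": "cam-porch", "model": "CAM-A", "login": "admin",
     "password": "admin", "port": 80, "firmware": "1.0.3"},
    {"name": "cam-garage", "model": "CAM-A", "login": "owner",
     "password": "qwerty", "port": 8443, "firmware": "1.2.0"},
    {"name": "nvr-office", "model": "NVR-B", "login": "ops",
     "password": "t7#Lq9vWz!2m", "port": 37001, "firmware": "2.4.1"},
    {"name": "cam-yard", "model": "CAM-A", "login": "yard",
     "password": "t7#Lq9vWz!2m", "port": 554, "firmware": "1.2.0"},
]

def version_tuple(v):
    """'1.10.2' -> (1, 10, 2), so versions compare numerically, not as text."""
    return tuple(int(p) for p in v.split("."))

def audit(devices, latest_firmware):
    findings = defaultdict(list)
    by_password = defaultdict(list)
    for d in devices:
        name, pw = d["name"], d["password"]
        if (d["login"], pw) in FACTORY_CREDS:
            findings[name].append("factory login/password unchanged")
        elif pw.lower() in WEAK_PASSWORDS or len(pw) < 10:
            findings[name].append("weak password")
        if d["port"] in STANDARD_PORTS:
            findings[name].append(f"standard port {d['port']}")
        latest = latest_firmware.get(d["model"])
        if latest and version_tuple(d["firmware"]) < version_tuple(latest):
            findings[name].append(f"firmware {d['firmware']} older than {latest}")
        by_password[pw].append(name)
    # Second pass: the same password must not protect more than one device.
    for names in by_password.values():
        for n in names if len(names) > 1 else []:
            others = ", ".join(x for x in names if x != n)
            findings[n].append(f"password shared with {others}")
    return dict(findings)

if __name__ == "__main__":
    for device, issues in audit(INVENTORY, LATEST).items():
        print(device, "->", "; ".join(issues))
```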