UPDATE: On reddit there were some comments about newer axis IP cameras. It turns out that they put a lot of effort in securing the newer models and keeping them up to date. This means that the attacks described below won’t work on them. What a pleasant surprise.

Introduction

With every passing year DDoS attacks seem to become more common and more powerful than in the year before. The attacks on krebsonsecurity.com and DynDNS were probably the events that drew the most media attention to the topic in 2016 and led to a sudden awareness of how fragile modern internet infrastructure actually is.

But how on earth was it possible for a single group of attackers to build a botnet so massive that it could easily take down almost any web site and even bring well known DDoS protection services to their limits? The answer is IoT. For a long time internet of things devices like IP cams were pretty low level targets for hacking as they either had standard credentials or were awfully coded and easily exploitable. I decided to take a look at one of those cams to see if it was as bad as most of us think.

Continue reading