Skip to main content

Extra care should now be taken when buying security electronics from online retailers such as Amazon, as they could end up infecting your network.

Recently, an independent security researcher discovered that some of the CCTV surveillance devices sold online came with pre-installed malware.

The security researcher discovered the harmful malware after they had bought a set of outdoor CCTV surveillance cameras from Amazon for a friend.

They ordered a Sony Chip HD 6 Camera 1080P PoE IP CCTV surveillance camera kit sold by the Urban Security Group (USG) on Amazon, as it had some good reviews and was relatively cheap for a set of 6 cameras with all the necessary equipment included.

While helping set up the cameras, the researcher logged into the administrator control panel to configure the security system and found unusual controls and settings.

Assuming that it was the result of incorrect programming, the researcher opened up the browser’s developer tools and was shocked to discover a hidden iFrame within the bottom of the body tag, accessing content from the website Brenz.pl.

After a quick search on Google, the researcher revealed that the Brenz.pl domain was primarily used in the distribution of malware campaigns, according to an article written in 2011 by cyber-security vendor Sucuri.

Simply put, the security kit could easily be infected with malware at any time, or whenever the Brenz.pl operator decided to push the malicious code to the DVR’s backend using the hidden iFrame as a gateway. Once the CCTV camera’s operator then accessed that page, the harmful malware would be downloaded and installed. This would then potentially lead to unlawful spying and data theft.

The malware distributed by the security cameras can have the ability to hijack video feeds or make the camera’s part of a DDoS Botnet, something that happened almost five years ago.

So be very careful when buying any security equipment, if possible get the advice from a professional before purchasing, even from a trusted website.