06 May 2014
A regular digital video recorder can be transformed into a Bitcoin-mining bot, according to a blog post by the SANS Institute.
The researchers installed a new EPCOM Hikvision S04 DVR, connected it to a “honeypot” and exposed it to IP requests from unknown sources for a few days. In the first 24 hours, six attackers managed to break the device’s default credentials, username “root” and password “12345”.
One attacker uploaded a bitcoin-mining app to produce new virtual coins.
"Throughout the day, the server periodically pushes parameters to the miner, but I haven't seen the miner return anything yet, which probably underscores the fact that these miners are pretty useless due to their weak CPUs," researcher Johannes Ullrich wrote. "The DVR did get infected multiple times, but none of the attackers changed the default password, or removed prior bitcoin miners."
The device does not ask users to change the default password during setup, nor does it include a firewall, despite being IPv6-compatible.
This is one of the latest examples of home appliances taking center stage in targeted cyber-attacks: home routers, cars and even light bulbs have been hijacked to spy on users.