Within a day, low-end digital video recorders connected to the internet are infected with malware that stealthily mines Bitcoins on behalf of attackers.

Researchers at the security-training outfit SANS Institute published a blog post on an infection that was very impressive, because the DVR has no interface for downloading software from the internet. The absence of Wget, ftp or Kermit applications made things challenging for the attackers. They worked around the limitation by uploading and executing a Wget package using a series of Unix commands, then used it to retrieve the Bitcoin miner from a server connected to the internet.

Last Monday’s observations from SANS Chief Technology Officer Johannes Ullrich indicate that these infections are part of an ongoing increase in the vulnerability of internet-connected appliances to malware attacks. In this case, he set up a “honeypot” in a laboratory with an EPCOM Hikvision S04 DVR. On day one, 13 different IP addresses probed it, and six of them were able to log on with the default “root” username and its password “12345”.

Of the six attackers, one went even further. The attacker gained root access to the DVR and used the Unix command “echo” through the telnet interface to install a Bitcoin-mining app. In theory, the DVR was now solving the complex cryptographic problems that mint new digital coins for the operator.
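A defender running a similar honeypot can triage its telnet logs for this pattern. The following is an added example, not code from the SANS post: it assumes a hypothetical log format of `time src_ip event detail`, uses constructed sample records, and ranks each source IP by how far it got, from probe to default-credential login to a file rebuilt with `echo` and then passed to `chmod`.

```python
import re

DEFAULT_CREDS = {("root", "12345")}  # default login reported in the article
# echo with \xNN escapes redirected into a file: a binary rebuilt byte by byte
ECHO_WRITE = re.compile(r"\becho\b.*\\x[0-9a-fA-F]{2}.*?>{1,2}\s*(\S+)")
CHMOD = re.compile(r"\bchmod\s+\S+\s+(\S+)")
LEVELS = ["probe", "default-login", "echo-write", "binary-drop"]

# Constructed records, "time src_ip event detail"; the format is an assumption.
SAMPLE_LOG = r"""
00:01:10 198.51.100.7 LOGIN_FAIL admin:admin
00:01:12 198.51.100.7 LOGIN_OK root:12345
00:01:20 198.51.100.7 CMD cat /proc/cpuinfo
00:02:05 203.0.113.9 LOGIN_OK root:12345
00:02:30 203.0.113.9 CMD echo -ne '\x7f\x45\x4c\x46' > /tmp/f
00:02:31 203.0.113.9 CMD echo -ne '\x02\x01\x01\x00' >> /tmp/f
00:02:40 203.0.113.9 CMD chmod 755 /tmp/f
00:03:00 192.0.2.44 LOGIN_FAIL root:root
00:03:30 192.0.2.80 LOGIN_OK root:12345
00:03:41 192.0.2.80 CMD echo hello > /tmp/note
"""


def triage(log):
    """Map each source IP to the highest stage it reached in LEVELS."""
    level, written = {}, {}
    for line in log.splitlines():
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue  # blank or malformed record
        _, ip, event, detail = parts
        level.setdefault(ip, 0)
        written.setdefault(ip, set())
        if event == "LOGIN_OK" and tuple(detail.split(":", 1)) in DEFAULT_CREDS:
            level[ip] = max(level[ip], 1)
        elif event == "CMD" and level[ip] >= 1:
            m = ECHO_WRITE.search(detail)
            if m:
                written[ip].add(m.group(1))  # remember files built via echo
                level[ip] = max(level[ip], 2)
            m = CHMOD.search(detail)
            if m and m.group(1) in written[ip]:
                level[ip] = 3  # echo-built file had its mode changed
    return {ip: LEVELS[n] for ip, n in level.items()}


if __name__ == "__main__":
    for ip, verdict in triage(SAMPLE_LOG).items():
        print(f"{ip:15} {verdict}")
```

Sources that reach `binary-drop` are the sessions worth pulling full captures for; plain `echo` redirects without byte escapes are deliberately left at `default-login`.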

Ullrich wrote, “Throughout the day, the server periodically pushes parameters to the miner, but I haven’t seen the miner return anything yet, which probably underscores the fact that these miners are pretty useless due to their weak CPUs.” “The DVR did get infected multiple times, but none of the attackers changed the default password, or removed prior bitcoin miners,” he added.

EPCOM Hikvision S04 DVR - Password Change Screen

The Hikvision DVR now joins other devices, such as Android smartphones and Linksys, D-Link and Asus routers, that have been hit with Bitcoin-mining malware. Ullrich’s note says, “The stripped-down hardware contained in these devices makes them an unlikely host for such demanding apps. It’s possible attackers are targeting the devices deliberately under the theory that even low-powered devices will deliver results if enough of them are enslaved at one time. It’s also possible attackers are indiscriminately taking control of large numbers of devices for laughs or simply because they can.”

DVR designers need to make it easier for device owners to set a strong password during initial setup, and to make the device more secure in the face of this increasing vulnerability.