Rarely does one story run such a gamut of security threats, encapsulating in this case, Internet of Things risks, supply chain infiltration and some circa-2008 malware for good measure.
But that’s what we have with this week’s saga of the body cameras, marketed for police use, that were shipped already infected with the Conficker worm.
IT integrator Jarrett Pavao, owner of iPower Technologies of Boca Raton, Fla., told Threatpost on Tuesday that he still hasn’t heard an explanation from Martel Electronics of California, makers of the Martel Frontline Camera. Two of the $499 cameras were bought and shipped to iPower last week; the integrator bought the cameras to test a cloud service being developed by iPower to host police body camera video.
“We plugged the first one in, and our antivirus and firewall went nuts detecting Conficker,” Pavao said. “We thought it was a false positive, that there was no way a new camera would have this embedded in it. We submitted the sample to VirusTotal and was run through 40 filters, all of them said it was Conficker. We said ‘This is crazy.’”
Pavao decided to test the second camera, but did so on a virtual machine in a lab setting running Wireshark.
“Out of the box it started hitting other machines on our lab network, breaking into network shares, trying brute-force attacks,” Pavao said. “It reached out to IPs in China and Brazil as well.”
The Wireshark session was recorded and is in the video below. Pavao then reached out to Martel Electronics via email and a phone call to a low-level support technician, but the manufacturer, which has been in business for three decades, did not believe Pavao.
“They said: ‘There’s no way this can happen,’” Pavao said. “They didn’t think there was any software in the camera.”
In fact, Martel ships its software separately in a CD that helps facilitate file transfers between the camera and PCs. Pavao said that he explained that the problem was indeed software embedded in the camera.
“Martel claims they make all their cameras themselves,” Pavao said. “But I’ve got to guess it has something to do with the storage media in the cameras. They’re probably made somewhere with no quality control.”
There have been claims of supply chain interdiction in a number of high-profile attack campaigns where hardware is infected somewhere during shipping to specific targets. But given that this infection is Conficker, a seven-year-old piece of malware that has had its heyday and has largely been contained, this is likely not quite so sinister.
“Probably the storage medium in these things, wherever they’re sourcing parts from, was loaded with the virus for so long and now it’s in these cameras,” Pavao speculated. Not that Martel is saying either. Aside from their non-communicative stance with iPower, three phone calls and one email from Threatpost on Tuesday went unanswered.
Conficker arrived in 2008 and promised to make a splash on April Fool’s Day 2009 with a major update that caused some panic in security circles. As it turned out, the update was just a new configuration for its command and control infrastructure. Regardless, Conficker made its mark as prolific network-based malware used primarily to steal credentials, exploiting Windows vulnerabilities and moving via shared network drives. Microsoft long ago patched the vulnerability exploited by the worm, yet for a long while it continued to exploit computers that were slow to be patched.
Pavao said in a post to the iPower website that manufacturers, especially in the IoT age, must adhere to strict security protocols.
“If products are being produced in offshore locations, what responsibilities lie with the manufacturer to guarantee our safety? Ultimately, the public has to understand that pretty much any device we use today that connects to the Internet or a computer, has the potential to be compromised,” Pavao wrote. “This discovery has a huge impact, as these devices are being shipped every day to our law enforcement agencies.”