If you were not already familiar with the term Distributed Denial of Service (DDoS), then over the past several weeks you probably have become aware of it through various news articles.
A few key points in the media about the DDoS attacks:
- Some of the largest DDoS attacks ever launched[1] in late September
- Release of the Mirai source code used to create the DDoS attacks in early October[2]
- Growth in the number of devices infected by Mirai malware, from 213,000 to 493,000, by mid-October[3]
- Twitter, Netflix, PayPal and many popular sites being unreachable for part of Friday as a result of a new DDoS attack[4]
Were Tyco Products Affected?
These attacks are of special interest for companies such as Johnson Controls because they were launched from botnets composed of “Internet of Things” (IoT) devices, such as CCTV video cameras and digital video recorders[5]. There is no indication that any Tyco Security Products devices were involved in these attacks.
- Illustra cameras are designed to prevent user access to the camera’s operating system; as a result of that decision, telnet is not available on any Illustra camera model.
- VideoEdge NVRs do not support telnet. Also, all known botnet scanners look for a different version of Linux than used on VideoEdge.
- iSTAR controllers do not support any remote access protocol and will not be detected by the malicious scanners.
- DCM controllers, AC200 (RTC) Ethernet Controller and Emerald Intelligent multi-function access terminals do not support telnet.
- exacqVision network video recorders and video management system (VMS) software have SSH disabled, making them unaffected.
- The Kantech access control system also remains unaffected.
- Applications such as AC2000, C•CURE 9000 and victor are not affected. These applications also do not require remote access protocols.
Background: What are Distributed Denial of Service Attacks?
If you are not familiar with a Distributed Denial of Service (DDoS) attack, it is an Internet attack that typically targets websites in an attempt to bring a site down so that it is inaccessible to other Internet users. It is a common tactic for activists and groups looking to suppress information, or a form of extortion in which money is demanded from the victim to cease the attack. These attacks work by flooding the target website with large amounts of data, or requests for data, that use up the website’s resources. With a small attack, the site may appear to be slow, but large attacks can bring down a website, making it inaccessible.
What is a botnet?
These recent attacks have used a ‘botnet’, a network of devices infected with malware that lets the attacker control each device remotely. The owner of the device will not know it has been infected because the malware does not affect the device’s normal operation.
This malware can only be loaded onto a device that has a remote access protocol such as telnet or SSH enabled. Telnet and SSH are common among physical security products, and devices with these protocols enabled will be detected by the scanner. The Mirai malware uses a table of common factory default usernames and passwords to log into devices.
Recommendations for Installers and End Users
If you have a device that is using the default password and has a remote access protocol enabled, you are at risk. To prevent your device from becoming a bot, you should immediately:
- Disable remote access if it is not required.
- Reboot the device. This does not have to be a factory reset; turning the power off, waiting a minute and turning it back on is sufficient.
- Change the password to a complex password. If you do not change the password or have a device that doesn’t allow you to change the password, you run the risk of becoming infected.
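The at-risk condition above (default password plus an enabled remote access protocol) can be checked across a device inventory. The following Python example is added here and is not Tyco Security Products code; the Device record, the audit function, the REVIEW and OK labels and the sample addresses are assumptions made for illustration. It only tests whether the default telnet and SSH ports (23 and 22) accept a TCP connection and never attempts a login.

```python
import socket
from dataclasses import dataclass
from typing import Optional

# Default TCP ports of the two remote access protocols the advisory names.
DEFAULT_PORTS = {"telnet": 23, "ssh": 22}

@dataclass
class Device:
    name: str
    host: str
    default_password: bool         # True if the factory password is still set
    ports: Optional[dict] = None   # protocol -> port; defaults to DEFAULT_PORTS

def port_open(host, port, timeout=1.0):
    """Return True if host accepts a TCP connection on port (no login is attempted)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def audit(device):
    """Apply the advisory's rule: default password + remote access enabled = at risk."""
    ports = device.ports or DEFAULT_PORTS
    exposed = sorted(proto for proto, port in ports.items()
                     if port_open(device.host, port))
    actions = []
    if exposed:
        actions.append("disable remote access if it is not required")
    if device.default_password:
        actions.append("change the password to a complex password")
    if exposed and device.default_password:
        status = "AT RISK"
        actions.insert(1, "reboot the device")
    elif actions:
        status = "REVIEW"          # only one condition holds (label is an assumption)
    else:
        status = "OK"
    return {"name": device.name, "exposed": exposed, "status": status, "actions": actions}

if __name__ == "__main__":
    # Constructed inventory; 192.0.2.0/24 is a documentation-only address range.
    inventory = [Device("lobby-camera", "192.0.2.10", default_password=True),
                 Device("dock-nvr", "192.0.2.11", default_password=False)]
    for dev in inventory:
        print(audit(dev))
```

Run it from a management workstation against devices you own, replacing the constructed inventory with your own records.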
Again, the following Tyco Security Products devices are not affected:
- Illustra Cameras
- VideoEdge NVRs
- iSTAR
- DCM
- AC2000 RTC Controllers
- Emerald Intelligent Access Terminals
Sign Up to Receive Security Advisories
Tyco Security Products’ dedicated Cyber Response Team generates notices, typically within 24 hours, advising which products, if any, might be vulnerable, along with mitigation steps. If it’s a critical security vulnerability, the team will develop, test and release patches to resolve issues. Sign up to receive security advisories and access compliance guidelines.
Sources:
[1] Wall Street Journal Sept 30th 2016 Hackers Infect Army of Cameras DVRs for Massive Internet Attacks http://www.wsj.com/articles/hackers-infect-army-of-cameras-dvrs-for-massive-internet-attacks-1475179428
[2] Wall Street Journal October 5th 2016 Hackers Release Botnet Code, Raising Specter of More Attacks http://www.wsj.com/articles/hackers-release-botnet-code-raising-specter-of-more-attacks-1475677667
[3] PC World October 18th 2016 Hackers create more IoT botnets with Mirai source code http://www.pcworld.com/article/3132571/hackers-create-more-iot-botnets-with-mirai-source-code.html
[4] Wall Street Journal October 21st 2016 Cyberattack Knocks Out Access to Websites http://www.wsj.com/articles/denial-of-service-web-attack-affects-amazon-twitter-others-1477056080
[5] Krebs on Security October 21, 2016 Hacked Cameras, DVRs Powered Today’s Massive Internet Outage https://krebsonsecurity.com/2016/10/hacked-cameras-dvrs-powered-todays-massive-internet-outage/#more-36754