Recently, independent security researcher Mike Olsen discovered that the CCTV surveillance devices sold on Amazon came with pre-installed malware.
Olsen discovered this nasty secret after he bought a set of outdoor CCTV surveillance cameras from Amazon for one of his friends.
He picked Sony Chip HD 6 Camera 1080P PoE IP CCTV surveillance camera kit sold by the Urban Security Group (USG) on Amazon, as it had good reviews and was a relatively cheap set of 6 cameras with all necessary equipment included.
While helping his friend set up the cameras, Olsen logged into the administrator panel to configure the surveillance system and found that the page hosted "no normal controls or settings."
Assuming that it might be bad programming, Olsen opened up the browser's developer tools and was surprised to discover a hidden iFrame loaded at the bottom of the body tag, retrieving content from Brenz.pl.
A quick Google search revealed that the Brenz.pl domain was used in malware distribution campaigns, according to a blog post by cyber-security vendor Sucuri in 2011.
In short, this means that the newly bought surveillance camera kit could be infected with malware anytime, when the Brenz.pl operator decides to push malicious code to the DVR's backend through the hidden iFrame.
Once the CCTV camera's operator accessed that page, the malware would be downloaded and installed, potentially leading to unlawful spying and data theft.
Since the Breza.pl domain was already on the firmware, there might be other nasty malware included in the firmware as well, that does not provide the camera's owner to access the backend.
The malware distributed by the surveillance cameras can have the ability to hijack video feeds or make the customer's cameras part of a DDoS Botnet, something that happened last year.
So be careful what you buy. Check reviews of every product before buying, even if the product brand and the eCommerce platform is trusted.