back to article Dimwit hackers use security camera DVRs as SUPER-SLOW Bitcoin-mining rig

Miscreants are using hacked digital video recorders in a somewhat misguided attempt to mine cryptocurrency BitCoins. Hackers have created custom code to infect devices normally used for recording footage from security cameras. After getting in, likely to taking advantage of weak default passwords, a common security mistake …

COMMENTS

This topic is closed for new posts.
  1. Piro Silver badge

    Correction:

    "Mining BitCoins these days requires a specialist rig featuring graphic cards"

    Nah, people are only doing that still for Litecoin and the like, scrypt algorithm based cryptocurrencies.

    Bitcoin mining on a GPU now would be a mug's game - that's done by dedicated ASICs.

    1. Anonymous Coward
      Anonymous Coward

      Re: Correction:

      Indeed. If you're going to mock people for not knowing what it takes to mine bitcoins, it's probably a good idea to know what it takes to mine bitcoins yourself...

    2. Oninoshiko

      Re: Correction:

      Let's see, there is no 'leccy cost (to the attacker), there is no hardware cost (to the attacker).

      Even if the trickle is infinitesimal, it's not like it cost them anything. It's like saying "I'll offer you 1 quid every 100 years if you look at me funny." Who isn't going to make a funny face?

    3. Yet Another Anonymous coward Silver badge

      Re: Correction:

      >Bitcoin mining on a GPU now would be a mug's game

      Unless you aren't paying for the GPU or electricity.

    4. gotes

      Re: Correction:

      I expect they'd struggle to mine even a single dogecoin on that hardware.

  2. Steve Todd

    Using someone else's hardware and electricity?

    And lots of them, it makes some kind of sense. You're not going to make a lot of money, but some for nothing isn't a bad deal.

    1. G 14

      Re: Using someone else's hardware and electricity?

      that was my thought too, to them it wouldn't matter that it was using more power that it was earning. it was probably pool mining so many small devices, still low processing power, en mass would be returning something to whoever was behind it.

    2. Irongut

      Re: Using someone else's hardware and electricity?

      Except you won't make anything at all. Bitcoin mining is basically a race to find the next coin. If you use shit hardware then the guys using fast hardware (ASICs) will always find the next coin before you do so you will make nothing at all.

      1. Steve Todd

        Re: Using someone else's hardware and electricity?

        It's not a simple race, there's a statistical chance that you'll be first to guess the correct hash. That small chance combined with the fact that the network costs the hacker nothing to run means some income.

        1. Tom 260

          Re: Using someone else's hardware and electricity?

          If there's enough slow devices submitting shares (proof of work) to a mining pool*, then they will be earning tiny fractions of a Bitcoin, infect enough machines and it goes from being a pittance to a few dollars or even more per day/week/month.

          *Mining pools (for those not into the mining scene) basically let a load of people collaborate their mining power and share out the rewards of mining a block amongst themselves, this allows those taking part to have smaller but much more regular payouts, rather than solo-mining for one big payout which may come every month or even further apart (if you're unlucky, you could go quite a while even with significant hashing power).

    3. GarethB

      Re: Using someone else's hardware and electricity?

      Except that the difficulty of Litecoin mining is about 1000 (I think from memory - may be more) times lower than Bitcoin but Bitcoins are only worth about 40x more. So they would make 25 times more profit if they mined Litecoins instead.

      1. theblackhand

        Re: Using someone else's hardware and electricity?

        Quoting from Slashdot [http://it.slashdot.org/story/14/04/01/029249/dvrs-used-to-attack-synology-disk-stations-and-mine-bitcoin]:

        "If memory serves, most of Synology's non-intel NASes are Marvell based. Marvell's fastest device, in terms of general compute, is the MV78460. 4 cores, ARMv7, up to 1.6GHz. As documented here [http://forum.synology.com/wiki/index.php/What_kind_of_CPU_does_my_NAS_have] most Synology NASes ship with something slower than that."

        For reference, a 1.6GHz 'Kirkwood' Marvell core is good for slightly under .2 meghashes/s. About half as fast as an Atom CPU, less than 1/4000th as fast as an AMD7970, and just plain embarassing compared to the ASICs that do most of the work these days. With devices that run on USB power alone pulling north of 1gighash/s, you could probably own every Synology ARM NAS in the first world and barely pay yourself for your time."

        So every 10000 compromised DVR's gives you equivalent performance (at best) to a BitFury Red Fury (http://www.amazon.co.uk/BitFury-Red-Fury-Bitcoin-Miner/dp/B00HNR1HW8). Given that the compromise doesn't affect all devices in Synology range, I wouldn't expect more than 1 million devices were usable.

        It is "free" once your compromise is in the wild, but I'm not sure you'll be retiring to your favourite tropical island any time soon. If you're prepared to settle for the occasional pint or two in Swindon then you maybe happy....

  3. Anonymous Coward
    Anonymous Coward

    It may be wasting power, but its not the hackers power bill so they won't care, and they probably fly under the rader as not many people think of these as computers.

    It may be slow, but if they get it on enough devices the mining will add up.

    1. Loyal Commenter Silver badge

      I'm going to be generous and assume that one of these devices can manage a mining rate of 0.5MH/s (500 thousand hashes per second).

      To put this into context, the current genreation of ASIC mining rigs hash at 1 TH/s, or 2 million times this speed. To match the hashing power of one of these devices, you would therefore need to infect 2 million of these specific devices - a number which may well not exist.

      To put this further into context, lets look at the hashing power and mining rate of pooled mining. For my example, I'm going to pick Slush's pool which has a combined hashing rate of around 1PH/s and finds around 5 blocks of 25 BTC per day.

      So, with 2 million infected devices, you could expect to make around 0.125 BTC per day, worth around £35.

  4. Anonymous Coward
    Anonymous Coward

    Surprise!

    Why is it that when we see the word "exploit" or the phrase "security problems/issues", the article is always about Microsoft.

    People need to give themselves a shake and stop using MS products!

    (Sorry for being late....)

    1. Anonymous Coward
      Anonymous Coward

      Re: Surprise!

      Eadon, where have you been?

    2. Anonymous Coward
      FAIL

      Re: Surprise!

      Not only late but in the wrong building; I'm not aware of any Microsoft DVRs or routers existing, let alone being mentioned in the article...

      1. Anonymous Coward
        Anonymous Coward

        Re: Surprise!

        It's satire. Unfortunately most commentards have realised this and stopped biting....

        Bah!

      2. Lazlo Woodbine

        Re: Surprise!

        Pretty much every embedded DVR I've ever worked with runs on Linux of one kind or another. There were some early Honeywell models that ran something that looked like Windows CE, but I only ever saw a couple of these units.

        Most of the higher end server based DVR systems do use Windows Server. If they're running Milestone Corporate or Genetec software they'll be dual CPU units with quad or 8-core Xeons and upwards of 16gb RAM. Hijacking one of these beasts would be useful...

    3. Don Jefe

      Re: Surprise!

      God damnit. I hate it, just really, really hate it when people don't realize most words have multiple definitions. Even worse, it's often only the negative definitions they know. I blame that on emotionally driven news media, but that's another matter.

      There are some really great words that are often the most accurate word to use, but have been turned into emotional buzz words that lose their best attributes as a result.

      Words like 'exploit, retard, moot, dumb, conserve, oscillate, ignorant, anti, negative, positive, compromise, occult, take advantage of, theory, indefinite, niggardly,

      are a few examples right off the top of my head. There are shitloads more.

      It's a real problem because using a word appropriately may just upset the ignorant and occult your message because they are too nicgardly to buy and use a dictionary. Hell, dictionaries are free online these days. So we all get our vocabulary censored via ignorance and the no dictionaries crowd is also where the next generation of leaders and important people are going to come from. It's just so fucking silly.

      1. gotes

        Re: Surprise!

        Soon you'll be able to buy an abridged version of the Oxford English Dictionary which you can fit into a single tweet.

  5. d3rrial

    Bitcoin

    Bitcoin, not BitCoin. It's very clearly defined and constantly misused...

    Also: DVRs mining Bitcoin is incredibly stupid as it will not make any money at all. 600GH/s worth of power (10x the ASIC power of a BFL Single) brings 0.05btc per day, without subtracting electricity costs. This is already almost nothing. You'd need millions upon millions of infected smartmobes and DVRs to make even the tiniest amounts of money with this. I doubt the hackers are doing it for money, more for disrupting either the DVRs or to enforce the reputation Bitcoin has as the "evil man's tool"

    Edit:

    Just made the calculation: If you had 1,000,000 Raspberry Pis mining 24/7 you would make a whopping 144usd per month!

    Edit2: If you want to calculate for yourself: A Raspberry Pi (example for an average ARM processor) can hash with ~100kh/s when overclocked

  6. Velv
    Boffin

    "Mining BitCoins these days requires a specialist rig featuring graphic cards so using low-powered embedded systems is not terribly practical."

    Mining BitCoins requires CPU cycles. End of story. Where you obtain those CPU cycles from is your problem, and yes if you want to do it in one "CPU" then a GPU is one place.

    It's like the old urban legend of the guy who collected up all the fractional payments the company rounded down on its payroll. A lot of tiny amounts soon adds up.

    1. phil dude
      Coat

      supermann III

      Wasn't that Richard Pryor's character....?

      P.

    2. smudge

      It's like the old urban legend of the guy who collected up all the fractional payments the company rounded down on its payroll. A lot of tiny amounts soon adds up.

      No urban legend - a pretty common fraud. Known as a "salami swindle".

      1. asdf

        hmm

        >Known as a "salami swindle"

        Maybe but pretty sure if you pop over to urbandictionary.com the kids may being using that word for something else lol.

  7. Stevie

    Bah!

    Meh. Small potatoes.

    True cleverness in this less-is-more proof of concept hack would be mining bitcoins on a Sinclair Scientific calculator.

    1. Tom 7

      Re: Bah!

      http://files.righto.com/calculator/sinclair_scientific_simulator.html

      off you go!

      1. Stevie

        Re: Simulator

        a) Why would I need a simulator?

        2) How would running anything in a simulator prove anything about doing the same on the original kit?

        Ask anyone who has been forced to recover from a virtual environment into bare metal.

  8. aaronj2906_01

    Another way to look at this...

    There's something to this... Look at it this way:

    They experimenting with mining using non-conventional hardware. Not a PC. Not a smart phone. Not an ASIC designed to mine BTC.

    How about an ARM processor? Get some code figured out. Get it distributed. Show that the engine works, but have no plans to win a race with it (very slow mining). As the NON-PC platform evolves, the software might need some tweaking, but they know it works. They don't need to gain a coin, if their goal is only to show a working engine for, say, a recording device that uses the same instruction set.

    Then sell it.

    1. Anonymous Coward
      Anonymous Coward

      Re: Another way to look at this...

      I think you are on the money.

      Want to test your code but would prefer someone else distributed and checked it? Give it some arcane use like, I don't know "bitcoin mining" (how we laughed) surely your mark is motivated by the "something for nuthin' " vibe no?

      It gets out there the script kiddies moan it doesn't work on brand x and they only managed y performance and you go OK thanks guys.

      --

      Someone I knew used to share video via P2P with a friend, nothing dodgy just large ish files, before fast connections he got them moved quickly by compressing and uploading 95% as (for example) "Big bouncy boobs" video part 1,2,3 knowing that they would be pounced on, he then sent the small last 5% to his friend direct, without the last bit the files were useless but strangely readily available locally to his friend at sunrise. I bet there are people out there now still hunting for big bouncy boobs part 4.

  9. Tom 7

    It does remind me of one of my daughters

    who will devote several hours to making complicated excuses as as not to do 5 minutes homework.

  10. Anonymous Coward
    Anonymous Coward

    Maybe "dumb like a fox"

    If I wanted to cut down on video surveillance, I'd just ask the camera to waste time mining BitCoins, or some other time-waster.

  11. futh4rk

    its not always about the money

    Sometimes hackers do something to prove it can be done more than just to make a profit. Something like this could be the precursor to a similar but more intricate attack, practice, fun....

  12. mark 63 Silver badge

    there is a threshold

    it dosent matter how free the electricity is, or how many machines you infect, if it turns out that you would need every person on the planet to have an infected machine switched on 24/7 for 100 years = 1 bitcoin, then you picked the wrong platform.

This topic is closed for new posts.

Other stories you might like