We are currently dealing with a Camera Device that has been used in botnet attacks and is housed behind an Ethernet connection to an RB1100AHx2.
I have contacted the manufacturer of the device and followed all recommendations and a firmware version change, yet we’ve still received reports of malicious activity.
The camera belongs to a client of ours and we’d like to not have to dispatch a climb to replace the physical camera unit.
I am looking for any advice on Filter Rules or other measures I may be able to implement to limit the malicious activity that may take place if the device is left connected.
It’s not ideal, but if you put it in an isolated L2 segment, allow only the minimum necessary traffic and block the rest, it should be pretty safe. For example, if it should be connecting to the outside world to upload some data, then allow only the selected target server and port. If someone should be connecting to it, then allow only selected source addresses.
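A RouterOS firewall implementation of the approach above, added here as an example and not part of the original thread: the camera sits on its own bridge or VLAN interface, may only reach one upload server on one port, may only be reached from a management subnet, and everything else it sends is logged and dropped. The interface name camera-vlan, camera address 10.10.50.10, upload server 203.0.113.20, and admin subnet 192.168.88.0/24 are constructed placeholders, not values from the thread.

```routeros
# Constructed example values; replace with the real interface and addresses.
# camera-vlan      : isolated L2 segment (bridge or VLAN) holding only the camera
# 10.10.50.10      : the camera
# 203.0.113.20     : the only server the camera may upload to (TCP/443)
# 192.168.88.0/24  : management hosts allowed to reach the camera

/ip firewall address-list
add list=camera address=10.10.50.10 comment="quarantined camera"
add list=camera-upload address=203.0.113.20 comment="permitted upload server"
add list=camera-admins address=192.168.88.0/24 comment="hosts allowed to reach camera"

/ip firewall filter
# --- forward chain: traffic passing through the router ---
# Replies belonging to sessions already accepted below
add chain=forward connection-state=established,related action=accept \
    comment="camera: allow return traffic"
# Camera -> one server, one port; add DNS/NTP rules here only if the firmware needs them
add chain=forward src-address-list=camera dst-address-list=camera-upload \
    protocol=tcp dst-port=443 action=accept comment="camera: upload only"
# Management hosts -> camera (HTTPS and RTSP; trim to what the camera actually serves)
add chain=forward src-address-list=camera-admins dst-address-list=camera \
    protocol=tcp dst-port=443,554 action=accept comment="camera: admin access"
# Anything else the camera sends is a policy violation: log it (detection), then drop it
add chain=forward src-address-list=camera action=log log-prefix="CAM-DROP" \
    comment="camera: log outbound policy violations"
add chain=forward src-address-list=camera action=drop comment="camera: drop rest"
# Nobody else reaches the camera
add chain=forward dst-address-list=camera action=drop comment="camera: deny inbound"

# --- input chain: keep the camera off the router itself ---
add chain=input in-interface=camera-vlan protocol=udp dst-port=67 action=accept \
    comment="camera: DHCP only"
add chain=input in-interface=camera-vlan action=drop comment="camera: no router access"
```

Rules are appended in order, so on a router with an existing filter set move them above any generic accept rules; recurring CAM-DROP log entries after the change are the sign the device is still trying to reach out.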
If you’re referring to the currently ongoing war, then that’s in Europe. Even if you’re not, I don’t see how starting a war on some continent is any different (better or worse) than starting it on another continent.
On topic, I agree that IoT devices should be treated as if they were infested with malware right as shipped from the factory. (IT) Security is not a craft, it’s a state of mind … and the vast majority of software developers don’t have it.