This spring I sent a coordinated disclosure to NCSC-NL, the Dutch national CERT. The gist: a handful of residential IP addresses, scattered across several of the big Dutch ISPs, were being sold as residential proxy exit nodes. Every one of them was a hacked CCTV camera. And I’d bet almost anything the people who own those cameras have no idea their driveway monitor is currently laundering someone else’s credential-stuffing traffic.
This is the public writeup, so let me get the disclaimer out of the way first: the actual IP addresses aren’t in here. They point at real, still-vulnerable boxes in real homes. Those went to the CERT and they stay with the CERT. What I can talk about is how you go looking for something like this, and why it exists in the first place.
From “puppy cam” to “exit node”
All the devices carried a TCP/IP fingerprint that lines up with the NETSurveillance/XMEye/Sofia family — those cheap ARM and MIPS CCTV DVR/NVR boxes that sell for about €50 under a dozen interchangeable brand names. You’ve seen them. Maybe you own one.
The trip from “camera on the porch” to “node in a botnet” is embarrassingly short:
- The firmware ships with default credentials and a web interface sitting on port 80.
- Two well-known unauthenticated RCE bugs (CVE-2017-7921, CVE-2018-10088) have been getting popped in the wild since 2018.
- Somebody scans big IP ranges, exploits the box, and drops a small statically-linked ARM/MIPS Linux binary onto it.
- That binary quietly registers the device as a residential proxy exit node with one or more commercial proxy services.
- The camera now carries strangers’ traffic on the side, alongside whatever it was already doing.
And the owner sees nothing. The dashboard still loads. The app still shows the puppy. There is no blinking light for “your home connection is now the residential-looking front end of a credential-stuffing campaign.”
Finding them without ever touching them
I want to be really clear about this, because it’s the whole point: I never touched a single camera. Everything I did happened on my side of the wire.
I run an active prober. It buys access to commercial residential proxy pools and pushes a tiny keyed identifier out through each provider’s network. On the other end, a raw-socket SYN sniffer catches the inbound TCP handshake coming back from whatever exit IP the pool handed me, and pulls the TCP/IP fingerprint out of it — TTL, MSS, window size, the ordering of the TCP options, the DF flag. No HTTP, no login, no poking at the device. Just watching how it says hello.
And this particular hello is distinctive. The signature: option ordering MSS,NOP,NOP,TS,NOP,WS, with no SACK, WS≈28240, MSS=1412, an initial TTL of 64 landing 9–15 hops out, DF set. The missing SACK is the giveaway. Nothing modern negotiates a connection without it — that’s an old embedded Linux 2.6.x kernel talking, which is exactly what this class of camera runs. I lined the fingerprints up against public banner data, and the dashboard titles on the affected hosts confirmed the device family. No guessing required at that stage.
The Dutch slice was small enough that you could actually remediate it device by device, which is why it made a clean disclosure case — a tractable problem you can hand to a CERT and expect action on. But I don’t want to oversell that. The same fingerprint matches thousands of IPs across dozens of countries. The Netherlands was just the piece small enough to do something about. Taiwan, South Korea, and the US each turned up hundreds. That’s not a coordinated-disclosure email anymore; that’s an ISP-scale notification problem.
Why the person who owns the camera should actually care
“Your IP shows up in abuse logs” is the boring version. The real reasons are worse:
- That web interface is reachable by anyone routing through the proxy — the live feed, the recordings, the admin controls, all of it.
- Whatever the abuser sends through your line — and some of it is genuinely illegal — comes out on your IP, with a timestamp. When a subpoena follows that trail, it ends at your house, not theirs.
- The same RCE that installed the proxy SDK can install anything else. A DDoS bot that pins your uplink to the ceiling whenever its operator feels like it, for one.
What I actually asked for
The ask to NCSC-NL was deliberately modest: notify the affected ISPs so they can reach the customers, and get those customers to factory-reset, update firmware, and set credentials that aren’t the factory default. Standard stuff, and it runs through NCSC-NL’s normal process.
I floated one bigger idea as a policy question, well above the pay grade of any single CERT: ISPs could consider blocking the known proxy-SDK signature ports outbound from residential lines, the same way they’ve blocked open SMTP relay for years. That one’s a conversation, not a request. The first two are the actual disclosure.
If you’re buying “residential” IPs, read this part
This next part is the uncomfortable one. A meaningful chunk of the IPs you can pay to route through right now are compromised IoT devices — CCTV cameras, Android TV boxes, routers — owned by people who never agreed to any of it. Across the pools I fingerprinted, the IoT share of the “residential” supply was over a quarter.
And the useful thing is that this device class is structurally different at the TCP layer. You can spot it before a single HTTP request goes out, before any JavaScript runs — just from how it opens a connection. So when a proxy vendor tells you their network is “ethically sourced,” there’s actually a way to check: you can measure the fingerprint spread yourself instead of taking the sales pitch at face value.