Webcams involved in DDoS attack recalled; Chinese maker threatens legal action for 'totally untrue' accusations
Google translate version of the announcement.
It's easy to blame dumb consumers using bad passwords when a large-scale Internet attack occurs, and that's what happened on Friday when sites like Reddit and Twitter became unavailable during an Internet of Things-driven denial of service attack. But a developing melodrama has U.S. security firms saying passwords were hard-coded into the gadgets and couldn't be changed, while the Chinese firm at the center of the controversy is threatening legal action over being made to shoulder the blame. That firm, Hangzhou Xiongmai, has also recalled its components, according to the BBC and a statement that appears to be on its website.
Friday's attack was not a surprise.
Earlier this month, U.S. researchers discovered that computer criminals were gathering an army of hacked video cameras using a malicious piece of software named Mirai that automatically sought out vulnerable components and connected them to a botnet ready for an attack. Famed security journalist Brian Krebs was actually knocked offline by a Mirai-controlled attack. Soon after, the source code to Mirai was released to the public, and within days the army of infected video cameras swelled to 500,000 -- more than enough to create Friday's Internet chaos.
Meanwhile, security firm Flashpoint Partners began investigating Mirai after the Krebs attack and issued a serious warning on Oct. 7 when it discovered a source of vulnerable machines -- a Chinese firm that makes components for cameras and DVRs.
"Flashpoint identified the primary manufacturer of the devices that utilize the default username and password combination known as root and xc3511, respectively. These types of credentials exist all across the Internet and are commonly used via Telnet to access numerous types of DVRs. In fact, countless DVR manufacturers buy parts preloaded with Linux and rudimentary management software from a company called XiongMai Technologies, located in Hangzhou, China. This company sells white-labeled DVR, NVR and IP Camera boards and software to downstream vendors who then use it in their own products. Altogether, over five-hundred thousand devices on public IPs around the world appear susceptible to this vulnerability."
Critically, Flashpoint also found out that the default passwords on gadgets with XiongMai components were not editable.
"The issue with these particular devices is that a user cannot feasibly change this password. The password is hardcoded into the firmware, and the tools necessary to disable it are not present," the report said.
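The detection side of what Flashpoint describes, as an added example that is not from the article or from Flashpoint: a small log analyzer that flags Telnet logins using the root / xc3511 pair, lists hosts where such a login succeeded, and picks out sources that tried it against several hosts, which is the footprint of a spreading bot rather than a single user. The log format and all addresses are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Credential pair the article attributes to Xiongmai boards (root / xc3511).
KNOWN_DEFAULTS = {("root", "xc3511")}

# Constructed sample lines in a hypothetical Telnet-honeypot/syslog style (not a real tool's format).
SAMPLE_LOG = """\
2016-10-07T10:01:12Z src=198.51.100.7 dst=192.0.2.10 dport=23 user=root pass=xc3511 result=success
2016-10-07T10:01:13Z src=198.51.100.7 dst=192.0.2.11 dport=23 user=root pass=xc3511 result=fail
2016-10-07T10:02:40Z src=203.0.113.9 dst=192.0.2.10 dport=23 user=admin pass=admin result=fail
2016-10-07T10:03:05Z src=203.0.113.9 dst=192.0.2.10 dport=23 user=root pass=xc3511 result=success
2016-10-07T10:04:00Z src=192.0.2.50 dst=192.0.2.10 dport=22 user=alice pass=******** result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"user=(?P<user>\S+) pass=(?P<pw>\S+) result=(?P<result>\w+)$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze(log_text, spread_threshold=2):
    """Return (default_cred_hits, compromised_hosts, spreading_sources).

    default_cred_hits:  Telnet records that used a known default pair
    compromised_hosts:  destinations where such a login succeeded
    spreading_sources:  sources that tried the default pair against
                        at least `spread_threshold` distinct hosts
    """
    hits, compromised = [], set()
    targets_per_src = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dport"] != "23":
            continue  # only Telnet (port 23) logins matter here
        if (rec["user"], rec["pw"]) in KNOWN_DEFAULTS:
            hits.append(rec)
            targets_per_src[rec["src"]].add(rec["dst"])
            if rec["result"] == "success":
                compromised.add(rec["dst"])
    spreading = {s for s, t in targets_per_src.items() if len(t) >= spread_threshold}
    return hits, compromised, spreading
```

A successful default-credential login on a device you own is the signal to isolate it, since the article notes the password cannot be changed on affected units.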
Unfortunately, the warning came and went without much fanfare -- leading to Friday's show of force.
It could have been worse. Security firm Symantec said that attackers used only a fraction of the bots they had at their disposal.
"(The) attack only used approximately 10 percent of these bots, demonstrating the incredible power wielded by just one type of device. There are 10s of millions more insecure "smart" things that could cause incredible disruptions, if harnessed," it said.
For its part, XiongMai says it is being falsely accused by Western media. According to the website IPVM, which reports on web-enabled cameras, XiongMai has threatened legal action against its accusers.
A social media post, translated by Google Translate, that appears to come from the firm blames users for not changing passwords and calls reports blaming XiongMai "totally untrue." The post also includes a statement allegedly from China's Ministry of Justice exonerating the firm, and warns that it would pursue "legal channels" because of the damage the firm is suffering.
"Security issues are a common problem of all mankind," the firm said in its statement, which also announced a recall of 1.3 million gadgets.
Consumers should change the default password on any Internet of Things gadgets in their homes. But if those passwords can't be changed, there isn't much users can do. Advanced solutions like a well-tuned firewall would help, but we can't expect consumers buying coffee pots and nanny cams to do that work. That's a problem gadget makers will have to solve.