Chinese Company Recalls Cameras, DVRs Used In Last Week's Massive DDoS Attack

from the internet-of-broken-things dept

For some time now, security researchers have been warning that our lackadaisical approach to Internet of Things security would soon be coming home to roost. Initially it was kind of funny to read how “smart” fridges, tea kettles and Barbie dolls did an arguably worse job than their dumb counterparts with a greater risk to privacy and security. But as we collectively realized that these devices not only created millions of new home and business attack vectors, but could also be used to wage historically-unprecedented DDoS attacks, things quickly became less amusing.

Last week, the theoretical became very real with the massive attack on DNS provider DYN, which knocked a swath of companies and services off the internet for a large portion of Friday. In a piece discussing the attack over at Flashpoint, the security firm (which worked with Akamai to help DYN) notes that the DDoS was indeed thanks to compromised IoT devices, and the Mirai botnet malware recently released to make compromising and harnessing such devices easier than ever. But the group also notes that targeted devices included everything from cameras to… your cable DVR:

“Mirai malware targets Internet of Things (IoT) devices like routers, digital video records (DVRs), and webcams/security cameras, enslaving vast numbers of these devices into a botnet, which is then used to conduct DDoS attacks. Flashpoint has confirmed that at least some of the devices used in the Dyn DNS attacks are DVRs, further matching the technical indicators and tactics, techniques, and procedures (TTPs) associated with previous known Mirai botnet attacks.”

Brian Krebs notes that the lion’s share of these devices were manufactured by a Chinese company named XiongMai Technologies, which almost instantly found a huge swath of its product line contributing to the attack:

“It?s remarkable that virtually an entire company?s product line has just been turned into a botnet that is now attacking the United States,? Nixon said, noting that Flashpoint hasn?t ruled out the possibility of multiple botnets being involved in the attack on Dyn. At least one Mirai [control server] issued an attack command to hit Dyn,? Nixon said. ?Some people are theorizing that there were multiple botnets involved here. What we can say is that we?ve seen a Mirai botnet participating in the attack.”

For what it’s worth, XiongMai was quick to issue a statement announcing that it would be recalling some of its products (mostly webcams), while strengthening password functions (Mirai often depends on default usernames and passwords) and sending users a patch for products made before April of last year. It also issued a poorly translated statement on its role in bringing the U.S. Internet to a crawl for much of Friday:

“Security issues are a problem facing all mankind. Since industry giants have experienced them, Xiongmai is not afraid to experience them once, too,” the company statement said.

And while that’s all well and good, that’s just one company. There are dozens upon dozens of companies and “IoT evangelists” that refuse to acknowledge that they put hype and personal profit ahead of security, by proxy putting the entire internet at risk. Not only do most of these devices lack even the most fundamental security, they usually provide no functionality to help users determine if they’re generating traffic or participating in attacks. And these devices are often sitting behind consumer-grade routers on the network that have equally flimsy security while using default username and password combinations.

So while it’s nice to see at least one company almost admit culpability, this really is little more than a small drop in a very deep ocean of dysfunction. It’s going to take a lot more naming and shaming of the companies that pushed “smart” but idiotic and poorly-secured technologies on consumers if we’re to avoid significantly worse (and potentially fatal) attacks.

Filed Under: , , , , , ,
Companies: dyn, xiongmai

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Chinese Company Recalls Cameras, DVRs Used In Last Week's Massive DDoS Attack”

Subscribe: RSS Leave a comment
Anonymous Coward says:

So how long until this story expands to:

“[big telecom company] outdated wifi router and cable box software allows biggest DDoS attack vector to date.”

With a followup along the lines of: “Big Cable Company profited millions of dollars in overage fees from those same attacks and refuses to refund victims when the attack vector came from the Big Cable Company’s own devices. They claim the customer is responsible for updating Big Cable Company hardware and points to the small fine print buried on page 455 of the contract that says the customer must weekly log into a 56k dial-in only BBS to download new firmware for their DVR router. “

McFortner (profile) says:


I like the Internet a lot, but do we really need everything we own hooked up to it? It’s because of all these IoT gadgets we are going to see more attacks like this. Yet most of those devices don’t add anything significant to our lives. Do we really need to turn on our coffee makers from work? C’mon, we’re just grasping at things to put online now that don’t need to be. Until we can get a better grasp on the crap we have hooked up already we shouldn’t be adding gasoline to the fire.

Anonymous Coward says:

Re: Re: IoT

Only firmware? Pft you are so old fashioned. Get with the times!

My toaster has its own unlimited wireless plan and live streams its perfect toasting on a youtube channel.

Also my paint can takes time lapse photographs of the room painting process and uploads them to a branded instagram page that makes a movie of the paint drying process.

Thad (user link) says:

Re: Attack participation check

Well, an external utility (website, phone app, etc.) could check for open ports and unchanged default logins pretty easily. It wouldn’t prove the device had been compromised, but it would prove it was vulnerable.

This would presumably lead malware authors to make their software automatically close open ports and change default passwords, but I guess that at least means they’d be protecting you against other malware exploiting the same vulnerabilities.

Anonymous Coward says:

Perhaps these "camera" IoT devices were *intended* as Trojan Horses

that the Chinese conned us into paying good money for.

The Chinese gather intelligence differently from Western nations … While Russians and Americans rely on professional snoops or fancy equipment, the Chinese count on friends and connections to piece together information … if the Chinese wanted to learn about a beach, they would send in a thousand tourists, each assigned to collect a single grain of sand. “When they returned, they would be asked to shake out their towels. And [the Chinese] would end up knowing more about the sand than anyone else.”

That Anonymous Coward (profile) says:

If only there was I dunno some sort of law that forced companies to bear the costs of their security failures.

Far to often we see companies gleefully suing people who dare to politely point out flaws rather than fix them.
Sending researchers the bill for having to fix the bug they discovered.
Sending the DoJ on a rampage to threaten to put them in jail for crimes against humanity.
Issuing press releases blaming the researchers for the bug.

This is ‘we just slapped our brand on something & did none of the work’ and jacked the price up several magnitudes because our brand name is worth it. They got profits, we got a growing network of shit that will be used to cripple the entire internet. Perhaps its time to stop pretending corporations will do anything about this on their own & we start punishing them for taking the path of most profits.

The Event More Anonymous Coward says:

Re: Re:

Perhaps its time to stop pretending that government is the answer? Besides, aren’t they the ones bailing out big business instead of the little guy, spying on every man/woman/child, starting wars, torturing people, drone striking citizens and giving away corporate sovereignty so now corporations stand above governments?

Ninja (profile) says:

The question is how effective will be this recall. Most people who buy Chinese stuff of less known brands are also the type that would either never know about the recall or just don’t care/understand if they did.

Of course we have a huge problem in our hands but we should be really focused on stopping new attack vectors from entering the market. At the very least everybody seems to have started giving a damn. Better late than never eh?

JBDragon (profile) says:

The problem with IoT is it was never designed for all the crap it’s being used for. Security is weak or non-existent. Many times even if you wanted to change a password, you can’t it’s baked into the firmware. This stuff may not ever get updated, let alone fixed because it can’t.

Apple’s Homekit is all about Security. Some company’s have had issues with that. They don’t want to get the chip needed for security as it costs more money. So they go the IoT route.

I just avoid all this stuff as much as I can. I would NEVER get any IoT Camera’s or Door Locks, right off the bat. That would be completely dumb. The only thing I have is my device for the Garage door that can open and close it and tell me when it opens and closes. It’s not a IoT or Homekit device. I trust it at least more then a IoT device. The only reason I got it was because that’s how we get in/out of the house 99% of the time.

My Dad who lives with me has left the door wide open when he drove away. I’d come home to find the door open, and luckily not robbed blind. Especially where I live. Now I’m warned if it’s left opened longer then 5 minutes and then 10 minutes and I can close it myself anywhere I’m at. But it also warns him also, and so he can close it. Since having it, it hasn’t been a issue.

I tried putting a label on his mirror saying to make sure the door was closed and that didn’t work. So sometimes you have to resort to other methods. I do also have a Wifi module on my new Hot Water Heater I replaced this last December. It’s really pretty silly. I have a App for it. I can adjust the temp. I mean who doesn’t need to do that all the time if not NEVER! Or put it into Vacation mode, which lowers the temp way down. Again I talk right next to it every day in as it’s in my garage right near the door. It’s so easy to just turn the dial down.

The other features, it’ll warn if there’s a leak as there’s a probe you put in the pan that will sense water. It’ll also tell you if there’s some other error, issue. The problem with that, It requires Electricity, Yep, where I live in CA, I need a special Heater, This one has a Electric Damper on it. When it’s heating it opens, when it isn’t heating it closes to help keep the heat in. It’s of course larger diameter, because there’s more insulation around it. That can be a problem for some people with limited space already. It has a Electric Gas Valve. Any issues and the App would let me know. Problem is, once already the circuit breaker of the outlet popped, that killed the power, killed the Wifi on the heater and stopped the gas valve from working, and in the morning going to use the shower, all I have is warm water. I wasn’t told of any problem because there was no power for the Wifi module to work!!! Kind of a big flaw, wouldn’t you think?

It’s really silly having a GAS water heater that I have to plug into the wall for power. It’s on a long cable with a large wall wart(Transformer) on the end. Really, more crap that can go wrong with it. It wasn’t cheap ether, even though I installed it myself. Luckily there was a $150 rebate for that heater from PG&E before the end of the year, so I got luckily it went bad when it did instead of a week later. The Wifi on it I think is pretty silly and almost worthless.

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...