Chinese Hardware That Fueled Massive DYN BotNet Attack Still Poorly Secured Pieces Of Shit
from the interet-of-broken-things dept
Just about two years ago, you might recall that the internet partially imploded after DNS provider Dyn was hit with a historically massive DDOS attack. A major reason for the attack was the Mirai botnet malware, which made creating rampant botnets a pretty trivial affair for anybody with an IQ over 70. The other problem was that Mirai was able to quickly compromise and incorporate millions of internet of things devices as part of the assault thanks to said devices’ lack of meaningful privacy and security protections.
That included a large number of DVRs and internet-connected cameras by a Chinese company by the name of XiongMai Technologies, which stated it would be recalling many of the devices after issuing a statement in rather broken English that didn’t really make much sense:
“Security issues are a problem facing all mankind. Since industry giants have experienced them, Xiongmai is not afraid to experience them once, too.”
Sure thing.
Fast forward several years, and you’ll be shocked to learn that really nothing has changed at the company in terms of ensuring its cheap hardware can’t be quickly compromised by hackers and thieves. Most of the fatal flaws remain in the company’s products, including default login credentials, terrible GUIs that fail to show what the device is doing online, intentional backdoors, and pretty basic design flaws like the failure to prompt a password change during setup.
Worse, because XiongMai Technologies is a “white label vendor” whose hardware is often repackaged and resold under a universe of different brands, it’s impossible for many to know if they even own these substandard products, notes activist and author Cory Doctorow:
“Xiongmai is a white-label vendor whose products are sold under hundreds of brand-names, making it nearly impossible to tell whether you are about to buy (or already own) one of their defective products…The most reliable way to determine if you own a Xiongmai product is to see if its control systems mention “XMEye.” But even if you ditch your Xiongmai product, it’s clear that the whole industry is a cesspool of flaming garbage devices, and there’s probably not an alternative you can trust.”
Of course Xiongmai is just one of several, similar Chinese IOT hardware vendors that pretty clearly couldn’t give less of a shit about user privacy and security, or the fact these devices directly impact the health of the internet. SEC Consult has been not only issuing advisories surrounding Xiongmai and its universe of offshoot products, but also about a myriad of other, similarly-unaccountable hardware vendors like Shenzhen Gwelltimes Technology Co. All told we’re talking about more than 9 million DVRs and cameras currently in use protected with the security equivalent of wet cardboard.
As security experts like Bruce Schneier keep pointing out, we’re basically begging for a massive dumpster fire that could have dramatic and potentially even fatal repercussions. And the solution isn’t just one thing or another, it’s going to require a concerted, cross-sector collaborative effort that starts with integrating security and privacy warnings into product reviews, and naming and shaming vendors that pretty clearly don’t think even the barest bones privacy and security standards are worth the time or money it takes to develop them.
Filed Under: botnet, china, cybersecurity, dyn, iot
Comments on “Chinese Hardware That Fueled Massive DYN BotNet Attack Still Poorly Secured Pieces Of Shit”
The best way to tell if you own a Xiongmai device...
… is to test how quickly you can own the suspected device. 😉
Which is it?
Come on now, which is it: wet cardboard, or a dumpster fire? It can’t be both.
/s
Re: Which is it?
You can’t secure a dumpster fire….
You can secure wet cardboard though. Just throw it into a dumpster fire.
Re: Which is it?
It’s a time line.
We had wet cardboard, but it was only wet from being soaked is gasoline.
Now it’s a dumpster fire.
“really nothing has changed at the company”
Duh. It’s a Chinese company and they’re out of reach for any legal means. There’s literally hundreds of rebranding operations going on that simply filters cheap knock-off and off brand Chinese goods flooding not just the US but Europe and the rest of the world. Block one, and five more step up to make a quick buck and disappear the next day. The only way to stop this is either for a societal change – people stop buying this junk en mass, or to cut off ties with China. It’s not going to stop otherwise. These companies are subsidized by their own government. Effectively government owned companies who’s entire point is to wage economic warfare by dumping cheap knockoffs in another country’s markets.
This is one of the few problems where import control would actually work if implemented well.
Government owned/funded inspection lab would routinely check common appliances found in the market. If it discovers you product is shit? They levy penalties up to total import ban, depending on severity of the vulnerability (=was it obviously deliberate) and your willingness to correct it.
Like poison can’t be sold as food, dumpster fires shouldn’t be sold as electronics.
Eh. As long as we don’t use Huawei, the internet is safe.
Hasn’t America had enough of chinese crap? You fucking traitors out there and you know who you are should be all hung for sending American ideas out to our enemies to mass produce crap.
Re: Re:
I assure you, I am.
Re: Re:
Eh, it’d be simpler to stop choosing to buy stuff from China just because it’s cheap. That’s your job as an individual.
Not hardware problems
All the problems you list are software problems, not hardware ones. And I don’t mean this in a pedantic way—it may well be the root of the issue. These companies think their products are hardware, and happen to develop a bit of software as an afterthought.