Chinese Hardware That Fueled Massive DYN BotNet Attack Still Poorly Secured Pieces Of Shit

from the interet-of-broken-things dept

Just about two years ago, you might recall that the internet partially imploded after DNS provider Dyn was hit with a historically massive DDOS attack. A major reason for the attack was the Mirai botnet malware, which made creating rampant botnets a pretty trivial affair for anybody with an IQ over 70. The other problem was that Mirai was able to quickly compromise and incorporate millions of internet of things devices as part of the assault thanks to said devices’ lack of meaningful privacy and security protections.

That included a large number of DVRs and internet-connected cameras by a Chinese company by the name of XiongMai Technologies, which stated it would be recalling many of the devices after issuing a statement in rather broken English that didn’t really make much sense:

“Security issues are a problem facing all mankind. Since industry giants have experienced them, Xiongmai is not afraid to experience them once, too.”

Sure thing.

Fast forward several years, and you’ll be shocked to learn that really nothing has changed at the company in terms of ensuring its cheap hardware can’t be quickly compromised by hackers and thieves. Most of the fatal flaws remain in the company’s products, including default login credentials, terrible GUIs that fail to show what the device is doing online, intentional backdoors, and pretty basic design flaws like the failure to prompt a password change during setup.

Worse, because XiongMai Technologies is a “white label vendor” whose hardware is often repackaged and resold under a universe of different brands, it’s impossible for many to know if they even own these substandard products, notes activist and author Cory Doctorow:

“Xiongmai is a white-label vendor whose products are sold under hundreds of brand-names, making it nearly impossible to tell whether you are about to buy (or already own) one of their defective products…The most reliable way to determine if you own a Xiongmai product is to see if its control systems mention “XMEye.” But even if you ditch your Xiongmai product, it’s clear that the whole industry is a cesspool of flaming garbage devices, and there’s probably not an alternative you can trust.”

Of course Xiongmai is just one of several, similar Chinese IOT hardware vendors that pretty clearly couldn’t give less of a shit about user privacy and security, or the fact these devices directly impact the health of the internet. SEC Consult has been not only issuing advisories surrounding Xiongmai and its universe of offshoot products, but also about a myriad of other, similarly-unaccountable hardware vendors like Shenzhen Gwelltimes Technology Co. All told we’re talking about more than 9 million DVRs and cameras currently in use protected with the security equivalent of wet cardboard.

As security experts like Bruce Schneier keep pointing out, we’re basically begging for a massive dumpster fire that could have dramatic and potentially even fatal repercussions. And the solution isn’t just one thing or another, it’s going to require a concerted, cross-sector collaborative effort that starts with integrating security and privacy warnings into product reviews, and naming and shaming vendors that pretty clearly don’t think even the barest bones privacy and security standards are worth the time or money it takes to develop them.

Filed Under: , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Chinese Hardware That Fueled Massive DYN BotNet Attack Still Poorly Secured Pieces Of Shit”

Subscribe: RSS Leave a comment
Anonymous Coward says:

“really nothing has changed at the company”

Duh. It’s a Chinese company and they’re out of reach for any legal means. There’s literally hundreds of rebranding operations going on that simply filters cheap knock-off and off brand Chinese goods flooding not just the US but Europe and the rest of the world. Block one, and five more step up to make a quick buck and disappear the next day. The only way to stop this is either for a societal change – people stop buying this junk en mass, or to cut off ties with China. It’s not going to stop otherwise. These companies are subsidized by their own government. Effectively government owned companies who’s entire point is to wage economic warfare by dumping cheap knockoffs in another country’s markets.

Anonymous Coward says:

This is one of the few problems where import control would actually work if implemented well.

Government owned/funded inspection lab would routinely check common appliances found in the market. If it discovers you product is shit? They levy penalties up to total import ban, depending on severity of the vulnerability (=was it obviously deliberate) and your willingness to correct it.

Like poison can’t be sold as food, dumpster fires shouldn’t be sold as electronics.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...