(Mis)Uses of Technology

by Karl Bode

Filed Under: botnet, cameras, china, ddos, dvrs, mirai, recall
Companies: dyn, xiongmai

Chinese Company Recalls Cameras, DVRs Used In Last Week's Massive DDoS Attack

from the internet-of-broken-things dept

For some time now, security researchers have been warning that our lackadaisical approach to Internet of Things security would soon be coming home to roost. Initially it was kind of funny to read how "smart" fridges, tea kettles and Barbie dolls did an arguably worse job than their dumb counterparts while adding new risks to privacy and security. But as we collectively realized that these devices not only created millions of new home and business attack vectors, but could also be used to wage historically unprecedented DDoS attacks, things quickly became less amusing.

Last week, the theoretical became very real with the massive attack on DNS provider Dyn, which knocked a swath of companies and services off the internet for a large portion of Friday. In a piece discussing the attack over at Flashpoint, the security firm (which worked with Akamai to help Dyn) notes that the DDoS was indeed driven by compromised IoT devices, harnessed by the recently released Mirai botnet malware, which makes compromising such devices easier than ever. But the group also notes that targeted devices included everything from cameras to... your cable DVR:
"Mirai malware targets Internet of Things (IoT) devices like routers, digital video records (DVRs), and webcams/security cameras, enslaving vast numbers of these devices into a botnet, which is then used to conduct DDoS attacks. Flashpoint has confirmed that at least some of the devices used in the Dyn DNS attacks are DVRs, further matching the technical indicators and tactics, techniques, and procedures (TTPs) associated with previous known Mirai botnet attacks."
Brian Krebs notes that the lion's share of these devices were manufactured by a Chinese company named XiongMai Technologies, which almost instantly found a huge swath of its product line contributing to the attack:
"It’s remarkable that virtually an entire company’s product line has just been turned into a botnet that is now attacking the United States," Nixon said, noting that Flashpoint hasn’t ruled out the possibility of multiple botnets being involved in the attack on Dyn. "At least one Mirai [control server] issued an attack command to hit Dyn," Nixon said. "Some people are theorizing that there were multiple botnets involved here. What we can say is that we’ve seen a Mirai botnet participating in the attack."
For what it's worth, XiongMai was quick to issue a statement announcing that it would be recalling some of its products (mostly webcams), while strengthening password functions (Mirai often depends on default usernames and passwords) and sending users a patch for products made before April of last year. It also issued a poorly translated statement on its role in bringing the U.S. Internet to a crawl for much of Friday:
"Security issues are a problem facing all mankind. Since industry giants have experienced them, Xiongmai is not afraid to experience them once, too," the company statement said.
And while that's all well and good, that's just one company. There are dozens upon dozens of companies and "IoT evangelists" that refuse to acknowledge that they put hype and personal profit ahead of security, by proxy putting the entire internet at risk. Not only do most of these devices lack even the most fundamental security, they usually provide no functionality to help users determine if they're generating traffic or participating in attacks. And these devices often sit behind consumer-grade routers with equally flimsy security and default username and password combinations.
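The paragraph above points at something devices and home routers rarely offer: a way to tell whether a host on the LAN is generating attack traffic. The following is an added example, not code from the article, from Flashpoint, Dyn or XiongMai, of what such a check could look like when run over a router's outbound flow summaries. The flow record format, the 192.168.1.0/24 LAN prefix, the two thresholds and the sample records are all constructed assumptions; the constructed sample contains a laptop browsing normally, a DVR flooding a single outside host, and a camera touching many outside hosts on one port.

```python
"""Flag LAN hosts whose outbound traffic looks like attack participation.

Added example, not part of the Techdirt article. Flow format, LAN prefix,
thresholds and sample records are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")   # assumed home network (constructed)
FLOOD_PPS = 500        # sustained packets/s to one destination (assumed threshold)
FANOUT_HOSTS = 50      # distinct outside hosts per window (assumed threshold)


@dataclass(frozen=True)
class Flow:
    """One outbound flow summary as a router could export it (constructed format)."""
    src: str
    dst: str
    dport: int
    packets: int


def sample_flows():
    """Constructed 60-second window: laptop browsing, DVR flooding one host,
    camera sending one packet each to 80 different outside hosts."""
    flows = [
        Flow("192.168.1.10", "198.51.100.7", 443, 120),
        Flow("192.168.1.10", "198.51.100.8", 443, 80),
        Flow("192.168.1.10", "192.168.1.1", 53, 30),     # LAN-internal, ignored
        Flow("192.168.1.20", "203.0.113.5", 53, 40000),   # DVR: ~667 pkt/s over 60 s
    ]
    flows += [Flow("192.168.1.30", f"203.0.113.{i}", 8080, 1) for i in range(100, 180)]
    return flows


def analyze(flows, window_s=60):
    """Return {lan_host: [finding, ...]} for hosts whose LAN-to-outside traffic
    in the window exceeds the flood or fan-out threshold."""
    per_pair = defaultdict(int)       # (src, dst, dport) -> packets
    per_src_dsts = defaultdict(set)   # src -> distinct outside destinations
    for f in flows:
        src, dst = ip_address(f.src), ip_address(f.dst)
        if src not in LAN or dst in LAN:
            continue                  # only traffic leaving the LAN is of interest
        per_pair[(f.src, f.dst, f.dport)] += f.packets
        per_src_dsts[f.src].add(f.dst)

    findings = defaultdict(list)
    for (src, dst, dport), pkts in per_pair.items():
        pps = pkts / window_s
        if pps >= FLOOD_PPS:
            findings[src].append(f"flood: {pps:.0f} pkt/s to {dst}:{dport}")
    for src, dsts in per_src_dsts.items():
        if len(dsts) >= FANOUT_HOSTS:
            findings[src].append(f"fan-out: {len(dsts)} distinct outside hosts")
    return dict(findings)


if __name__ == "__main__":
    for host, notes in sorted(analyze(sample_flows()).items()):
        print(host, *notes, sep="\n  ")
```

On the constructed sample only the DVR (flood) and the camera (fan-out) are reported; the laptop's two short HTTPS flows stay well under both thresholds, and its DNS lookup to the router is skipped because it never leaves the LAN. In a real deployment the thresholds would be tuned per device class, since a legitimately busy host can sustain far more than 500 packets per second.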

So while it's nice to see at least one company almost admit culpability, this really is little more than a small drop in a very deep ocean of dysfunction. It's going to take a lot more naming and shaming of the companies that pushed "smart" but idiotic and poorly-secured technologies on consumers if we're to avoid significantly worse (and potentially fatal) attacks.

Reader Comments



  • Blindsquirrel, 24 Oct 2016 @ 11:54am

    Translated statement?

    Think it said, "All your cameras are belong to us?"

  • Anonymous Coward, 24 Oct 2016 @ 12:02pm

    Lack of diversity (in both HW/SW) == disaster

    Major plagues can take out 60-80% of human
    populations, but 20-40% still remains.

    With the lack of diversity in computer HW/SW,
    a major malware "plague" could take out nearly
    100%.

    • Anonymous Coward, 25 Oct 2016 @ 3:52pm

      Re: Lack of diversity (in both HW/SW) == disaster

      That is the downside of the NSA helping Bill Gates monopolize the PC market with that crap called Windows 95 and later. That is like most humans having the same DNA prone to plague. Then they cry WikiLeaks released Podesta's emails.

  • Anonymous Coward, 24 Oct 2016 @ 12:18pm

    So how long until this story expands to:

    "[big telecom company] outdated wifi router and cable box software allows biggest DDoS attack vector to date."

    With a followup along the lines of: "Big Cable Company profited millions of dollars in overage fees from those same attacks and refuses to refund victims when the attack vector came from the Big Cable Company's own devices. They claim the customer is responsible for updating Big Cable Company hardware and points to the small fine print buried on page 455 of the contract that says the customer must weekly log into a 56k dial-in only BBS to download new firmware for their DVR router."

  • Roger Strong (profile), 24 Oct 2016 @ 12:21pm

    The vast majority of those camera and DVR owners will never hear about the recall. Their security camera systems will have been bought - often rebranded - from third-party companies.

  • ANON, 24 Oct 2016 @ 12:24pm

    But...

    That's just DVRs and cameras with external IP addresses or port forwarding from the firewall, I assume?

    This whole hype still misses the point that a device behind a firewall is inaccessible unless something is port-forwarded to it, correct? (Unless they could spoof some device's central server IP...?)

    • Roger Strong (profile), 24 Oct 2016 @ 12:36pm

      Re: But...

      Our (rebranded but obviously Chinese-made) security camera system is port-forwarded to the internet. That way you can watch from a browser app at home, or from an iPhone or Android app.

    • Anonymous Coward, 24 Oct 2016 @ 12:58pm

      Re: But...

      Remember, most home routers support UPnP, where convenience trumps security.

    • afn29129 (profile), 24 Oct 2016 @ 6:33pm

      Re: But...

      Many of the devices have UPnP turned on by default and therefore automatically poke holes in router firewalls and NATs.
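For a reader who wants to see which holes a router has already opened this way, here is an added example (not code from the article or from any commenter) that walks the router's UPnP IGD port-mapping table with the standard WANIPConnection:1 GetGenericPortMappingEntry action and reports each entry. The SOAP response and the end-of-table fault below are constructed samples of what a router returns, not captured from any particular device; `query_router()` performs the live request against a control URL that you would take from the router's IGD device description, which this example does not discover for you.

```python
"""Audit the port mappings a router has opened through UPnP IGD.

Added example (not the article's or a commenter's code). The XML samples
are constructed; the action, SOAP framing and field names are those of
the standard WANIPConnection:1 service.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from urllib.error import HTTPError
from urllib.request import Request, urlopen

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
ACTION = "GetGenericPortMappingEntry"


@dataclass
class Mapping:
    external_port: int
    protocol: str
    internal_client: str
    internal_port: int
    description: str
    lease_seconds: int       # 0 means the mapping never expires


# Constructed sample of a router's answer for index 0: a DVR's web UI
# reachable from outside on port 8000, with no lease expiry.
SAMPLE_RESPONSE = f"""<s:Envelope xmlns:s="{SOAP_NS}">
<s:Body><u:{ACTION}Response xmlns:u="{SERVICE}">
<NewRemoteHost></NewRemoteHost>
<NewExternalPort>8000</NewExternalPort>
<NewProtocol>TCP</NewProtocol>
<NewInternalPort>80</NewInternalPort>
<NewInternalClient>192.168.1.20</NewInternalClient>
<NewEnabled>1</NewEnabled>
<NewPortMappingDescription>DVR web</NewPortMappingDescription>
<NewLeaseDuration>0</NewLeaseDuration>
</u:{ACTION}Response></s:Body></s:Envelope>"""

# Constructed sample of the fault a router returns once the index runs
# past the end of the table (UPnP error 713, SpecifiedArrayIndexInvalid).
SAMPLE_FAULT = f"""<s:Envelope xmlns:s="{SOAP_NS}">
<s:Body><s:Fault><faultcode>s:Client</faultcode><faultstring>UPnPError</faultstring>
<detail><UPnPError xmlns="urn:schemas-upnp-org:control-1-0">
<errorCode>713</errorCode><errorDescription>SpecifiedArrayIndexInvalid</errorDescription>
</UPnPError></detail></s:Fault></s:Body></s:Envelope>"""


def parse_mapping(xml_text):
    """Return the Mapping in a response, or None for a SOAP fault (end of table)."""
    body = ET.fromstring(xml_text).find(f"{{{SOAP_NS}}}Body")
    resp = body.find(f"{{{SERVICE}}}{ACTION}Response")
    if resp is None:
        return None
    text = lambda name: (resp.findtext(name) or "").strip()   # argument elements are unqualified
    return Mapping(int(text("NewExternalPort")), text("NewProtocol"),
                   text("NewInternalClient"), int(text("NewInternalPort")),
                   text("NewPortMappingDescription"), int(text("NewLeaseDuration")))


def query_router(control_url, index, timeout=5):
    """Live request for table entry `index`; control_url comes from the router's
    IGD device description (discovery is outside this example)."""
    envelope = (f'<?xml version="1.0"?><s:Envelope xmlns:s="{SOAP_NS}" '
                f's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
                f'<s:Body><u:{ACTION} xmlns:u="{SERVICE}">'
                f'<NewPortMappingIndex>{index}</NewPortMappingIndex>'
                f'</u:{ACTION}></s:Body></s:Envelope>')
    req = Request(control_url, data=envelope.encode(), method="POST", headers={
        "Content-Type": 'text/xml; charset="utf-8"',
        "SOAPAction": f'"{SERVICE}#{ACTION}"'})
    try:
        with urlopen(req, timeout=timeout) as r:
            return r.read().decode()
    except HTTPError as e:          # end of table arrives as HTTP 500 plus a SOAP fault
        return e.read().decode()


def list_mappings(fetch, limit=1000):
    """fetch(index) -> response XML. Walk indices until the router faults."""
    mappings = []
    for i in range(limit):
        m = parse_mapping(fetch(i))
        if m is None:
            break
        mappings.append(m)
    return mappings


def audit(mappings):
    """One human-readable line per mapping, flagging entries that never expire."""
    lines = []
    for m in mappings:
        note = " [permanent]" if m.lease_seconds == 0 else f" [{m.lease_seconds}s lease]"
        lines.append(f"{m.protocol} {m.external_port} -> {m.internal_client}:"
                     f"{m.internal_port} '{m.description}'{note}")
    return lines


def sample_fetch(index):
    """Offline stand-in for query_router using the constructed samples."""
    return SAMPLE_RESPONSE if index == 0 else SAMPLE_FAULT


if __name__ == "__main__":
    # Against a real router: list_mappings(lambda i: query_router(CONTROL_URL, i))
    print("\n".join(audit(list_mappings(sample_fetch))))
```

Every line the audit prints is a path from the internet straight to a LAN device that the router's firewall would otherwise block; a permanent entry pointing at a camera or DVR web interface is exactly the exposure the commenters are describing, and it is worth comparing the list against the devices you knowingly published.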

  • Anonymous Coward, 24 Oct 2016 @ 12:56pm

    I never thought I'd learn to despise the word smart except in sentences like: ooh, that smarts.

  • McFortner (profile), 24 Oct 2016 @ 1:09pm

    IoT

    I like the Internet a lot, but do we really need everything we own hooked up to it? It's because of all these IoT gadgets we are going to see more attacks like this. Yet most of those devices don't add anything significant to our lives. Do we really need to turn on our coffee makers from work? C'mon, we're just grasping at things to put online now that don't need to be. Until we can get a better grasp on the crap we have hooked up already we shouldn't be adding gasoline to the fire.

    • Crazy Canuck, 24 Oct 2016 @ 1:47pm

      Re: IoT

      How would I be able to tell what time it is at my house if I can't access my clock remotely from my work computer?

      Also, I need my toaster hooked into the internet to be able to download the newest firmware! How else would I know if my bread is being burnt to imperfection?

      • Anonymous Coward, 24 Oct 2016 @ 1:56pm

        Re: Re: IoT

        Only firmware? Pft, you are so old fashioned. Get with the times!

        My toaster has its own unlimited wireless plan and live streams its perfect toasting on a YouTube channel.

        Also my paint can takes time lapse photographs of the room painting process and uploads them to a branded Instagram page that makes a movie of the paint drying process.

      • Roger Strong (profile), 24 Oct 2016 @ 2:29pm

        Re: Re: IoT

        Time to watch Buster Keaton's The Electric House (1922). Fair warning on the sheer madness of the idea of wiring up a home with electric gadgets.

  • Jeffrey Nonken (profile), 24 Oct 2016 @ 1:09pm

    The smartest thing in my home is the cat.

  • Anonymous Coward, 24 Oct 2016 @ 1:58pm

    Attack participation check

    "[these devices] usually provide no functionality to help users determine if they're generating traffic or participating in attacks."

    How would that work? Were I writing a worm the first thing I'd do is make that function always return "NO".

    • Thad, 24 Oct 2016 @ 2:35pm

      Re: Attack participation check

      Well, an external utility (website, phone app, etc.) could check for open ports and unchanged default logins pretty easily. It wouldn't prove the device had been compromised, but it would prove it was vulnerable.

      This would presumably lead malware authors to make their software automatically close open ports and change default passwords, but I guess that at least means they'd be protecting you against other malware exploiting the same vulnerabilities.

      • Anonymous Coward, 24 Oct 2016 @ 5:02pm

        Re: Re: Attack participation check

        Wasn't there an actual PC virus a few years ago that did just this? (closing up a vulnerability another worm was using, that is?)

        • That One Guy (profile), 24 Oct 2016 @ 5:39pm

          Re: Re: Re: Attack participation check

          Now if we can just get that idea and expand upon it, have the malware and virus makers more focused on attacking each other than the poor sods playing unwilling (and often unknowing) 'host', we'd be golden.

        • orbitalinsertion (profile), 24 Oct 2016 @ 10:48pm

          Re: Re: Re: Attack participation check

          More than once, but yes, Conficker is probably what you remember.

  • Anonymous Coward, 24 Oct 2016 @ 6:49pm

    Perhaps these "camera" IoT devices were *intended* as Trojan Horses

    that the Chinese conned us into paying good money for.

    The Chinese gather intelligence differently from Western nations ... While Russians and Americans rely on professional snoops or fancy equipment, the Chinese count on friends and connections to piece together information ... if the Chinese wanted to learn about a beach, they would send in a thousand tourists, each assigned to collect a single grain of sand. "When they returned, they would be asked to shake out their towels. And [the Chinese] would end up knowing more about the sand than anyone else."

  • That Anonymous Coward (profile), 24 Oct 2016 @ 10:23pm

    If only there was, I dunno, some sort of law that forced companies to bear the costs of their security failures.

    Far too often we see companies gleefully suing people who dare to politely point out flaws rather than fix them.
    Sending researchers the bill for having to fix the bug they discovered.
    Sending the DoJ on a rampage to threaten to put them in jail for crimes against humanity.
    Issuing press releases blaming the researchers for the bug.

    This is 'we just slapped our brand on something & did none of the work' and jacked the price up several magnitudes because our brand name is worth it. They got profits, we got a growing network of shit that will be used to cripple the entire internet. Perhaps it's time to stop pretending corporations will do anything about this on their own & we start punishing them for taking the path of most profits.

    • The Event More Anonymous Coward, 25 Oct 2016 @ 5:37am

      Re:

      Perhaps it's time to stop pretending that government is the answer? Besides, aren't they the ones bailing out big business instead of the little guy, spying on every man/woman/child, starting wars, torturing people, drone striking citizens and giving away corporate sovereignty so now corporations stand above governments?

  • Ninja (profile), 25 Oct 2016 @ 5:38am

    The question is how effective this recall will be. Most people who buy Chinese stuff of less known brands are also the type that would either never know about the recall or just don't care/understand if they did.

    Of course we have a huge problem on our hands but we should be really focused on stopping new attack vectors from entering the market. At the very least everybody seems to have started giving a damn. Better late than never, eh?

  • JBDragon (profile), 25 Oct 2016 @ 8:03am

    The problem with IoT is it was never designed for all the crap it's being used for. Security is weak or non-existent. Many times, even if you wanted to change a password, you can't; it's baked into the firmware. This stuff may not ever get updated, let alone fixed, because it can't.

    Apple's HomeKit is all about security. Some companies have had issues with that. They don't want to get the chip needed for security as it costs more money. So they go the IoT route.

    I just avoid all this stuff as much as I can. I would NEVER get any IoT cameras or door locks, right off the bat. That would be completely dumb. The only thing I have is my device for the garage door that can open and close it and tell me when it opens and closes. It's not an IoT or HomeKit device. I trust it at least more than an IoT device. The only reason I got it was because that's how we get in/out of the house 99% of the time.

    My Dad, who lives with me, has left the door wide open when he drove away. I'd come home to find the door open, and luckily not robbed blind. Especially where I live. Now I'm warned if it's left open longer than 5 minutes and then 10 minutes, and I can close it myself anywhere I'm at. But it also warns him, so he can close it. Since having it, it hasn't been an issue.

    I tried putting a label on his mirror saying to make sure the door was closed and that didn't work. So sometimes you have to resort to other methods. I do also have a Wifi module on my new hot water heater I replaced this last December. It's really pretty silly. I have an app for it. I can adjust the temp. I mean, who doesn't need to do that all the time, if not NEVER! Or put it into Vacation mode, which lowers the temp way down. Again, I walk right next to it every day as it's in my garage right near the door. It's so easy to just turn the dial down.

    The other features: it'll warn if there's a leak, as there's a probe you put in the pan that will sense water. It'll also tell you if there's some other error or issue. The problem with that is it requires electricity. Yep, where I live in CA, I need a special heater. This one has an electric damper on it. When it's heating it opens; when it isn't heating it closes to help keep the heat in. It's of course larger diameter, because there's more insulation around it. That can be a problem for some people with limited space already. It has an electric gas valve. Any issues and the app would let me know. Problem is, once already the circuit breaker of the outlet popped; that killed the power, killed the Wifi on the heater and stopped the gas valve from working, and in the morning going to use the shower, all I have is warm water. I wasn't told of any problem because there was no power for the Wifi module to work!!! Kind of a big flaw, wouldn't you think?

    It's really silly having a GAS water heater that I have to plug into the wall for power. It's on a long cable with a large wall wart (transformer) on the end. Really, more crap that can go wrong with it. It wasn't cheap either, even though I installed it myself. Luckily there was a $150 rebate for that heater from PG&E before the end of the year, so I got lucky it went bad when it did instead of a week later. The Wifi on it I think is pretty silly and almost worthless.

  • Michael, 25 Oct 2016 @ 9:32am

    Techdirt T-Shirt idea:

    Shirt with an iron burn on it that reads: my smart iron overheated while running a DDoS attack
