HideTechdirt is off for the long weekend! We'll be back with our regular posts tomorrow.
HideTechdirt is off for the long weekend! We'll be back with our regular posts tomorrow.

Chinese Hardware That Fueled Massive DYN BotNet Attack Still Poorly Secured Pieces Of Shit

from the interet-of-broken-things dept

Just about two years ago, you might recall that the internet partially imploded after DNS provider Dyn was hit with a historically massive DDOS attack. A major reason for the attack was the Mirai botnet malware, which made creating rampant botnets a pretty trivial affair for anybody with an IQ over 70. The other problem was that Mirai was able to quickly compromise and incorporate millions of internet of things devices as part of the assault thanks to said devices' lack of meaningful privacy and security protections.

That included a large number of DVRs and internet-connected cameras by a Chinese company by the name of XiongMai Technologies, which stated it would be recalling many of the devices after issuing a statement in rather broken English that didn't really make much sense:

"Security issues are a problem facing all mankind. Since industry giants have experienced them, Xiongmai is not afraid to experience them once, too."

Sure thing.

Fast forward several years, and you'll be shocked to learn that really nothing has changed at the company in terms of ensuring its cheap hardware can't be quickly compromised by hackers and thieves. Most of the fatal flaws remain in the company's products, including default login credentials, terrible GUIs that fail to show what the device is doing online, intentional backdoors, and pretty basic design flaws like the failure to prompt a password change during setup.

Worse, because XiongMai Technologies is a "white label vendor" whose hardware is often repackaged and resold under a universe of different brands, it's impossible for many to know if they even own these substandard products, notes activist and author Cory Doctorow:

"Xiongmai is a white-label vendor whose products are sold under hundreds of brand-names, making it nearly impossible to tell whether you are about to buy (or already own) one of their defective products...The most reliable way to determine if you own a Xiongmai product is to see if its control systems mention "XMEye." But even if you ditch your Xiongmai product, it's clear that the whole industry is a cesspool of flaming garbage devices, and there's probably not an alternative you can trust."

Of course Xiongmai is just one of several, similar Chinese IOT hardware vendors that pretty clearly couldn't give less of a shit about user privacy and security, or the fact these devices directly impact the health of the internet. SEC Consult has been not only issuing advisories surrounding Xiongmai and its universe of offshoot products, but also about a myriad of other, similarly-unaccountable hardware vendors like Shenzhen Gwelltimes Technology Co. All told we're talking about more than 9 million DVRs and cameras currently in use protected with the security equivalent of wet cardboard.

As security experts like Bruce Schneier keep pointing out, we're basically begging for a massive dumpster fire that could have dramatic and potentially even fatal repercussions. And the solution isn't just one thing or another, it's going to require a concerted, cross-sector collaborative effort that starts with integrating security and privacy warnings into product reviews, and naming and shaming vendors that pretty clearly don't think even the barest bones privacy and security standards are worth the time or money it takes to develop them.


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • identicon
    Anonymous Coward, 26 Oct 2018 @ 2:01pm

    The best way to tell if you own a Xiongmai device...

    ... is to test how quickly you can own the suspected device. ;)

    reply to this | link to this | view in chronology ]

  • icon
    Phoenix84 (profile), 26 Oct 2018 @ 2:08pm

    Which is it?

    Come on now, which is it: wet cardboard, or a dumpster fire? It can't be both.
    /s

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 26 Oct 2018 @ 2:47pm

      Re: Which is it?

      You can't secure a dumpster fire....

      You can secure wet cardboard though. Just throw it into a dumpster fire.

      reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 26 Oct 2018 @ 6:20pm

      Re: Which is it?

      It's a time line.

      We had wet cardboard, but it was only wet from being soaked is gasoline.

      Now it's a dumpster fire.

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 26 Oct 2018 @ 8:34pm

    "really nothing has changed at the company"

    Duh. It's a Chinese company and they're out of reach for any legal means. There's literally hundreds of rebranding operations going on that simply filters cheap knock-off and off brand Chinese goods flooding not just the US but Europe and the rest of the world. Block one, and five more step up to make a quick buck and disappear the next day. The only way to stop this is either for a societal change - people stop buying this junk en mass, or to cut off ties with China. It's not going to stop otherwise. These companies are subsidized by their own government. Effectively government owned companies who's entire point is to wage economic warfare by dumping cheap knockoffs in another country's markets.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 26 Oct 2018 @ 9:28pm

    This is one of the few problems where import control would actually work if implemented well.

    Government owned/funded inspection lab would routinely check common appliances found in the market. If it discovers you product is shit? They levy penalties up to total import ban, depending on severity of the vulnerability (=was it obviously deliberate) and your willingness to correct it.

    Like poison can't be sold as food, dumpster fires shouldn't be sold as electronics.

    reply to this | link to this | view in chronology ]

  • icon
    Jeffrey Nonken (profile), 27 Oct 2018 @ 1:48am

    Eh. As long as we don't use Huawei, the internet is safe.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 27 Oct 2018 @ 2:54pm

    Hasn't America had enough of chinese crap? You fucking traitors out there and you know who you are should be all hung for sending American ideas out to our enemies to mass produce crap.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 29 Oct 2018 @ 8:38am

    Not hardware problems

    All the problems you list are software problems, not hardware ones. And I don't mean this in a pedantic way—it may well be the root of the issue. These companies think their products are hardware, and happen to develop a bit of software as an afterthought.

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Use markdown for basic formatting. HTML is no longer supported.
  Save me a cookie
Follow Techdirt
Techdirt Gear
Show Now: Takedown
Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories

Close

Email This

This feature is only available to registered users. Register or sign in to use it.