Chinese Company Recalls Cameras, DVRs Used In Last Week's Massive DDoS Attack
from the internet-of-broken-things dept
For some time now, security researchers have been warning that our lackadaisical approach to Internet of Things security would soon be coming home to roost. Initially it was kind of funny to read how “smart” fridges, tea kettles and Barbie dolls did an arguably worse job than their dumb counterparts with a greater risk to privacy and security. But as we collectively realized that these devices not only created millions of new home and business attack vectors, but could also be used to wage historically-unprecedented DDoS attacks, things quickly became less amusing.
Last week, the theoretical became very real with the massive attack on DNS provider DYN, which knocked a swath of companies and services off the internet for a large portion of Friday. In a piece discussing the attack over at Flashpoint, the security firm (which worked with Akamai to help DYN) notes that the DDoS was indeed thanks to compromised IoT devices, and the Mirai botnet malware recently released to make compromising and harnessing such devices easier than ever. But the group also notes that targeted devices included everything from cameras to… your cable DVR:
“Mirai malware targets Internet of Things (IoT) devices like routers, digital video records (DVRs), and webcams/security cameras, enslaving vast numbers of these devices into a botnet, which is then used to conduct DDoS attacks. Flashpoint has confirmed that at least some of the devices used in the Dyn DNS attacks are DVRs, further matching the technical indicators and tactics, techniques, and procedures (TTPs) associated with previous known Mirai botnet attacks.”
Brian Krebs notes that the lion’s share of these devices were manufactured by a Chinese company named XiongMai Technologies, which almost instantly found a huge swath of its product line contributing to the attack:
“It?s remarkable that virtually an entire company?s product line has just been turned into a botnet that is now attacking the United States,? Nixon said, noting that Flashpoint hasn?t ruled out the possibility of multiple botnets being involved in the attack on Dyn. At least one Mirai [control server] issued an attack command to hit Dyn,? Nixon said. ?Some people are theorizing that there were multiple botnets involved here. What we can say is that we?ve seen a Mirai botnet participating in the attack.”
For what it’s worth, XiongMai was quick to issue a statement announcing that it would be recalling some of its products (mostly webcams), while strengthening password functions (Mirai often depends on default usernames and passwords) and sending users a patch for products made before April of last year. It also issued a poorly translated statement on its role in bringing the U.S. Internet to a crawl for much of Friday:
“Security issues are a problem facing all mankind. Since industry giants have experienced them, Xiongmai is not afraid to experience them once, too,” the company statement said.
And while that’s all well and good, that’s just one company. There are dozens upon dozens of companies and “IoT evangelists” that refuse to acknowledge that they put hype and personal profit ahead of security, by proxy putting the entire internet at risk. Not only do most of these devices lack even the most fundamental security, they usually provide no functionality to help users determine if they’re generating traffic or participating in attacks. And these devices are often sitting behind consumer-grade routers on the network that have equally flimsy security while using default username and password combinations.
So while it’s nice to see at least one company almost admit culpability, this really is little more than a small drop in a very deep ocean of dysfunction. It’s going to take a lot more naming and shaming of the companies that pushed “smart” but idiotic and poorly-secured technologies on consumers if we’re to avoid significantly worse (and potentially fatal) attacks.
Filed Under: botnet, cameras, china, ddos, dvrs, mirai, recall
Companies: dyn, xiongmai
Comments on “Chinese Company Recalls Cameras, DVRs Used In Last Week's Massive DDoS Attack”
Translated statement?
Think it said,”All your cameras are belong to us?”
Lack of diversity (in both HW/SW) == disaster
Major plagues can take out 60-80% of human
populations, but 20-40% still remains.
With the lack of diversity in computer HW/SW,
a major malware “plague” could take out nearly
100%.
Re: Lack of diversity (in both HW/SW) == disaster
That is the downside of nsa helping bill gates monopolize pc market with that crap called Windows 95 and later. That is like most humans having same Dna prone to plague. Then, they cry wiki leaks released podestas emails.
So how long until this story expands to:
“[big telecom company] outdated wifi router and cable box software allows biggest DDoS attack vector to date.”
With a followup along the lines of: “Big Cable Company profited millions of dollars in overage fees from those same attacks and refuses to refund victims when the attack vector came from the Big Cable Company’s own devices. They claim the customer is responsible for updating Big Cable Company hardware and points to the small fine print buried on page 455 of the contract that says the customer must weekly log into a 56k dial-in only BBS to download new firmware for their DVR router. “
That vast majority of those camera and DVR owners will never hear about the recall. Their security camera systems will have been bought – often rebranded – from third-party companies.
But...
That’s just DVR’s and Cameras with external IP addresses or the port forwarding from the firewall, I assume?
This whole hype still misses the point that a device behind a firewall is inaccessible unless something is port-forwarded to it, correct? (Unless they could spoof some devic’s central server IP…?)
Re: But...
Our (rebranded but obviously Chinese-made) security camera system is port-forwarded to the internet. That way you can watch from a browser app at home, or for an iPhone or Android app.
Re: But...
Remember, most home routers support UPnP, where convenience trumps security.
Re: But...
Many of the devices have uPNP turned on by default and they therefore automatically poke holes in router firelwalls, and NATs
i never thought i’d learn to despise the word smart except in sentences like: ooh, that smarts.
Re: Re:
I’ve heard the same thing from Smart Car reviewers and smart bomb targets.
IoT
I like the Internet a lot, but do we really need everything we own hooked up to it? It’s because of all these IoT gadgets we are going to see more attacks like this. Yet most of those devices don’t add anything significant to our lives. Do we really need to turn on our coffee makers from work? C’mon, we’re just grasping at things to put online now that don’t need to be. Until we can get a better grasp on the crap we have hooked up already we shouldn’t be adding gasoline to the fire.
Re: IoT
How would I be able to tell what time it is at my house if I can’t access my clock remotely from my work computer?
Also, I need my toaster hooked into the internet to be able to download the newest firmware! How else would I know if my bread is being burnt to imperfection?
Re: Re: IoT
Only firmware? Pft you are so old fashioned. Get with the times!
My toaster has its own unlimited wireless plan and live streams its perfect toasting on a youtube channel.
Also my paint can takes time lapse photographs of the room painting process and uploads them to a branded instagram page that makes a movie of the paint drying process.
Re: Re: IoT
Time to watch Buster Keaton’s The Electric House (1922). Fair warning on the sheer madness of the idea of wiring up a home with electric gadgets.
Re: Re: Re: IoT
Merrie Melodies cartoon, Dog Gone Modern, 1939.
The smartest thing in my home is the cat.
Re: Re:
Is it possible to stop them from posting so many selfies?
Attack participation check
How would that work? Were I writing a worm the first thing I’d do is make that function always return "NO".
Re: Attack participation check
Well, an external utility (website, phone app, etc.) could check for open ports and unchanged default logins pretty easily. It wouldn’t prove the device had been compromised, but it would prove it was vulnerable.
This would presumably lead malware authors to make their software automatically close open ports and change default passwords, but I guess that at least means they’d be protecting you against other malware exploiting the same vulnerabilities.
Re: Re: Attack participation check
Wasn’t there an actual PC virus a few years ago that did just this? (closing up a vulnerability another worm was using that is?)
Re: Re: Re: Attack participation check
Now if we can just get that idea and expand upon it, have the malware and virus makers more focused on attacking each other than the poor sods playing unwilling(and often unknowing) ‘host’, we’d be golden.
Re: Re: Re: Attack participation check
More than once, but yes, Conficker is probably what you remember.
Inform tyrself
Someone here asked about firewalls. Inform thyself by reading some of Krebs excellent articles on the problem.
https://krebsonsecurity.com/2016/10/hacked-cameras-dvrs-powered-todays-massive-internet-outage/
https://krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack/
https://krebsonsecurity.com/2016/10/iot-devices-as-proxies-for-cybercrime/
and others……
Perhaps these "camera" IoT devices were *intended* as Trojan Horses
that the Chinese conned us into paying good money for.
The Chinese gather intelligence differently from Western nations … While Russians and Americans rely on professional snoops or fancy equipment, the Chinese count on friends and connections to piece together information … if the Chinese wanted to learn about a beach, they would send in a thousand tourists, each assigned to collect a single grain of sand. “When they returned, they would be asked to shake out their towels. And [the Chinese] would end up knowing more about the sand than anyone else.”
If only there was I dunno some sort of law that forced companies to bear the costs of their security failures.
Far to often we see companies gleefully suing people who dare to politely point out flaws rather than fix them.
Sending researchers the bill for having to fix the bug they discovered.
Sending the DoJ on a rampage to threaten to put them in jail for crimes against humanity.
Issuing press releases blaming the researchers for the bug.
This is ‘we just slapped our brand on something & did none of the work’ and jacked the price up several magnitudes because our brand name is worth it. They got profits, we got a growing network of shit that will be used to cripple the entire internet. Perhaps its time to stop pretending corporations will do anything about this on their own & we start punishing them for taking the path of most profits.
Re: Re:
Perhaps its time to stop pretending that government is the answer? Besides, aren’t they the ones bailing out big business instead of the little guy, spying on every man/woman/child, starting wars, torturing people, drone striking citizens and giving away corporate sovereignty so now corporations stand above governments?
The question is how effective will be this recall. Most people who buy Chinese stuff of less known brands are also the type that would either never know about the recall or just don’t care/understand if they did.
Of course we have a huge problem in our hands but we should be really focused on stopping new attack vectors from entering the market. At the very least everybody seems to have started giving a damn. Better late than never eh?
The problem with IoT is it was never designed for all the crap it’s being used for. Security is weak or non-existent. Many times even if you wanted to change a password, you can’t it’s baked into the firmware. This stuff may not ever get updated, let alone fixed because it can’t.
Apple’s Homekit is all about Security. Some company’s have had issues with that. They don’t want to get the chip needed for security as it costs more money. So they go the IoT route.
I just avoid all this stuff as much as I can. I would NEVER get any IoT Camera’s or Door Locks, right off the bat. That would be completely dumb. The only thing I have is my device for the Garage door that can open and close it and tell me when it opens and closes. It’s not a IoT or Homekit device. I trust it at least more then a IoT device. The only reason I got it was because that’s how we get in/out of the house 99% of the time.
My Dad who lives with me has left the door wide open when he drove away. I’d come home to find the door open, and luckily not robbed blind. Especially where I live. Now I’m warned if it’s left opened longer then 5 minutes and then 10 minutes and I can close it myself anywhere I’m at. But it also warns him also, and so he can close it. Since having it, it hasn’t been a issue.
I tried putting a label on his mirror saying to make sure the door was closed and that didn’t work. So sometimes you have to resort to other methods. I do also have a Wifi module on my new Hot Water Heater I replaced this last December. It’s really pretty silly. I have a App for it. I can adjust the temp. I mean who doesn’t need to do that all the time if not NEVER! Or put it into Vacation mode, which lowers the temp way down. Again I talk right next to it every day in as it’s in my garage right near the door. It’s so easy to just turn the dial down.
The other features, it’ll warn if there’s a leak as there’s a probe you put in the pan that will sense water. It’ll also tell you if there’s some other error, issue. The problem with that, It requires Electricity, Yep, where I live in CA, I need a special Heater, This one has a Electric Damper on it. When it’s heating it opens, when it isn’t heating it closes to help keep the heat in. It’s of course larger diameter, because there’s more insulation around it. That can be a problem for some people with limited space already. It has a Electric Gas Valve. Any issues and the App would let me know. Problem is, once already the circuit breaker of the outlet popped, that killed the power, killed the Wifi on the heater and stopped the gas valve from working, and in the morning going to use the shower, all I have is warm water. I wasn’t told of any problem because there was no power for the Wifi module to work!!! Kind of a big flaw, wouldn’t you think?
It’s really silly having a GAS water heater that I have to plug into the wall for power. It’s on a long cable with a large wall wart(Transformer) on the end. Really, more crap that can go wrong with it. It wasn’t cheap ether, even though I installed it myself. Luckily there was a $150 rebate for that heater from PG&E before the end of the year, so I got luckily it went bad when it did instead of a week later. The Wifi on it I think is pretty silly and almost worthless.
Techdirt T-Shirt idea:
Shirt with an iron burn on it that reads: my smart iron overheated while running a DDoS attack