Chinese Company Recalls Cameras, DVRs Used In Last Week's Massive DDoS Attack
from the internet-of-broken-things dept
For some time now, security researchers have been warning that our lackadaisical approach to Internet of Things security would soon be coming home to roost. Initially it was kind of funny to read how "smart" fridges, tea kettles and Barbie dolls did an arguably worse job than their dumb counterparts with a greater risk to privacy and security. But as we collectively realized that these devices not only created millions of new home and business attack vectors, but could also be used to wage historically-unprecedented DDoS attacks, things quickly became less amusing.
Last week, the theoretical became very real with the massive attack on DNS provider DYN, which knocked a swath of companies and services off the internet for a large portion of Friday. In a piece discussing the attack over at Flashpoint, the security firm (which worked with Akamai to help DYN) notes that the DDoS was indeed thanks to compromised IoT devices, and the Mirai botnet malware recently released to make compromising and harnessing such devices easier than ever. But the group also notes that targeted devices included everything from cameras to... your cable DVR:
"Mirai malware targets Internet of Things (IoT) devices like routers, digital video records (DVRs), and webcams/security cameras, enslaving vast numbers of these devices into a botnet, which is then used to conduct DDoS attacks. Flashpoint has confirmed that at least some of the devices used in the Dyn DNS attacks are DVRs, further matching the technical indicators and tactics, techniques, and procedures (TTPs) associated with previous known Mirai botnet attacks."
Brian Krebs notes that the lion's share of these devices were manufactured by a Chinese company named XiongMai Technologies, which almost instantly found a huge swath of its product line contributing to the attack:
"It's remarkable that virtually an entire company's product line has just been turned into a botnet that is now attacking the United States," Nixon said, noting that Flashpoint hasn't ruled out the possibility of multiple botnets being involved in the attack on Dyn. "At least one Mirai [control server] issued an attack command to hit Dyn," Nixon said. "Some people are theorizing that there were multiple botnets involved here. What we can say is that we've seen a Mirai botnet participating in the attack."
For what it's worth, XiongMai was quick to issue a statement announcing that it would be recalling some of its products (mostly webcams), while strengthening password functions (Mirai often depends on default usernames and passwords) and sending users a patch for products made before April of last year. It also issued a poorly translated statement on its role in bringing the U.S. Internet to a crawl for much of Friday:
"Security issues are a problem facing all mankind. Since industry giants have experienced them, Xiongmai is not afraid to experience them once, too," the company statement said.
And while that's all well and good, that's just one company. There are dozens upon dozens of companies and "IoT evangelists" that refuse to acknowledge that they put hype and personal profit ahead of security, by proxy putting the entire internet at risk. Not only do most of these devices lack even the most fundamental security, they usually provide no functionality to help users determine if they're generating traffic or participating in attacks. And these devices are often sitting behind consumer-grade routers on the network that have equally flimsy security while using default username and password combinations.
So while it's nice to see at least one company almost admit culpability, this really is little more than a small drop in a very deep ocean of dysfunction. It's going to take a lot more naming and shaming of the companies that pushed "smart" but idiotic and poorly-secured technologies on consumers if we're to avoid significantly worse (and potentially fatal) attacks.
Filed Under: botnet, cameras, china, ddos, dvrs, mirai, recall
Companies: dyn, xiongmai
Reader Comments
Translated statement?
[ link to this | view in chronology ]
Lack of diversity (in both HW/SW) == disaster
populations, but 20-40% still remains.
With the lack of diversity in computer HW/SW,
a major malware "plague" could take out nearly
100%.
[ link to this | view in chronology ]
Re: Lack of diversity (in both HW/SW) == disaster
[ link to this | view in chronology ]
"[big telecom company] outdated wifi router and cable box software allows biggest DDoS attack vector to date."
With a followup along the lines of: "Big Cable Company profited millions of dollars in overage fees from those same attacks and refuses to refund victims when the attack vector came from the Big Cable Company's own devices. They claim the customer is responsible for updating Big Cable Company hardware and points to the small fine print buried on page 455 of the contract that says the customer must weekly log into a 56k dial-in only BBS to download new firmware for their DVR router."
[ link to this | view in chronology ]
But...
This whole hype still misses the point that a device behind a firewall is inaccessible unless something is port-forwarded to it, correct? (Unless they could spoof some device's central server IP...?)
[ link to this | view in chronology ]
Re: But...
[ link to this | view in chronology ]
Re: But...
[ link to this | view in chronology ]
Re: But...
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
IoT
[ link to this | view in chronology ]
Re: IoT
Also, I need my toaster hooked into the internet to be able to download the newest firmware! How else would I know if my bread is being burnt to imperfection?
[ link to this | view in chronology ]
Re: Re: IoT
My toaster has its own unlimited wireless plan and live streams its perfect toasting on a youtube channel.
Also my paint can takes time lapse photographs of the room painting process and uploads them to a branded instagram page that makes a movie of the paint drying process.
[ link to this | view in chronology ]
Re: Re: IoT
[ link to this | view in chronology ]
Re: Re: Re: IoT
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Attack participation check
How would that work? Were I writing a worm the first thing I'd do is make that function always return "NO".
[ link to this | view in chronology ]
Re: Attack participation check
This would presumably lead malware authors to make their software automatically close open ports and change default passwords, but I guess that at least means they'd be protecting you against other malware exploiting the same vulnerabilities.
[ link to this | view in chronology ]
Re: Re: Attack participation check
[ link to this | view in chronology ]
Re: Re: Re: Attack participation check
[ link to this | view in chronology ]
Re: Re: Re: Attack participation check
[ link to this | view in chronology ]
Inform tyrself
https://krebsonsecurity.com/2016/10/hacked-cameras-dvrs-powered-todays-massive-internet-outage/
https://krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack/
https://krebsonsecurity.com/2016/10/iot-devices-as-proxies-for-cybercrime/
and others......
[ link to this | view in chronology ]
Perhaps these "camera" IoT devices were *intended* as Trojan Horses
The Chinese gather intelligence differently from Western nations ... While Russians and Americans rely on professional snoops or fancy equipment, the Chinese count on friends and connections to piece together information ... if the Chinese wanted to learn about a beach, they would send in a thousand tourists, each assigned to collect a single grain of sand. "When they returned, they would be asked to shake out their towels. And [the Chinese] would end up knowing more about the sand than anyone else."
[ link to this | view in chronology ]
Far too often we see companies gleefully suing people who dare to politely point out flaws rather than fix them.
Sending researchers the bill for having to fix the bug they discovered.
Sending the DoJ on a rampage to threaten to put them in jail for crimes against humanity.
Issuing press releases blaming the researchers for the bug.
This is 'we just slapped our brand on something & did none of the work' and jacked the price up several magnitudes because our brand name is worth it. They got profits, we got a growing network of shit that will be used to cripple the entire internet. Perhaps it's time to stop pretending corporations will do anything about this on their own & we start punishing them for taking the path of most profits.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Of course we have a huge problem in our hands but we should be really focused on stopping new attack vectors from entering the market. At the very least everybody seems to have started giving a damn. Better late than never eh?
[ link to this | view in chronology ]
Apple's Homekit is all about Security. Some companies have had issues with that. They don't want to get the chip needed for security as it costs more money. So they go the IoT route.
I just avoid all this stuff as much as I can. I would NEVER get any IoT Cameras or Door Locks, right off the bat. That would be completely dumb. The only thing I have is my device for the Garage door that can open and close it and tell me when it opens and closes. It's not an IoT or Homekit device. I trust it at least more than an IoT device. The only reason I got it was because that's how we get in/out of the house 99% of the time.
My Dad who lives with me has left the door wide open when he drove away. I'd come home to find the door open, and luckily not robbed blind. Especially where I live. Now I'm warned if it's left opened longer than 5 minutes and then 10 minutes and I can close it myself anywhere I'm at. But it also warns him also, and so he can close it. Since having it, it hasn't been an issue.
I tried putting a label on his mirror saying to make sure the door was closed and that didn't work. So sometimes you have to resort to other methods. I do also have a Wifi module on my new Hot Water Heater I replaced this last December. It's really pretty silly. I have an App for it. I can adjust the temp. I mean who doesn't need to do that all the time if not NEVER! Or put it into Vacation mode, which lowers the temp way down. Again I talk right next to it every day in as it's in my garage right near the door. It's so easy to just turn the dial down.
The other features, it'll warn if there's a leak as there's a probe you put in the pan that will sense water. It'll also tell you if there's some other error, issue. The problem with that, It requires Electricity, Yep, where I live in CA, I need a special Heater, This one has an Electric Damper on it. When it's heating it opens, when it isn't heating it closes to help keep the heat in. It's of course larger diameter, because there's more insulation around it. That can be a problem for some people with limited space already. It has an Electric Gas Valve. Any issues and the App would let me know. Problem is, once already the circuit breaker of the outlet popped, that killed the power, killed the Wifi on the heater and stopped the gas valve from working, and in the morning going to use the shower, all I have is warm water. I wasn't told of any problem because there was no power for the Wifi module to work!!! Kind of a big flaw, wouldn't you think?
It's really silly having a GAS water heater that I have to plug into the wall for power. It's on a long cable with a large wall wart (Transformer) on the end. Really, more crap that can go wrong with it. It wasn't cheap either, even though I installed it myself. Luckily there was a $150 rebate for that heater from PG&E before the end of the year, so I got lucky it went bad when it did instead of a week later. The Wifi on it I think is pretty silly and almost worthless.
[ link to this | view in chronology ]
Shirt with an iron burn on it that reads: my smart iron overheated while running a DDoS attack
[ link to this | view in chronology ]