Chinese Company Recalls Cameras, DVRs Used In Last Week's Massive DDoS Attack

from the internet-of-broken-things dept

Mon, Oct 24th 2016 11:40am — Karl Bode

For some time now, security researchers have been warning that our lackadaisical approach to Internet of Things security would soon be coming home to roost. Initially it was kind of funny to read how "smart" fridges, tea kettles and Barbie dolls did an arguably worse job than their dumb counterparts with a greater risk to privacy and security. But as we collectively realized that these devices not only created millions of new home and business attack vectors, but could also be used to wage historically-unprecedented DDoS attacks, things quickly became less amusing.

Last week, the theoretical became very real with the massive attack on DNS provider DYN, which knocked a swath of companies and services off the internet for a large portion of Friday. In a piece discussing the attack over at Flashpoint, the security firm (which worked with Akamai to help DYN) notes that the DDoS was indeed thanks to compromised IoT devices, and the Mirai botnet malware recently released to make compromising and harnessing such devices easier than ever. But the group also notes that targeted devices included everything from cameras to... your cable DVR:

"Mirai malware targets Internet of Things (IoT) devices like routers, digital video records (DVRs), and webcams/security cameras, enslaving vast numbers of these devices into a botnet, which is then used to conduct DDoS attacks. Flashpoint has confirmed that at least some of the devices used in the Dyn DNS attacks are DVRs, further matching the technical indicators and tactics, techniques, and procedures (TTPs) associated with previous known Mirai botnet attacks."

Brian Krebs notes that the lion's share of these devices were manufactured by a Chinese company named XiongMai Technologies, which almost instantly found a huge swath of its product line contributing to the attack:

"It’s remarkable that virtually an entire company’s product line has just been turned into a botnet that is now attacking the United States,” Nixon said, noting that Flashpoint hasn’t ruled out the possibility of multiple botnets being involved in the attack on Dyn. At least one Mirai [control server] issued an attack command to hit Dyn,” Nixon said. “Some people are theorizing that there were multiple botnets involved here. What we can say is that we’ve seen a Mirai botnet participating in the attack."

For what it's worth, XiongMai was quick to issue a statement announcing that it would be recalling some of its products (mostly webcams), while strengthening password functions (Mirai often depends on default usernames and passwords) and sending users a patch for products made before April of last year. It also issued a poorly translated statement on its role in bringing the U.S. Internet to a crawl for much of Friday:

"Security issues are a problem facing all mankind. Since industry giants have experienced them, Xiongmai is not afraid to experience them once, too," the company statement said.

And while that's all well and good, that's just one company. There are dozens upon dozens of companies and "IoT evangelists" that refuse to acknowledge that they put hype and personal profit ahead of security, by proxy putting the entire internet at risk. Not only do most of these devices lack even the most fundamental security, they usually provide no functionality to help users determine if they're generating traffic or participating in attacks. And these devices are often sitting behind consumer-grade routers on the network that have equally flimsy security while using default username and password combinations.

So while it's nice to see at least one company almost admit culpability, this really is little more than a small drop in a very deep ocean of dysfunction. It's going to take a lot more naming and shaming of the companies that pushed "smart" but idiotic and poorly-secured technologies on consumers if we're to avoid significantly worse (and potentially fatal) attacks.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: botnet, cameras, china, ddos, dvrs, mirai, recall
Companies: dyn, xiongmai

30 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Blindsquirrel, 24 Oct 2016 @ 11:54am

Translated statement?
Think it said,"All your cameras are belong to us?"
[ link to this | view in chronology ]
Anonymous Coward, 24 Oct 2016 @ 12:02pm

Lack of diversity (in both HW/SW) == disaster
Major plagues can take out 60-80% of human
populations, but 20-40% still remains.

With the lack of diversity in computer HW/SW,
a major malware "plague" could take out nearly
100%.
[ link to this | view in chronology ]
- Anonymous Coward, 25 Oct 2016 @ 3:52pm
  
  Re: Lack of diversity (in both HW/SW) == disaster
  That is the downside of nsa helping bill gates monopolize pc market with that crap called Windows 95 and later. That is like most humans having same Dna prone to plague. Then, they cry wiki leaks released podestas emails.
  [ link to this | view in chronology ]
Anonymous Coward, 24 Oct 2016 @ 12:18pm

So how long until this story expands to:

"[big telecom company] outdated wifi router and cable box software allows biggest DDoS attack vector to date."

With a followup along the lines of: "Big Cable Company profited millions of dollars in overage fees from those same attacks and refuses to refund victims when the attack vector came from the Big Cable Company's own devices. They claim the customer is responsible for updating Big Cable Company hardware and points to the small fine print buried on page 455 of the contract that says the customer must weekly log into a 56k dial-in only BBS to download new firmware for their DVR router. "
[ link to this | view in chronology ]
Roger Strong (profile), 24 Oct 2016 @ 12:21pm

That vast majority of those camera and DVR owners will never hear about the recall. Their security camera systems will have been bought - often rebranded - from third-party companies.
[ link to this | view in chronology ]
ANON, 24 Oct 2016 @ 12:24pm

But...
That's just DVR's and Cameras with external IP addresses or the port forwarding from the firewall, I assume?

This whole hype still misses the point that a device behind a firewall is inaccessible unless something is port-forwarded to it, correct? (Unless they could spoof some devic's central server IP...?)
[ link to this | view in chronology ]
- Roger Strong (profile), 24 Oct 2016 @ 12:36pm
  
  Re: But...
  Our (rebranded but obviously Chinese-made) security camera system is port-forwarded to the internet. That way you can watch from a browser app at home, or for an iPhone or Android app.
  [ link to this | view in chronology ]
- Anonymous Coward, 24 Oct 2016 @ 12:58pm
  
  Re: But...
  Remember, most home routers support UPnP, where convenience trumps security.
  [ link to this | view in chronology ]
- afn29129 (profile), 24 Oct 2016 @ 6:33pm
  
  Re: But...
  Many of the devices have uPNP turned on by default and they therefore automatically poke holes in router firelwalls, and NATs
  [ link to this | view in chronology ]
Anonymous Coward, 24 Oct 2016 @ 12:56pm

i never thought i'd learn to despise the word smart except in sentences like: ooh, that smarts.
[ link to this | view in chronology ]
- Roger Strong (profile), 24 Oct 2016 @ 1:02pm
  
  Re:
  I've heard the same thing from Smart Car reviewers and smart bomb targets.
  [ link to this | view in chronology ]
McFortner (profile), 24 Oct 2016 @ 1:09pm

IoT
I like the Internet a lot, but do we really need everything we own hooked up to it? It's because of all these IoT gadgets we are going to see more attacks like this. Yet most of those devices don't add anything significant to our lives. Do we really need to turn on our coffee makers from work? C'mon, we're just grasping at things to put online now that don't need to be. Until we can get a better grasp on the crap we have hooked up already we shouldn't be adding gasoline to the fire.
[ link to this | view in chronology ]
- Crazy Canuck, 24 Oct 2016 @ 1:47pm
  
  Re: IoT
  How would I be able to tell what time it is at my house if I can't access my clock remotely from my work computer?
  
  Also, I need my toaster hooked into the internet to be able to download the newest firmware! How else would I know if my bread is being burnt to imperfection?
  [ link to this | view in chronology ]
  - Anonymous Coward, 24 Oct 2016 @ 1:56pm
    
    Re: Re: IoT
    Only firmware? Pft you are so old fashioned. Get with the times!
    
    My toaster has its own unlimited wireless plan and live streams its perfect toasting on a youtube channel.
    
    Also my paint can takes time lapse photographs of the room painting process and uploads them to a branded instagram page that makes a movie of the paint drying process.
    [ link to this | view in chronology ]
  - Roger Strong (profile), 24 Oct 2016 @ 2:29pm
    
    Re: Re: IoT
    Time to watch Buster Keaton's The Electric House (1922). Fair warning on the sheer madness of the idea of wiring up a home with electric gadgets.
    [ link to this | view in chronology ]
    - afn29129 (profile), 24 Oct 2016 @ 7:00pm
      
      Re: Re: Re: IoT
      Merrie Melodies cartoon, Dog Gone Modern, 1939.
      [ link to this | view in chronology ]
Jeffrey Nonken (profile), 24 Oct 2016 @ 1:09pm

The smartest thing in my home is the cat.
[ link to this | view in chronology ]
- Anonymous Coward, 24 Oct 2016 @ 1:27pm
  
  Re:
  Is it possible to stop them from posting so many selfies?
  [ link to this | view in chronology ]
Anonymous Coward, 24 Oct 2016 @ 1:58pm

Attack participation check

[these devices] usually provide no functionality to help users determine if they're generating traffic or participating in attacks.

How would that work? Were I writing a worm the first thing I'd do is make that function always return "NO".
[ link to this | view in chronology ]
- Thad, 24 Oct 2016 @ 2:35pm
  
  Re: Attack participation check
  Well, an external utility (website, phone app, etc.) could check for open ports and unchanged default logins pretty easily. It wouldn't prove the device had been compromised, but it would prove it was vulnerable.
  
  This would presumably lead malware authors to make their software automatically close open ports and change default passwords, but I guess that at least means they'd be protecting you against other malware exploiting the same vulnerabilities.
  [ link to this | view in chronology ]
  - Anonymous Coward, 24 Oct 2016 @ 5:02pm
    
    Re: Re: Attack participation check
    Wasn't there an actual PC virus a few years ago that did just this? (closing up a vulnerability another worm was using that is?)
    [ link to this | view in chronology ]
    - That One Guy (profile), 24 Oct 2016 @ 5:39pm
      
      Re: Re: Re: Attack participation check
      Now if we can just get that idea and expand upon it, have the malware and virus makers more focused on attacking each other than the poor sods playing unwilling(and often unknowing) 'host', we'd be golden.
      [ link to this | view in chronology ]
    - orbitalinsertion (profile), 24 Oct 2016 @ 10:48pm
      
      Re: Re: Re: Attack participation check
      More than once, but yes, Conficker is probably what you remember.
      [ link to this | view in chronology ]
afn29129 (profile), 24 Oct 2016 @ 6:40pm

Inform tyrself
Someone here asked about firewalls. Inform thyself by reading some of Krebs excellent articles on the problem.

https://krebsonsecurity.com/2016/10/hacked-cameras-dvrs-powered-todays-massive-internet-outa ge/

https://krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack/

https://krebsonsecurity .com/2016/10/iot-devices-as-proxies-for-cybercrime/

and others......
[ link to this | view in chronology ]
Anonymous Coward, 24 Oct 2016 @ 6:49pm

Perhaps these "camera" IoT devices were *intended* as Trojan Horses
that the Chinese conned us into paying good money for.

The Chinese gather intelligence differently from Western nations ... While Russians and Americans rely on professional snoops or fancy equipment, the Chinese count on friends and connections to piece together information ... if the Chinese wanted to learn about a beach, they would send in a thousand tourists, each assigned to collect a single grain of sand. "When they returned, they would be asked to shake out their towels. And [the Chinese] would end up knowing more about the sand than anyone else."
[ link to this | view in chronology ]
That Anonymous Coward (profile), 24 Oct 2016 @ 10:23pm

If only there was I dunno some sort of law that forced companies to bear the costs of their security failures.

Far to often we see companies gleefully suing people who dare to politely point out flaws rather than fix them.
Sending researchers the bill for having to fix the bug they discovered.
Sending the DoJ on a rampage to threaten to put them in jail for crimes against humanity.
Issuing press releases blaming the researchers for the bug.

This is 'we just slapped our brand on something & did none of the work' and jacked the price up several magnitudes because our brand name is worth it. They got profits, we got a growing network of shit that will be used to cripple the entire internet. Perhaps its time to stop pretending corporations will do anything about this on their own & we start punishing them for taking the path of most profits.
[ link to this | view in chronology ]
- The Event More Anonymous Coward, 25 Oct 2016 @ 5:37am
  
  Re:
  Perhaps its time to stop pretending that government is the answer? Besides, aren't they the ones bailing out big business instead of the little guy, spying on every man/woman/child, starting wars, torturing people, drone striking citizens and giving away corporate sovereignty so now corporations stand above governments?
  [ link to this | view in chronology ]
Ninja (profile), 25 Oct 2016 @ 5:38am

The question is how effective will be this recall. Most people who buy Chinese stuff of less known brands are also the type that would either never know about the recall or just don't care/understand if they did.

Of course we have a huge problem in our hands but we should be really focused on stopping new attack vectors from entering the market. At the very least everybody seems to have started giving a damn. Better late than never eh?
[ link to this | view in chronology ]
JBDragon (profile), 25 Oct 2016 @ 8:03am

The problem with IoT is it was never designed for all the crap it's being used for. Security is weak or non-existent. Many times even if you wanted to change a password, you can't it's baked into the firmware. This stuff may not ever get updated, let alone fixed because it can't.

Apple's Homekit is all about Security. Some company's have had issues with that. They don't want to get the chip needed for security as it costs more money. So they go the IoT route.

I just avoid all this stuff as much as I can. I would NEVER get any IoT Camera's or Door Locks, right off the bat. That would be completely dumb. The only thing I have is my device for the Garage door that can open and close it and tell me when it opens and closes. It's not a IoT or Homekit device. I trust it at least more then a IoT device. The only reason I got it was because that's how we get in/out of the house 99% of the time.

My Dad who lives with me has left the door wide open when he drove away. I'd come home to find the door open, and luckily not robbed blind. Especially where I live. Now I'm warned if it's left opened longer then 5 minutes and then 10 minutes and I can close it myself anywhere I'm at. But it also warns him also, and so he can close it. Since having it, it hasn't been a issue.

I tried putting a label on his mirror saying to make sure the door was closed and that didn't work. So sometimes you have to resort to other methods. I do also have a Wifi module on my new Hot Water Heater I replaced this last December. It's really pretty silly. I have a App for it. I can adjust the temp. I mean who doesn't need to do that all the time if not NEVER! Or put it into Vacation mode, which lowers the temp way down. Again I talk right next to it every day in as it's in my garage right near the door. It's so easy to just turn the dial down.

The other features, it'll warn if there's a leak as there's a probe you put in the pan that will sense water. It'll also tell you if there's some other error, issue. The problem with that, It requires Electricity, Yep, where I live in CA, I need a special Heater, This one has a Electric Damper on it. When it's heating it opens, when it isn't heating it closes to help keep the heat in. It's of course larger diameter, because there's more insulation around it. That can be a problem for some people with limited space already. It has a Electric Gas Valve. Any issues and the App would let me know. Problem is, once already the circuit breaker of the outlet popped, that killed the power, killed the Wifi on the heater and stopped the gas valve from working, and in the morning going to use the shower, all I have is warm water. I wasn't told of any problem because there was no power for the Wifi module to work!!! Kind of a big flaw, wouldn't you think?

It's really silly having a GAS water heater that I have to plug into the wall for power. It's on a long cable with a large wall wart(Transformer) on the end. Really, more crap that can go wrong with it. It wasn't cheap ether, even though I installed it myself. Luckily there was a $150 rebate for that heater from PG&E before the end of the year, so I got luckily it went bad when it did instead of a week later. The Wifi on it I think is pretty silly and almost worthless.
[ link to this | view in chronology ]
Michael, 25 Oct 2016 @ 9:32am

Techdirt T-Shirt idea:

Shirt with an iron burn on it that reads: my smart iron overheated while running a DDoS attack
[ link to this | view in chronology ]