Chinese Hardware That Fueled Massive DYN BotNet Attack Still Poorly Secured Pieces Of Shit

from the interet-of-broken-things dept

Fri, Oct 26th 2018 1:33pm — Karl Bode

Just about two years ago, you might recall that the internet partially imploded after DNS provider Dyn was hit with a historically massive DDOS attack. A major reason for the attack was the Mirai botnet malware, which made creating rampant botnets a pretty trivial affair for anybody with an IQ over 70. The other problem was that Mirai was able to quickly compromise and incorporate millions of internet of things devices as part of the assault thanks to said devices' lack of meaningful privacy and security protections.

That included a large number of DVRs and internet-connected cameras by a Chinese company by the name of XiongMai Technologies, which stated it would be recalling many of the devices after issuing a statement in rather broken English that didn't really make much sense:

"Security issues are a problem facing all mankind. Since industry giants have experienced them, Xiongmai is not afraid to experience them once, too."

Sure thing.

Fast forward several years, and you'll be shocked to learn that really nothing has changed at the company in terms of ensuring its cheap hardware can't be quickly compromised by hackers and thieves. Most of the fatal flaws remain in the company's products, including default login credentials, terrible GUIs that fail to show what the device is doing online, intentional backdoors, and pretty basic design flaws like the failure to prompt a password change during setup.

Worse, because XiongMai Technologies is a "white label vendor" whose hardware is often repackaged and resold under a universe of different brands, it's impossible for many to know if they even own these substandard products, notes activist and author Cory Doctorow:

"Xiongmai is a white-label vendor whose products are sold under hundreds of brand-names, making it nearly impossible to tell whether you are about to buy (or already own) one of their defective products...The most reliable way to determine if you own a Xiongmai product is to see if its control systems mention "XMEye." But even if you ditch your Xiongmai product, it's clear that the whole industry is a cesspool of flaming garbage devices, and there's probably not an alternative you can trust."

Of course Xiongmai is just one of several, similar Chinese IOT hardware vendors that pretty clearly couldn't give less of a shit about user privacy and security, or the fact these devices directly impact the health of the internet. SEC Consult has been not only issuing advisories surrounding Xiongmai and its universe of offshoot products, but also about a myriad of other, similarly-unaccountable hardware vendors like Shenzhen Gwelltimes Technology Co. All told we're talking about more than 9 million DVRs and cameras currently in use protected with the security equivalent of wet cardboard.

As security experts like Bruce Schneier keep pointing out, we're basically begging for a massive dumpster fire that could have dramatic and potentially even fatal repercussions. And the solution isn't just one thing or another, it's going to require a concerted, cross-sector collaborative effort that starts with integrating security and privacy warnings into product reviews, and naming and shaming vendors that pretty clearly don't think even the barest bones privacy and security standards are worth the time or money it takes to develop them.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: botnet, china, cybersecurity, dyn, iot

11 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Anonymous Coward, 26 Oct 2018 @ 2:01pm

The best way to tell if you own a Xiongmai device...
... is to test how quickly you can own the suspected device. ;)
[ link to this | view in chronology ]
Phoenix84 (profile), 26 Oct 2018 @ 2:08pm

Which is it?
Come on now, which is it: wet cardboard, or a dumpster fire? It can't be both.
/s
[ link to this | view in chronology ]
- Anonymous Coward, 26 Oct 2018 @ 2:47pm
  
  Re: Which is it?
  You can't secure a dumpster fire....
  
  You can secure wet cardboard though. Just throw it into a dumpster fire.
  [ link to this | view in chronology ]
- Anonymous Coward, 26 Oct 2018 @ 6:20pm
  
  Re: Which is it?
  It's a time line.
  
  We had wet cardboard, but it was only wet from being soaked is gasoline.
  
  Now it's a dumpster fire.
  [ link to this | view in chronology ]
Anonymous Coward, 26 Oct 2018 @ 8:34pm

"really nothing has changed at the company"

Duh. It's a Chinese company and they're out of reach for any legal means. There's literally hundreds of rebranding operations going on that simply filters cheap knock-off and off brand Chinese goods flooding not just the US but Europe and the rest of the world. Block one, and five more step up to make a quick buck and disappear the next day. The only way to stop this is either for a societal change - people stop buying this junk en mass, or to cut off ties with China. It's not going to stop otherwise. These companies are subsidized by their own government. Effectively government owned companies who's entire point is to wage economic warfare by dumping cheap knockoffs in another country's markets.
[ link to this | view in chronology ]
Anonymous Coward, 26 Oct 2018 @ 9:28pm

This is one of the few problems where import control would actually work if implemented well.

Government owned/funded inspection lab would routinely check common appliances found in the market. If it discovers you product is shit? They levy penalties up to total import ban, depending on severity of the vulnerability (=was it obviously deliberate) and your willingness to correct it.

Like poison can't be sold as food, dumpster fires shouldn't be sold as electronics.
[ link to this | view in chronology ]
Jeffrey Nonken (profile), 27 Oct 2018 @ 1:48am

Eh. As long as we don't use Huawei, the internet is safe.
[ link to this | view in chronology ]
Anonymous Coward, 27 Oct 2018 @ 2:54pm

Hasn't America had enough of chinese crap? You fucking traitors out there and you know who you are should be all hung for sending American ideas out to our enemies to mass produce crap.
[ link to this | view in chronology ]
- Thad (profile), 29 Oct 2018 @ 10:34am
  
  Re:
  
  should be all hung
  
  I assure you, I am.
  [ link to this | view in chronology ]
- Wendy Cockcroft, 7 Nov 2018 @ 5:55am
  
  Re:
  Eh, it'd be simpler to stop choosing to buy stuff from China just because it's cheap. That's your job as an individual.
  [ link to this | view in chronology ]
Anonymous Coward, 29 Oct 2018 @ 8:38am

Not hardware problems
All the problems you list are software problems, not hardware ones. And I don't mean this in a pedantic way—it may well be the root of the issue. These companies think their products are hardware, and happen to develop a bit of software as an afterthought.
[ link to this | view in chronology ]