Chinese Hardware That Fueled Massive DYN BotNet Attack Still Poorly Secured Pieces Of Shit
from the interet-of-broken-things dept
Just about two years ago, you might recall that the internet partially imploded after DNS provider Dyn was hit with a historically massive DDOS attack. A major reason for the attack was the Mirai botnet malware, which made creating rampant botnets a pretty trivial affair for anybody with an IQ over 70. The other problem was that Mirai was able to quickly compromise and incorporate millions of internet of things devices as part of the assault thanks to said devices' lack of meaningful privacy and security protections.
That included a large number of DVRs and internet-connected cameras by a Chinese company by the name of XiongMai Technologies, which stated it would be recalling many of the devices after issuing a statement in rather broken English that didn't really make much sense:
"Security issues are a problem facing all mankind. Since industry giants have experienced them, Xiongmai is not afraid to experience them once, too."
Sure thing.
Fast forward several years, and you'll be shocked to learn that really nothing has changed at the company in terms of ensuring its cheap hardware can't be quickly compromised by hackers and thieves. Most of the fatal flaws remain in the company's products, including default login credentials, terrible GUIs that fail to show what the device is doing online, intentional backdoors, and pretty basic design flaws like the failure to prompt a password change during setup.
Worse, because XiongMai Technologies is a "white label vendor" whose hardware is often repackaged and resold under a universe of different brands, it's impossible for many to know if they even own these substandard products, notes activist and author Cory Doctorow:
"Xiongmai is a white-label vendor whose products are sold under hundreds of brand-names, making it nearly impossible to tell whether you are about to buy (or already own) one of their defective products...The most reliable way to determine if you own a Xiongmai product is to see if its control systems mention "XMEye." But even if you ditch your Xiongmai product, it's clear that the whole industry is a cesspool of flaming garbage devices, and there's probably not an alternative you can trust."
Of course Xiongmai is just one of several, similar Chinese IOT hardware vendors that pretty clearly couldn't give less of a shit about user privacy and security, or the fact these devices directly impact the health of the internet. SEC Consult has been not only issuing advisories surrounding Xiongmai and its universe of offshoot products, but also about a myriad of other, similarly-unaccountable hardware vendors like Shenzhen Gwelltimes Technology Co. All told we're talking about more than 9 million DVRs and cameras currently in use protected with the security equivalent of wet cardboard.
As security experts like Bruce Schneier keep pointing out, we're basically begging for a massive dumpster fire that could have dramatic and potentially even fatal repercussions. And the solution isn't just one thing or another, it's going to require a concerted, cross-sector collaborative effort that starts with integrating security and privacy warnings into product reviews, and naming and shaming vendors that pretty clearly don't think even the barest bones privacy and security standards are worth the time or money it takes to develop them.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: botnet, china, cybersecurity, dyn, iot
Reader Comments
Subscribe: RSS
View by: Time | Thread
The best way to tell if you own a Xiongmai device...
... is to test how quickly you can own the suspected device. ;)
[ link to this | view in thread ]
Which is it?
/s
[ link to this | view in thread ]
Re: Which is it?
You can secure wet cardboard though. Just throw it into a dumpster fire.
[ link to this | view in thread ]
Re: Which is it?
We had wet cardboard, but it was only wet from being soaked is gasoline.
Now it's a dumpster fire.
[ link to this | view in thread ]
Duh. It's a Chinese company and they're out of reach for any legal means. There's literally hundreds of rebranding operations going on that simply filters cheap knock-off and off brand Chinese goods flooding not just the US but Europe and the rest of the world. Block one, and five more step up to make a quick buck and disappear the next day. The only way to stop this is either for a societal change - people stop buying this junk en mass, or to cut off ties with China. It's not going to stop otherwise. These companies are subsidized by their own government. Effectively government owned companies who's entire point is to wage economic warfare by dumping cheap knockoffs in another country's markets.
[ link to this | view in thread ]
Government owned/funded inspection lab would routinely check common appliances found in the market. If it discovers you product is shit? They levy penalties up to total import ban, depending on severity of the vulnerability (=was it obviously deliberate) and your willingness to correct it.
Like poison can't be sold as food, dumpster fires shouldn't be sold as electronics.
[ link to this | view in thread ]
[ link to this | view in thread ]
[ link to this | view in thread ]
Not hardware problems
[ link to this | view in thread ]
Re:
I assure you, I am.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]