Webcams involved in Dyn DDoS attack recalled | TechCrunch

https://techcrunch.com/2016/10/24/webcams-involved-in-dyn-ddos-attack-recalled/?sr_share=facebook

Some IoT devices with bad security have been recalled. It is a good start toward making the Internet safer.

Related postings:
Blame the Internet of Things for Destroying the Internet Today | Motherboard

Why Today’s Attacks on the Internet Are Just the Start – The Daily Beast

Today’s Brutal DDoS Attack Is the Beginning of a Bleak Future

IoT used for censorship and more

14 Comments

  1. Tomi Engdahl says:

    Reuters:
    In wake of botnet DDoS attack on DynDNS, Hangzhou Xiongmai issues US recall of webcam models that had easy-to-guess default passwords — Chinese firm Hangzhou Xiongmai Technology Co Ltd said it will recall some of its products sold in the United States after it was identified by security researchers …

    China electronics firm to recall some U.S. products after hacking attack
    http://www.reuters.com/article/us-cyber-attacks-manufacturers-idUSKCN12O0MS

    Chinese firm Hangzhou Xiongmai Technology Co Ltd said it will recall some of its products sold in the United States after it was identified by security researchers as having made parts for devices that were targeted in a major hacking attack on Friday.

    Hackers unleashed a complex attack on the Internet through common devices like webcams and digital recorders, and cut access to some of the world’s best known websites in a stunning breach of global internet stability.

    strengthen password functions and send users a patch for products made before April last year.

    It said the biggest issue was users not changing default passwords, adding that, overall, its products were well protected from cyber security breaches.

  2. Tomi Engdahl says:

    That massive internet outage, explained
    https://www.cnet.com/how-to/what-is-a-ddos-attack/

    What even happened on Friday? Your favorite websites were down, and it was all because one company got attacked. Here’s how it happened, and why it’s likely to happen again.

    Why Friday’s Massive Internet Outage Was So Scary
    Hackers have turned our cheap electronic devices against us. And at this rate, it’s only going to get worse.
    https://newrepublic.com/article/138084/fridays-massive-internet-outage-sc

  3. Tomi Engdahl says:

    Mirai Botnets Used for DDoS Attacks on Dyn
    http://www.securityweek.com/mirai-botnets-used-ddos-attacks-dyn

    Experts determined that the distributed denial-of-service (DDoS) attacks launched last week against Dyn’s DNS infrastructure were powered by Internet of Things (IoT) devices infected with the malware known as Mirai.

    The first attack started on Friday at 7 am ET and it took the DNS provider roughly two hours to mitigate it. During this time, users directed to the company’s DNS servers on the east coast of the U.S. were unable to access several major websites, including Twitter, Reddit, GitHub, Etsy, Netflix, PagerDuty, Airbnb, Spotify, Intercom and Heroku.

    A few hours later, a second, more global attack led to some users having difficulties in accessing the websites of Dyn customers. This second attack was mitigated within an hour. A third attack attempt was also detected, but it was mitigated before impacting users.

    Dyn Chief Strategy Officer Kyle York pointed out in a blog post that the company “did not experience a system-wide outage at any time.”

    Akamai and Flashpoint have confirmed that the attacks leveraged Mirai botnets and Dyn said it had observed tens of millions of IPs involved in the incident.

  4. Tomi Engdahl says:

    Webcams used to attack Reddit and Twitter recalled
    http://www.bbc.com/news/technology-37750798

    Home webcams that were hijacked to help knock popular websites offline last week are being recalled in the US.

    Chinese electronics firm Hangzhou Xiongmai issued the recall soon after its cameras were identified as aiding the massive web attacks.

    They made access to popular websites, such as Reddit, Twitter, Spotify and many other sites, intermittent.

    Security experts said easy-to-guess default passwords, used on Xiongmai webcams, aided the hijacking.

    The web attack enrolled thousands of devices that make up the internet of things – smart devices used to oversee homes and which can be controlled remotely.

    In a statement, Hangzhou Xiongmai said hackers were able to take over the cameras because users had not changed the devices’ default passwords.

    Xiongmai rejected suggestions that its webcams made up the bulk of the devices used in the attacks.

    “Security issues are a problem facing all mankind,” it said. “Since industry giants have experienced them, Xiongmai is not afraid to experience them once, too.”

    It has also pledged to improve the way it uses passwords on its products and will send customers a software patch to harden devices against attack.

    Could this happen again?

    Yes, and it probably will. The smart devices making up the IoT are proving very popular with the malicious hackers who make their living by selling attack services or extorting cash by threatening firms with devastating attacks.

    Before the rise of the IoT it was tricky to set up a network of hijacked machines as most would be PCs that, generally, are more secure. Running such a network is hard and often machines had to be rented for a few hours just to carry out attacks. Now anyone can scan the net for vulnerable cameras, DVRs and other gadgets, take them over and start bombarding targets whenever they want.

    Why should I care if my webcam is hijacked?

    For the same reason you would care if your car was stolen and used by bank robbers as a getaway vehicle.

    And because if your webcam, printer or DVR is hijacked you have, in effect, allowed a stranger to enter your home. Hackers are likely to start using these gadgets to spy on you and scoop up valuable data. It’s worth taking steps to shut out the intruders.

    Can the IoT-based attacks be stopped?

    Not easily. Many of the devices being targeted are hard to update and the passwords on some, according to one report, are hard-coded which means they cannot be changed.

    There is also the difficulty of identifying whether you are using a vulnerable product. A lot of IoT devices are built from components sourced from lots of different places. Finding out what software is running on them can be frustrating.

    Also, even if recalls and updates are massively successful there will still be plenty of unpatched devices available for malicious hackers to use. Some manufacturers of cheaper devices have refused to issue updates meaning there is a ready population of vulnerable gadgets available.

    Why are these devices so poorly protected?

    Because security costs money and electronics firms want to make their IoT device as cheap as possible. Paying developers to write secure code might mean a gadget is late to market and is more expensive. Plus enforcing good security on these devices can make them harder to use – again that might hit sales.

    Who was behind the massive web attacks?

    Right now, we don’t know. Some hacker groups have claimed responsibility but none of their claims are credible.

  5. Tomi Engdahl says:

    First Mea Culpa for Dyn hack as webcam manufacturer issues recall
    The one who smelted it, dealt it
    http://www.theinquirer.net/inquirer/news/2475142/first-mea-culpa-for-dyn-hack-as-webcam-manufacturer-issues-recall

    THE FIRST Internet of Things (IoT) devices thought to be responsible for Friday’s giant Mirai DDoS attack on DNS provider Dyn have been recalled by their manufacturer.

    Chinese firm Hangzhou Xiongmai specialises in motherboards for DVRs and IP cameras, both suspected of being part of the giant botnet used in the attack, the firm said in a statement

    “Security issues are a problem facing all mankind,” it said on a Chinese microblog. “Since industry giants have experienced them, Xiongmai is not afraid to experience them once, too.”

    We think that might be a Samsung dig.

    The company is the first to take responsibility for products which may well have allowed many services including Twitter and Spotify to be taken offline at a stroke last Friday.

    The main problems were caused by simple to hack user names and passwords on IoT devices, many of which never get changed from their defaults.

    Xiongmai devices are particularly vulnerable, given that in many cases it doesn’t even offer the tools needed to change username and password. It may be that falling on its sword may prove a brilliant publicity coup for the company, which has promised to improve mechanisms of security on future products.

    At present, it is still not known who was responsible for the attack, which was launched in three waves over a number of hours on Friday.

  6. Tomi Engdahl says:

    Chinese Manufacturer Recalls IOT Gear Following Dyn DDoS
    https://threatpost.com/chinese-manufacturer-recalls-iot-gear-following-dyn-ddos/121496/

    Hangzhou Xiongmai said that it will recall millions of cameras sold in the U.S. in response to Friday’s DDoS attack against DNS provider Dyn that kept a number of web-based services such as Twitter, Github and others offline for much of the day. The Chinese manufacturer sells OEM white-label circuit boards and software for cameras, along with DVRs and network video recorders. Many of these types of IoT devices were compromised by the Mirai malware, which exploits default credentials in the equipment and corrals them into botnets used and sold for DDoS attacks.

    The company said in its statement—translated via Google—that it would recall devices sold earlier and still in use, mainly one million cards used in network cameras, one million cloud network cameras, one million panoramic network cameras and 1.3 million network cameras. It believes only devices sold before April 2015 that have not been updated, are only protected by default credentials and are exposed to the public Internet are vulnerable. “(If) any of the above conditions are not met, Mai Xiong equipment cannot be attacked or manipulated so this attack had little impact on the actual use of male Mai device,” the company said in its statement.

    Level 3 Communications, a Colorado-based telecommunications company and ISP said the bulk of the traffic used in the DDoS attack was UDP/53 and TCP/53 with the TCP traffic consisting of TCP DNS SYN attacks, while the UDP traffic was subdomain, or prefix label attacks.

    Mirai could be a long-term menace. The source code for the malware, which was responsible for other massive DDoS attacks against Krebs on Security and French webhost OVH

  7. Tomi Engdahl says:

    Chinese Company Recalls Millions of IoT Devices After DYN Attack
    https://www.tripwire.com/state-of-security/latest-security-news/chinese-company-recalls-millions-iot-devices-dyn-attack/

    A Chinese technology company has recalled millions of Internet of Things (IoT) devices following a digital attack against the Internet performance management company DYN.

    As quoted by KrebsonSecurity.com, Dyn had this to say:

    Flashpoint told Brian Krebs that a specific set of credentials scanned for by Mirai bots – username: root and password: xc3511 – is hardcoded into the device firmware of a number of IoT devices produced by a Chinese company called XiongMai Technologies, meaning someone can’t change an affected device’s username or password via a web admin panel.

    Perhaps in recognition of that fact, XiongMai Technologies issued a recall of millions of its network cameras and other devices on 24 October.

    In a statement, the Chinese company says three conditions must all be met for hackers to obtain access to the products:

    The devices must predate April 2015 when XiongMai Technologies instituted a new firmware upgrade program.
    The default login credentials must still be activated on those products.
    A public network must directly expose itself to the devices without the use of a firewall.

    XiongMai Technologies says hackers can’t abuse its products absent any one of those criteria.

    IoT Device Maker Vows Product Recall, Legal Action Against Western Accusers
    https://krebsonsecurity.com/2016/10/iot-device-maker-vows-product-recall-legal-action-against-western-accusers/

    A Chinese electronics firm pegged by experts as responsible for making many of the components leveraged in last week’s massive attack that disrupted Twitter and dozens of popular Web sites has vowed to recall some of its vulnerable products, even as it threatened legal action against this publication and others for allegedly tarnishing the company’s brand.

    Last week’s attack on online infrastructure provider Dyn was launched at least in part by Mirai, a now open-source malware strain that scans the Internet for routers, cameras, digital video recorders and other Internet of Things “IoT” devices protected only by the factory-default passwords. Once infected with Mirai, the IoT systems can be used to flood a target with so much junk Web traffic that the target site can no longer accommodate legitimate users or visitors.

    In an interim report on the attack, Dyn said: “We can confirm, with the help of analysis from Flashpoint and Akamai, that one source of the traffic for the attacks were devices infected by the Mirai botnet. We observed 10s of millions of discrete IP addresses associated with the Mirai botnet that were part of the attack.”

    default passwords sought by machines infected with Mirai — username: root and password: xc3511 — is embedded in a broad array of white-labeled DVR and IP camera electronics boards made by a Chinese company called XiongMai Technologies. These components are sold downstream to vendors who then use them in their own products.

    The scary part about IoT products that include XiongMai’s various electronics components, Flashpoint found, was that while users could change the default credentials in the devices’ Web-based administration panel, the password is hardcoded into the device firmware and the tools needed to disable it aren’t present.

    In a statement issued on social media Monday, XiongMai (referring to itself as “XM”) said it would be issuing a recall on millions of devices — mainly network cameras.

    Brian Karas, a business analyst with IPVM — a subscription-based news, testing and training site for the video surveillance industry which first reported the news of potential litigation by XM — said that over the past five years China’s market share in the video surveillance industry has surged, due to the efforts of companies like XiongMai and Dahua to expand globally, and from the growth of government-controlled security company Hikvision.

  8. Tomi Engdahl says:

    Device Makers Face Legal Trouble Over Internet of Things Attack
    http://fortune.com/2016/10/25/dyn-lawsuits/

    The legal test looks at consumer harms.

    Who should be held responsible for last week’s security breach that took out parts of the Internet?

    That question is becoming more pressing as regulators and the public begin to grasp the implication of the first major “Internet of things” attack, in which hackers hijacked millions of everyday devices such as security cameras and printers, and cut off access to major websites like Amazon and Twitter for hours at a time.

    Increasingly, the security community is focusing on the role of the device makers, whose products contained a major security flaw. Namely, the companies did not require consumers to change a default password, which is what made it so easy for hackers to conscript so many Internet-connected devices into the botnet army that carried out last week’s attack.

    Some of the companies, which include little-known Chinese manufacturers but also familiar names like Panasonic and Xerox, have begun a recall of the devices. But for now, many of their products remain out in the wild with their software “unpatched.” That means they remain compromised. Worse, hackers have released the source code to control the botnet army, meaning future attacks using devices of this nature are all but certain.

    This raises the question of whether the device makers should be held legally responsible. Even though they had no role in directing last week’s attack on the Internet, such an attack was not hard to foresee—especially since there have been reports of compromised cameras, and other Internet-enabled devices, for years.

    According to Michael Zweiback, an attorney with Alston & Bird and a former cyber-crime prosecutor, legal action is most likely to come in the form of lawsuits, and investigations by the Federal Trade Commission and state attorneys general.

    A harder question is whether U.S. consumers who purchased the compromised devices, which also include network routers and baby monitors, can bring lawsuits of their own.

    While class action lawyers may be watching the situation closely, a legal victory would be no sure thing. Even though the companies appear to have been negligent by failing to introduce tougher password protection, consumers would still have to show they were harmed. And right now the test for showing harm is unclear.

    The situation is different for Dyn, the Internet service company that was the direct target of last week’s attack by the millions of compromised devices, since the firm had to directly absorb the cost of the attack.

  9. Tomi Engdahl says:

    Chinese tech giant recalls webcams used in Dyn cyberattack
    http://www.zdnet.com/article/chinese-tech-giant-recalls-webcams-used-in-dyn-cyberattack/

    A number of the company’s US-sold products were used in the attack, which prevented millions of users from accessing dozens of high-profile websites.

    A Chinese manufacturer of internet-connected surveillance cameras has recalled a number of its products said to have been used in Friday’s cyberattack.

    The three-wave attack against Dyn, a managed domain name system provider, lasted almost all day, leaving millions on the US east coast unable to access dozens of high-profile websites.

    In a statement, Xiongmai said hackers were able to hijack hundreds of thousands of its devices into a botnet because users had not changed the devices’ default passwords.

    The botnet then flooded Dyn’s servers with traffic, which led to its systems overloading and failing. Websites that relied on Dyn’s managed domain name system, including Reddit, Spotify, and Twitter, appeared offline.

    But the company rejected claims that its devices made up the bulk of the attack.

    “Security issues are a problem facing all mankind,” the statement said. “Since industry giants have experienced them, Xiongmai is not afraid to experience them once, too.”

    The company confirmed that it will recall some of its older products sold in the US made before April 2015 in an effort to improve its password functionality.

  10. Tomi Engdahl says:

    Chinese Company Recalls Cameras, DVRs Used In Last Week’s Massive DDoS Attack
    https://www.techdirt.com/articles/20161024/08552535872/chinese-company-recalls-cameras-dvrs-used-last-weeks-massive-ddos-attack.shtml

    For some time now, security researchers have been warning that our lackadaisical approach to Internet of Things security would soon be coming home to roost. Initially it was kind of funny to read how “smart” fridges, tea kettles and Barbie dolls did an arguably worse job than their dumb counterparts with a greater risk to privacy and security. But as we collectively realized that these devices not only created millions of new home and business attack vectors, but could also be used to wage historically-unprecedented DDoS attacks, things quickly became less amusing.

    Last week, the theoretical became very real with the massive attack on DNS provider DYN, which knocked a swath of companies and services off the internet for a large portion of Friday.

    Mirai botnet malware recently released to make compromising and harnessing such devices easier than ever. But the group also notes that targeted devices included everything from cameras to… your cable DVR

    Brian Krebs notes that the lion’s share of these devices were manufactured by a Chinese company named XiongMai Technologies, which almost instantly found a huge swath of its product line contributing to the attack

    For what it’s worth, XiongMai was quick to issue a statement announcing that it would be recalling some of its products (mostly webcams), while strengthening password functions (Mirai often depends on default usernames and passwords) and sending users a patch for products made before April of last year.

    And while that’s all well and good, that’s just one company. There are dozens upon dozens of companies and “IoT evangelists” that refuse to acknowledge that they put hype and personal profit ahead of security, by proxy putting the entire internet at risk. Not only do most of these devices lack even the most fundamental security, they usually provide no functionality to help users determine if they’re generating traffic or participating in attacks. And these devices are often sitting behind consumer-grade routers on the network that have equally flimsy security while using default username and password combinations.

  11. Tomi Engdahl says:

    Map shows which states have more unprotected cams
    https://www.hackread.com/firm-recall-webcams-after-dyn-ddos-attack/

    Remember, it was the Mirai botnet that played a vital role in the DDoS attack on Dyn servers. The fact that Mirai’s developer leaked its source code online also played a vital role in the rapid increase of this botnet. Last month, the same botnet was used for conducting the Internet’s largest ever DDoS attack of 1 Tbps on OVH hostings as well as the 665 Gbps attack on Brian Krebs’ blog by hacking over 145,000 webcams.

    If you own a security camera or any IoT device HackRead urges you to change their default login credentials now to avoid getting your device compromised and used in further DDoS attacks.

  12. Tomi Engdahl says:

    China’s Xiongmai to recall up to 10,000 webcams after hack
    http://www.reuters.com/article/us-cyber-attacks-china-idUSKCN12P1TT

    Up to 10,000 webcams will be recalled in the aftermath of a cyber attack that blocked access last week to some of the world’s biggest websites, Chinese manufacturer Hangzhou Xiongmai Technology Co told Reuters on Tuesday.

    In Washington, a member of the U.S. Senate Intelligence committee asked three federal agencies what steps the government can take to prevent cyber criminals from compromising electronic devices.

    In a new type of attack last Friday, hackers harnessed hundreds of thousands of webcams and other connected devices globally to flood U.S.-based internet infrastructure provider Dyn with so much traffic that it could not cope, cutting access to websites including PayPal, Spotify and Twitter.

    Hangzhou Xiongmai said it would recall some surveillance cameras sold in the United States after researchers identified they had been targeted in the attack.

  13. Tomi Engdahl says:

    Beijing threatens legal action over webcam claims
    http://www.bbc.com/news/technology-37761868

    The Chinese Ministry of Justice has threatened legal action against “organisations and individuals” making “false claims” about the security of Chinese-made devices.

    It follows a product recall from the Chinese electronics firm Hangzhou after its web cameras were used in a massive web attack last week.

    The attack knocked out sites such as Reddit, Twitter, Paypal and Spotify.

    The Chinese government blamed customers for not changing their passwords.

    Its legal warning was added to an online statement from the company Xiongmai, in which the firm said that it would recall products, mainly webcams, following the attack but denied that its devices made up the majority of the botnet used to launch it.

    The cyber attack hit Dyn, a firm which matches IP addresses to web addresses to allow users to find sites online, on 21 October.

    Afterwards, it became clear that it was made possible via a botnet made up of insecure “smart” devices, which had been taken over remotely and enlisted to bombard Dyn with data, knocking offline the sites it manages.

    Krebs pointed out that it was difficult for users to change the default passwords on devices.

    “Products from Xiongmai and other makers of inexpensive, mass-produced ‘internet of things’ devices are essentially unfixable,” he said, “and will remain a danger to others unless and until they are completely unplugged from the internet.”

    Video surveillance equipment expert Brian Karas said he did not believe the Chinese government would follow through on its legal threats.

    “We believe Xiongmai has issued this announcement as a PR effort within China, to help counter criticisms they are facing,” he said.

  14. Tomi Engdahl says:

    Botnet Recall of Things
    http://hackaday.com/2016/10/26/botnet-recall-of-things/

    After a tough summer of botnet attacks by Internet-of-Things things came to a head last week and took down many popular websites for folks in the eastern US, more attention has finally been paid to what to do about this mess. We’ve wracked our brains, and the best we can come up with is that it’s the manufacturers’ responsibility to secure their devices.

    Chinese DVR manufacturer Xiongmai, predictably, thinks that the end-user is to blame, but is also consenting to a recall of up to 300 million of their pre-2015 vintage cameras — the ones with hard-coded factory default passwords.

    Xiongmai’s claim is that their devices were never meant to be exposed to the real Internet, but rather were designed to be used exclusively behind firewalls. That’s apparently the reason for the firmware-coded administrator passwords. (Sigh!) Anyone actually making their Internet of Things thing reachable from the broader network is, according to Xiongmai, being irresponsible. They then go on to accuse a tech website of slander, and produce a friendly ruling from a local court supporting this claim.

    Whatever. We understand that Xiongmai has to protect its business, and doesn’t want to admit liability. And in the end, they’re doing the right thing by recalling their devices with hard-coded passwords
