Recalls May Become The Norm For IoT Devices If Security Doesn’t Improve Significantly


Hangzhou Xiongmai, a Chinese company that sells components for surveillance cameras and other gadgets in the U.S., issued a recall for its devices. The company’s cameras were found to be part of the large botnet that engaged in a massive DDoS attack against Dyn’s DNS service on Friday, which made many major websites, including Twitter, Reddit, and CNN, inaccessible to users.

Disrupting A DNS Service

A DNS service is like a phone book for the Internet: it ties server IP addresses to domain names that humans can remember more easily. When a DDoS attack disrupts a website's DNS service, users can no longer be directed (behind the scenes) to the server’s IP address, so they lose the ability to access the website.

That’s how countries (such as Turkey) have censored websites in the past, and it's also how a botnet disrupted access to major U.S. websites on Friday.

As suspected earlier, IoT devices such as cameras and DVRs seem to have powered the botnet. These devices can be accessed remotely through telnet, and they tend to have default passwords. Hackers can gain access with the default passwords and then infect the device.

Xiongmai, Maker Of Vulnerable IoT Device Components

According to Flashpoint Intel, the Xiongmai Technologies web security firm located in Hangzhou, China, is the primary manufacturer of the IoT devices used in the attack. The company sells digital video recorders (DVRs), network video recorders (NVRs), and IP camera boards and software licenses to other manufacturers, who then make the cameras and other IoT devices.

Flashpoint said that over half a million of the devices participating in the DDoS attack had Xiongmai components that used a default username and password (root and xc3511).
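
A manufacturer-side check for the condition Flashpoint describes, a login credential that is identical on every unit because it ships inside the firmware image. This is an added example, not code from the article or from Xiongmai; it assumes the image uses standard /etc/passwd and /etc/shadow files, and the sample entries, placeholder hashes and function name are constructed for illustration.

```python
"""Build gate: flag login accounts whose password is baked into a firmware image."""

LOCKED = ("*", "!")  # password-field prefixes that disable password login
NOLOGIN = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

# Constructed sample of an embedded-Linux /etc/passwd (hashes are placeholders).
SAMPLE_PASSWD = """\
root:PLACEHOLDERHASH00:0:0:root:/:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/bin/false
admin::1000:1000:admin:/home/admin:/bin/sh
ftp:!:14:50:ftp:/var/ftp:/sbin/nologin
# build note
svc:x:1001:1001:service:/:/bin/sh
"""
# Constructed /etc/shadow for the entry above that defers to it with "x".
SAMPLE_SHADOW = "svc:PLACEHOLDERHASH01:17000:0:99999:7:::\n"


def audit_image_accounts(passwd_text, shadow_text=""):
    """Return (user, finding) pairs for accounts that can log in with a
    password fixed at build time, which is therefore shared by every unit."""
    shadow = {}
    for line in shadow_text.splitlines():
        parts = line.strip().split(":")
        if len(parts) >= 2 and not parts[0].startswith("#"):
            shadow[parts[0]] = parts[1]
    findings = []
    for line in passwd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((fields[0], "malformed entry"))
            continue
        user, pw, uid, shell = fields[0], fields[1], fields[2], fields[6]
        if pw == "x":                      # real hash lives in shadow
            pw = shadow.get(user, "*")     # no shadow entry: cannot log in
        if shell in NOLOGIN:
            continue
        if pw == "":
            findings.append((user, "empty password"))
        elif not pw.startswith(LOCKED):
            kind = "static root password" if uid == "0" else "static password"
            findings.append((user, kind))
    return findings


if __name__ == "__main__":
    for user, finding in audit_image_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{user}: {finding}")
```

A build that returns any finding would be held until the account is locked or replaced by a per-device credential set at provisioning or first boot.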

According to a more recent report, Xiongmai began issuing a recall in the U.S. for devices using the vulnerable components. It’s not clear whether the recall was the result of pressure from the U.S. government, or whether Xiongmai took it upon itself to recall so many devices. We’ve asked the company for clarification and an official statement.

Recall As Potential Precedent

Xiongmai’s recall may be the first of its kind that was spurred by IoT devices participating in botnets, and it may even set a precedent for responses to future attacks. Many experts have been warning about an impending IoT security catastrophe due to how insecure and unsupported most of the devices are.

The vulnerabilities are due to manufacturers trying to sell IoT devices as cheaply as possible. However, if governments force the companies to recall products that are part of botnets every time an attack happens, then they may quickly change their thinking about how “cheap” it really is to skip securing the devices properly by default, or to leave them without updates. They may find that recalls are much more expensive in the end.

The recall solution, which serves as a way to keep companies liable for irresponsible design and manufacturing, is already commonplace in the automobile industry. Although not perfect, it seems to have worked quite well, so it may be something for regulators to consider.

Forced recalls aren’t a rule yet, so it remains to be seen if other IoT manufacturers will start to take notice of what happened and significantly improve their products’ security before governments get a chance to act and impose stricter certification regulations. If the U.S. government pressured Xiongmai to recall its products, then it may use its power again if it finds another company’s products used in a massive DDoS attack.

That's all the more reason for IoT manufacturers to act sooner rather than later and design their products with security in mind from the beginning. Bolstered security would avoid recall situations, and it would make the products cheaper to maintain in the future, because fewer updates would be needed if security is already solid.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • blazorthon
    Securing devices like these from such botnet usage shouldn't be difficult. You can do something as simple as having a hardware switch to control write access to what the devices can connect to and then they can no longer connect to web services they aren't supposed to connect to. If there's a hardware inability to connect to Dyn DNS, then you can't disrupt their services even if someone gets into the devices!

    Or you could, ya know, change the password from the default. At least make the hackers have to exploit one of the infinite vulnerabilities that are sure to be there to get access and control. Tell your customers that they need to change the passwords of products they buy before the products can be used. You can even go as far on DVRs and the like to have a randomized password that is printed on a sticker on the side like some routers have. At least then physical access is needed to get the password.
  • Jeff Fx
    18774092 said:
    Securing devices like these from such botnet usage shouldn't be difficult. You can do something as simple as having a hardware switch to control write access to what the devices can connect to and then they can no longer connect to web services they aren't supposed to connect to. If there's a hardware inability to connect to Dyn DNS, then you can't disrupt their services even if someone gets into the devices!

    Or you could, ya know, change the password from the default. At least make the hackers have to exploit one of the infinite vulnerabilities that are sure to be there to get access and control. Tell your customers that they need to change the passwords of products they buy before the products can be used. You can even go as far on DVRs and the like to have a randomized password that is printed on a sticker on the side like some routers have. At least then physical access is needed to get the password.

    The problem is that companies are financially rewarded for getting a product out the door before their competitors, and there's no penalty for producing dangerously insecure devices. All they care about is that things work well enough to not be returned.
  • problematiq
    18774092 said:
    Securing devices like these from such botnet usage shouldn't be difficult. You can do something as simple as having a hardware switch to control write access to what the devices can connect to and then they can no longer connect to web services they aren't supposed to connect to. If there's a hardware inability to connect to Dyn DNS, then you can't disrupt their services even if someone gets into the devices!

    Or you could, ya know, change the password from the default. At least make the hackers have to exploit one of the infinite vulnerabilities that are sure to be there to get access and control. Tell your customers that they need to change the passwords of products they buy before the products can be used. You can even go as far on DVRs and the like to have a randomized password that is printed on a sticker on the side like some routers have. At least then physical access is needed to get the password.

    A problem is not that there is not a fix, there is. A simple firmware update fixes the vulnerability. The real problem is that no one is going to update the firmware of their cameras, they just don't care. This problem will stay till the cameras are phased out in a 7-15 year timeline.

    You are correct, with little effort they could mitigate these problems before selling them.

    Also these are "usually" hardcoded passwords on the OS of the camera, there is no way of changing them without updating the firmware.

    The only semi-practical fix would be on the network level.

    Edit: Additional info.
  • termathor
    I think the US gov is probably the only one to realise how IoT is gonna be a gigantic lens for any kiddie attack onto internet components if nothing is done to regulate this market security.

    Pending regulation, as we've seen over the last 5+ years, manufacturers JUST. DON'T. CARE. It's Somebody Else's Problem!
    And they've addressed it, so far, just like that, upon discovery of the really awful snafu:
    - issue a statement "we take our users security seriously, blah, blah"
    - come up with a half baked new FW, addressing only the most easily exploitable flaw

    With big money spent for each snafu, this may change.