China electronics maker will recall some devices sold in U.S. after massive IoT hack

A China-based maker of surveillance cameras said Monday it will recall some products sold in the United States after a massive "Internet of Things" malware attack took down a major DNS provider in a DDoS attack. The stunningly broad attack brought much internet activity to a halt last Friday.

Hangzhou Xiongmai Technology Co Ltd. of Shenzhen today said it plans to recall some products sold in the United States after security researchers identified their devices as the target of Friday's attack. Vulnerable webcams are the focus of the recall.

The electronics components firm also said it would strengthen password functions and offer a patch for all products manufactured before April 2015.

From Reuters:

It said the biggest issue was users not changing default passwords, adding that, overall, its products were well protected from cyber security breaches. It said reports that its products made up the bulk of those targeted in the attack were false.

"Security issues are a problem facing all mankind. Since industry giants have experienced them, Xiongmai is not afraid to experience them once, too," the company statement said.

A depiction of the outages caused by today's attacks on Dyn, an Internet infrastructure company. Source: downdetector.com


The malware that brought down so many sites on Friday was linked to the Linux/Mirai ELF trojan.

The security firm Flashpoint was first to identify Friday's attack as having been launched by a Mirai-based botnet.

On Friday, Flashpoint said the DDoS was launched from compromised digital video recorders (DVRs) and IP cameras made by XiongMai Technologies, components that are sold downstream to consumer electronics sellers who use them in their own branded products.

From Brian Krebs' blog post on Friday:

As I noted earlier this month in Europe to Push New Security Rules Amid IoT Mess, many of these products from XiongMai and other makers of inexpensive, mass-produced IoT devices are essentially unfixable, and will remain a danger to others unless and until they are completely unplugged from the Internet.

That's because while many of these devices allow users to change the default usernames and passwords on a Web-based administration panel that ships with the products, those machines can still be reached via more obscure, less user-friendly communications services called "Telnet" and "SSH."

Telnet and SSH are command-line, text-based interfaces that are typically accessed via a command prompt (e.g., in Microsoft Windows, a user could click Start, and in the search box type "cmd.exe" to launch a command prompt, and then type "telnet" to reach a username and password prompt at the target host).

"The issue with these particular devices is that a user cannot feasibly change this password," Flashpoint's Zach Wikholm told KrebsOnSecurity. "The password is hardcoded into the firmware, and the tools necessary to disable it are not present. Even worse, the web interface is not aware that these credentials even exist."
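The practical consequence of the hardcoded Telnet credentials described above is that an infected camera or DVR will start probing other hosts on TCP/23 and TCP/2323, which is visible at the network edge even when the device's own web interface shows nothing wrong. The following is an added detection example, not code from the article, Flashpoint or KrebsOnSecurity; the log format is modeled on iptables LOG output, the traffic is constructed, and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines modeled on iptables LOG output (not real traffic):
# a camera at 192.168.1.50 hammers TCP/23 and TCP/2323 on many external hosts
# (Mirai-style propagation), while a workstation makes one legitimate SSH connection.
SAMPLE_LOG = """\
2016-10-21T12:00:01 FORWARD SRC=192.168.1.50 DST=203.0.113.7 PROTO=TCP DPT=23
2016-10-21T12:00:01 FORWARD SRC=192.168.1.50 DST=203.0.113.8 PROTO=TCP DPT=23
2016-10-21T12:00:02 FORWARD SRC=192.168.1.50 DST=198.51.100.9 PROTO=TCP DPT=2323
2016-10-21T12:00:02 FORWARD SRC=192.168.1.50 DST=198.51.100.10 PROTO=TCP DPT=23
2016-10-21T12:00:03 FORWARD SRC=192.168.1.50 DST=203.0.113.11 PROTO=TCP DPT=23
2016-10-21T12:00:03 FORWARD SRC=192.168.1.50 DST=203.0.113.12 PROTO=TCP DPT=2323
2016-10-21T12:00:05 FORWARD SRC=192.168.1.20 DST=203.0.113.50 PROTO=TCP DPT=22
2016-10-21T12:09:00 FORWARD SRC=192.168.1.60 DST=203.0.113.7 PROTO=TCP DPT=23
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) \S+ SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP DPT=(?P<dport>\d+)")
SCAN_PORTS = {23, 2323}  # Telnet and the alternate port Mirai is known to probe

def parse(lines):
    """Yield (timestamp, src, dst, dport) for each TCP log line that matches."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"]))

def find_telnet_scanners(lines, min_targets=5, window_s=60):
    """Return {src: distinct_targets} for hosts that contact at least
    `min_targets` distinct destinations on Telnet ports inside any
    `window_s`-second window (thresholds are assumed, tune per network)."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in parse(lines):
        if dport in SCAN_PORTS:
            by_src[src].append((ts, dst))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            targets = {dst for ts, dst in events[i:] if (ts - t0).total_seconds() <= window_s}
            if len(targets) >= min_targets:
                flagged[src] = max(flagged.get(src, 0), len(targets))
    return flagged

if __name__ == "__main__":
    for src, n in find_telnet_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {n} distinct Telnet targets in one window; isolate and check firmware")
```

A host flagged this way should be pulled off the network regardless of what its web panel reports, since, as Wikholm notes, that panel does not even know the Telnet credentials exist.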