After a tough summer of botnet attacks by Internet-of-Things things came to a head last week and took down many popular websites for folks in the eastern US, more attention has finally been paid to what to do about this mess. We’ve wracked our brains, and the best we can come up with is that it’s the manufacturers’ responsibility to secure their devices.

Chinese DVR manufacturer Xiongmai, predictably, thinks that the end-user is to blame, but is also consenting to a recall of up to 300 million of their pre-2015 vintage cameras — the ones with hard-coded factory default passwords.

Xiongmai’s claim is that their devices were never meant to be exposed to the real Internet, but rather were designed to be used exclusively behind firewalls. That’s apparently the reason for the firmware-coded administrator passwords. (Sigh!) Anyone actually making their Internet of Things thing reachable from the broader network is, according to Xiongmai, being irresponsible. They then go on to accuse a tech website of slander, and produce a friendly ruling from a local court supporting this claim.

Whatever. We understand that Xiongmai has to protect its business, and doesn’t want to admit liability. And in the end, they’re doing the right thing by recalling their devices with hard-coded passwords

The Chinese Ministry of Justice has threatened legal action against “organisations and individuals” making “false claims” about the security of Chinese-made devices.

It follows a product recall from the Chinese electronics firm Hangzhou after its web cameras were used in a massive web attack last week.

The attack knocked out sites such as Reddit, Twitter, Paypal and Spotify.

The Chinese government blamed customers for not changing their passwords.

Its legal warning was added to an online statement from the company Xiongmai, in which the firm said that it would recall products, mainly webcams, following the attack but denied that its devices made up the majority of the botnet used to launch it.

The cyber attack hit Dyn, a firm which matches IP addresses to web addresses to allow users to find sites online, on 21 October.

Afterwards, it became clear that it was made possible via a botnet made up of insecure “smart” devices, which had been taken over remotely and enlisted to bombard Dyn with data, knocking offline the sites it manages.

Krebs pointed out that it was difficult for users to change the default passwords on devices.

“Products from Xiongmai and other makers of inexpensive, mass-produced ‘internet of things’ devices are essentially unfixable,” he said, “and will remain a danger to others unless and until they are completely unplugged from the internet.”

Video surveillance equipment expert Brian Karas said he did not believe the Chinese government would follow through on its legal threats.

“We believe Xiongmai has issued this announcement as a PR effort within China, to help counter criticisms they are facing,” he said.

Up to 10,000 webcams will be recalled in the aftermath of a cyber attack that blocked access last week to some of the world’s biggest websites, Chinese manufacturer Hangzhou Xiongmai Technology Co told Reuters on Tuesday.

In Washington, a member of the U.S. Senate Intelligence committee asked three federal agencies what steps the government can take to prevent cyber criminals from compromising electronic devices.

In a new type of attack last Friday, hackers harnessed hundreds of thousands of webcams and other connected devices globally to flood U.S.-based internet infrastructure provider Dyn with so much traffic that it could not cope, cutting access to websites including PayPal, Spotify and Twitter.

Hangzhou Xiongmai said it would recall some surveillance cameras sold in the United States after researchers identified they had been targeted in the attack.

Remember, it was the Mirai botnet that played a vital role in the DDoS attack on Dyn servers. The fact that Mirai’s developer leaked its source code online also played a vital role in the rapid increase of this botnet. Last month, the same botnet was used for conducting the Internets largest ever DDoS attack of 1 Tbps on OVH hostings as well as the 665 Gbps attack on Brian Krebs blog by hacking over 145,000 webcams.

If you own a security camera or any IoT device HackRead urges you to change their default login credentials now to avoid getting your device compromised and used in further DDoS attacks.

For some time now, security researchers have been warning that our lackadaisical approach to Internet of Things security would soon be coming home to roost. Initially it was kind of funny to read how “smart” fridges, tea kettles and Barbie dolls did an arguably worse job than their dumb counterparts with a greater risk to privacy and security. But as we collectively realized that these devices not only created millions of new home and business attack vectors, but could also be used to wage historically-unprecedented DDoS attacks, things quickly became less amusing.

Last week, the theoretical became very real with the massive attack on DNS provider DYN, which knocked a swath of companies and services off the internet for a large portion of Friday.

Mirai botnet malware recently released to make compromising and harnessing such devices easier than ever. But the group also notes that targeted devices included everything from cameras to… your cable DVR

Brian Krebs notes that the lion’s share of these devices were manufactured by a Chinese company named XiongMai Technologies, which almost instantly found a huge swath of its product line contributing to the attack

For what it’s worth, XiongMai was quick to issue a statement announcing that it would be recalling some of its products (mostly webcams), while strengthening password functions (Mirai often depends on default usernames and passwords) and sending users a patch for products made before April of last year.

And while that’s all well and good, that’s just one company. There are dozens upon dozens of companies and “IoT evangelists” that refuse to acknowledge that they put hype and personal profit ahead of security, by proxy putting the entire internet at risk. Not only do most of these devices lack even the most fundamental security, they usually provide no functionality to help users determine if they’re generating traffic or participating in attacks. And these devices are often sitting behind consumer-grade routers on the network that have equally flimsy security while using default username and password combinations.

A number of the company’s US-sold products were used in the attack, which prevented millions of users from accessing dozens of high-profile websites.

A Chinese manufacturer of internet-connected surveillance cameras has recalled a number of its products said to have been used in Friday’s cyberattack.

The three-wave attack against Dyn, a managed domain name system provider, lasted almost all day, leaving millions on the US east coast unable to access dozens of high-profile websites.

In a statement, Xiongmai said hackers were able to hijack hundreds of thousands of its devices into a botnet because users had not changed the devices’ default passwords.

The botnet then flooded Dyn’s servers with traffic, which led to its systems overloading and failing. Websites that relied on Dyn’s managed domain name system, including Reddit, Spotify, and Twitter, appeared offline.

But the company rejected claims that its devices made up the bulk of the attack.

“Security issues are a problem facing all mankind,” the statement said. “Since industry giants have experienced them, Xiongmai is not afraid to experience them once, too.”

The company confirmed that it will recall some of its older products sold in the US made before April 2015 in an effort to improve its password functionality.

The legal test looks at consumer harms.

Who should be held responsible for last week’s security breach that took out parts of the Internet?

That question is becoming more pressing as regulators and the public begin to grasp the implication of the first major “Internet of things” attack, in which hackers hijacked millions of everyday devices such as security cameras and printers, and cut off access to major websites like Amazon and Twitter for hours at a time.

Increasingly, the security community is focusing on the role of the device makers, whose products contained a major security flaw. Namely, the companies did not require consumers to change a default password, which is what made it so easy for hackers to conscript so many Internet-connected devices into the botnet army that carried out last week’s attack.

Some of the companies, which include little-known Chinese manufacturers but also familiar names like Panasonic and Xerox, have begun a recall of the devices. But for now, many of their products remain out in the wild with their software “unpatched.” That means they remain compromised. Worse, hackers have released the source code to control the botnet army, meaning future attacks using devices of this nature are all but certain.

This raises the question of whether the device makers should be held legally responsible. Even though they had no role in directing last week’s attack on the Internet, such an attack was not hard to foresee—especially since there have been reports of compromised cameras, and other Internet-enabled devices, for years.

According to Michael Zweiback, an attorney with Alston & Bird and a former cyber-crime prosecutor, legal action is most likely to come in the form of lawsuits, and investigations by the Federal Trade Commission and state attorneys general.

A harder question is whether U.S. consumers who purchased the compromised devices, which also include network routers and baby monitors, can bring lawsuits of their own.

While class action lawyers may be watching the situation closely, a legal victory would be no sure thing. Even though the companies appear to have been negligent by failing to introduce tougher password protection, consumers would still have to show they were harmed. And right now the test for showing harm is unclear.

The situation is different for Dyn, the Internet service company that was the direct target of last week’s attack by the millions of compromised devices, since the firm had to directly absorb the cost of the attack.

A Chinese technology company has recalled millions of Internet of Things (IoT) devices following a digital attack against the Internet performance management company DYN.

As quoted by KrebsonSecurity.com, Dyn had this to say:

Flashpoint told Brian Krebs that a specific set of credentials scanned for by Mirai bots – username: root and password: xc3511 – is hardcoded into the device firmware of a number of IoT devices produced by a a Chinese company called XiongMai Technologies, meaning someone can’t change an affected device’s username or password via a web admin panel.

Perhaps in recognition of that fact, XiongMai Technologies issued a recall of millions of its network cameras and other devices on 24 October.

In a statement, the Chinese company says three conditions must all be met for hackers to obtain access to the products:

The devices must predate April 2015 when XiongMai Technologies instituted a new firmware upgrade program.
The default login credentials must still be activated on those products.
A public network must directly expose itself to the devices without the use of a firewall.

XiongMai Technologies says hackers can’t abuse its products absent any one of those criteria.

IoT Device Maker Vows Product Recall, Legal Action Against Western Accusers
https://krebsonsecurity.com/2016/10/iot-device-maker-vows-product-recall-legal-action-against-western-accusers/

A Chinese electronics firm pegged by experts as responsible for making many of the components leveraged in last week’s massive attack that disrupted Twitter and dozens of popular Web sites has vowed to recall some of its vulnerable products, even as it threatened legal action against this publication and others for allegedly tarnishing the company’s brand.

Last week’s attack on online infrastructure provider Dyn was launched at least in part by Mirai, a now open-source malware strain that scans the Internet for routers, cameras, digital video recorders and other Internet of Things “IoT” devices protected only by the factory-default passwords. Once infected with Mirai, the IoT systems can be used to flood a target with so much junk Web traffic that the target site can no longer accommodate legitimate users or visitors.

In an interim report on the attack, Dyn said: “We can confirm, with the help of analysis from Flashpoint and Akamai, that one source of the traffic for the attacks were devices infected by the Mirai botnet. We observed 10s of millions of discrete IP addresses associated with the Mirai botnet that were part of the attack.”

default passwords sought by machines infected with Mirai — username: root and password: xc3511 — is embedded in a broad array of white-labeled DVR and IP camera electronics boards made by a Chinese company called XiongMai Technologies. These components are sold downstream to vendors who then use them in their own products.

The scary part about IoT products that include XiongMai’s various electronics components, Flashpoint found, was that while users could change the default credentials in the devices’ Web-based administration panel, the password is hardcoded into the device firmware and the tools needed to disable it aren’t present.

In a statement issued on social media Monday, XiongMai (referring to itself as “XM”) said it would be issuing a recall on millions of devices — mainly network cameras.

Brian Karas, a business analyst with IPVM — a subscription-based news, testing and training site for the video surveillance industry which first reported the news of potential litigation by XM — said that over the past five years China’s market share in the video surveillance industry has surged, due to the efforts of companies like XiongMai and Dahua to expand globally, and from the growth of government-controlled security company Hikvision.

Hangzhou Xiongmai said that it will recall millions of cameras sold in the U.S. in response to Friday’s DDoS attack against DNS provider Dyn that kept a number of web-based services such as Twitter, Github and others offline for much of the day. The Chinese manufacturer sells OEM white-label circuit boards and software for cameras, along with DVRs and network video recorders. Many of these types of IoT devices were compromised by the Mirai malware, which exploits default credentials in the equipment and corrals them into botnets used and sold for DDoS attacks.

The company said in its statement—translated via Google—that it would recall devices sold earlier and still in use, mainly one million cards used in network cameras, one million cloud network cameras, one million panoramic network cameras and 1.3 million network cameras. It believes only devices sold before April 2015 that have not been updated, are only protected by default credentials and are exposed to the public Internet are vulnerable. “(If) any of the above conditions are not met, Mai Xiong equipment cannot be attacked or manipulated so this attack had little impact on the actual use of male Mai device,” the company said in its statement.

Level 3 Communications, a Colorado-based telecommunications company and ISP said the bulk of the traffic used in the DDoS attack was UDP/53 and TCP/53 with the TCP traffic consisting of TCP DNS SYN attacks, while the UDP traffic was subdomain, or prefix label attacks.

Mirai could be a long-term menace. The source code for the malware, which was responsible for other massive DDoS attacks against Krebs on Security and French webhost OVH

See more at: Chinese Manufacturer Recalls IOT Gear Following Dyn DDoS https://wp.me/p3AjUX-vBC

THE FIRST Internet of Things (IoT) devices thought to be responsible for Friday’s giant Mirai DDoS attack on DNS provider Dyn have been recalled by their manufacturer.

Chinese firm Hangzhou Xiongmai specialises in motherboards for DVRs and IP cameras, both suspected of being part of the giant botnet used in the attack, the firm said in a statement

“Security issues are a problem facing all mankind,” it said on a Chinese microblog. “Since industry giants have experienced them, Xiongmai is not afraid to experience them once, too.”

We think that might be a Samsung dig.

The company is the first to take responsibility for products which may well have allowed many services including Twitter and Spotify to be taken offline at a stroke last Friday.

The main problems were caused by simple to hack user names and passwords on IoT devices, many of which never get changed from their defaults.

Xiongmai devices are particularly vulnerable, given that in many cases it doesn’t even offer the tools needed to change username and password. It may be that falling on its sword may prove a brilliant publicity coup for the company, which has promised to improve mechanisms of security on future products.

At present, it is still not known who was responsible for the attack, which was launched in three waves over a number of hours on Friday.