Hangzhou Xiongmai, a Chinese company that sells components for surveillance cameras and other gadgets in the U.S., issued a recall for its devices. The company’s cameras were found to be part of the large botnet that engaged in a massive DDoS attack against Dyn’s DNS service on Friday, which caused many major websites such as Twitter, Reddit, CNN, and others, to be inaccessible to users.
Disrupting A DNS Service
A DNS service is like a phone book for Internet domain names: it ties server IP addresses to names that humans can remember more easily. When a DDoS attack disrupts a website's DNS service, users' requests can no longer be resolved to the server’s IP address (a step that normally happens behind the scenes), so they lose the ability to access the website.
That’s how countries (such as Turkey) have censored websites in the past, and it's also how a botnet disrupted access to major U.S. websites on Friday.
As suspected earlier, IoT devices such as cameras and DVRs seem to have powered the botnet. These devices can be accessed remotely through telnet, and they tend to have default passwords. Hackers can gain access with the default passwords and then infect the device.
Xiongmai, Maker Of Vulnerable IoT Device Components
According to web security firm Flashpoint Intel, Xiongmai Technologies, located in Hangzhou, China, is the primary manufacturer of the IoT devices used in the attack. The company sells digital video recorders (DVRs), network video recorders (NVRs), and IP camera boards and software licenses to other manufacturers, who then make the cameras and other IoT devices.
Flashpoint said that over half a million of the devices participating in the DDoS attack had Xiongmai components that used a default username and password (root and xc3511).
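For defenders, the default-credential exposure described above can be checked against login records. The following is an added example, not code from Flashpoint or Xiongmai: it assumes a hypothetical telnet login log format (such as a honeypot or telnet proxy might write) and uses constructed sample lines to list devices that still accept the default pair named in this article.

```python
import re
from collections import defaultdict

# Default credential pair reported in this article for Xiongmai-based devices.
DEFAULT_CREDS = {("root", "xc3511")}

# Constructed sample lines in a hypothetical telnet-login log format
# (device, source address, user, password tried, result). Not real data.
SAMPLE_LOG = """\
2024-01-01T11:02:10Z dev=dvr-lobby src=203.0.113.7 user=root pass=xc3511 result=ok
2024-01-01T11:02:11Z dev=cam-dock src=203.0.113.7 user=root pass=xc3511 result=fail
2024-01-01T11:02:15Z dev=cam-dock src=198.51.100.23 user=admin pass=Tr1cky!pw result=ok
2024-01-01T11:03:40Z dev=nvr-store src=203.0.113.9 user=root pass=xc3511 result=ok
this line is malformed and must be skipped
2024-01-01T11:04:02Z dev=dvr-lobby src=203.0.113.9 user=root pass=xc3511 result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) dev=(?P<dev>\S+) src=(?P<src>\S+) "
    r"user=(?P<user>\S+) pass=(?P<pw>\S+) result=(?P<result>ok|fail)$"
)

def audit_default_logins(log_text):
    """Return (exposed, sources).

    exposed: device -> sorted sources whose default-credential login succeeded,
             i.e. devices still running the factory password.
    sources: source -> number of default-credential attempts (ok or fail).
    """
    exposed = defaultdict(set)
    sources = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not fit the assumed format
        if (m["user"], m["pw"]) not in DEFAULT_CREDS:
            continue  # a login with a non-default credential is out of scope
        sources[m["src"]] += 1
        if m["result"] == "ok":
            exposed[m["dev"]].add(m["src"])
    return {d: sorted(s) for d, s in exposed.items()}, dict(sources)

if __name__ == "__main__":
    exposed, sources = audit_default_logins(SAMPLE_LOG)
    for dev, srcs in sorted(exposed.items()):
        print(f"{dev}: default password still accepted (from {', '.join(srcs)})")
    for src, n in sorted(sources.items()):
        print(f"{src}: {n} default-credential attempts")
```

Devices in the first result are the ones to isolate, re-credential or return; the second result shows which sources are probing with the default pair.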
According to a more recent report, Xiongmai began issuing a recall in the U.S. for devices using the vulnerable components. It’s not clear whether the recall was the result of pressure from the U.S. government, or whether Xiongmai took it upon itself to recall so many devices. We’ve asked the company for clarification and an official statement.
Recall As Potential Precedent
Xiongmai’s recall may be the first of its kind that was spurred by IoT devices participating in botnets, and it may even set a precedent for future attacks. Many experts have been warning about an impending IoT security catastrophe due to how insecure and unsupported most of the devices are.
The vulnerabilities are due to manufacturers trying to sell IoT devices as cheaply as possible. However, if governments force the companies to recall products that are part of botnets every time an attack happens, then manufacturers may quickly begin to change their thinking with regard to how “cheap” it is to avoid securing devices properly by default, or not to update them. They may find that recalls are much more expensive in the end.
The recall solution, which serves as a way to keep companies liable for irresponsible design and manufacturing, is already commonplace in the automobile industry. Although not perfect, it seems to have worked quite well, so it may be something for regulators to consider.
Forced recalls aren’t a rule yet, so it remains to be seen if other IoT manufacturers will start to take notice of what happened and significantly improve their products’ security before governments get a chance to act and impose stricter certification regulations. If the U.S. government pressured Xiongmai to recall its products, then it may use its power again if it finds another company’s products used in a massive DDoS attack.
That's all the more reason for IoT manufacturers to act sooner rather than later and design their products with security in mind from the beginning. Bolstered security would avoid recall situations, and it would make the products cheaper to update in the future, because there would be less need for updates if security is already solid.