After a tough summer of botnet attacks by Internet-of-Things things came to a head last week, taking down many popular websites for folks in the eastern US, attention has finally turned to what to do about this mess. We’ve wracked our brains, and the best we can come up with is that it’s the manufacturers’ responsibility to secure their devices.
Chinese DVR manufacturer Xiongmai, predictably, thinks that the end-user is to blame, but is also consenting to a recall of up to ~~300 million~~ 4.3 million of their pre-2015 vintage cameras — the ones with hard-coded factory default passwords. (You can cut/paste the text into a translator and have a few laughs, or just take our word for it. The company’s name gets mis-translated frequently throughout as “male” or “masculine”, if that helps.)
Xiongmai’s claim is that their devices were never meant to be exposed to the real Internet, but rather were designed to be used exclusively behind firewalls. That’s apparently the reason for the firmware-coded administrator passwords. (Sigh!) Anyone actually making their Internet of Things thing reachable from the broader network is, according to Xiongmai, being irresponsible. They then go on to accuse a tech website of slander, and produce a friendly ruling from a local court supporting this claim.
Whatever. We understand that Xiongmai has to protect its business, and doesn’t want to admit liability. And in the end, they’re doing the right thing by recalling their devices with hard-coded passwords, so we’ll cut them some slack. Is the threat of massive economic damage from a recall of insecure hardware going to be the driver for manufacturers to be more security conscious? (We kinda hope so.)
Meanwhile, if you can’t get enough botnets, here is a trio of recent articles (one, two, and three) that are all relevant to this device recall.
Via threatpost.
Xiongmai
Like many other dodgy Chinese companies making cheap tech/security devices, they always blame others for issues they created and then attempt take-down notices when their security flaws are pointed out. There was a lock, no longer sold, that used a special key disc; it was opened with a coat hanger and a screwdriver fairly quickly, and the manufacturer had a meltdown on YouTube.
I have seen many non-Chinese companies do the same. I think the 300 million people that bought these devices without thinking how or why they’re cheap, put them in their living room and connected them to the internet are also to blame.
These people aren’t going to pay any attention to this recall. How many cameras do you think are going to be sent back at this point? 1,000?
Apathy is the big problem here… anything that requires a firmware update is almost impossible to get consumers to pay attention and perform the work. Anything that requires changing a password will be extremely hard to get consumers to act. Botnets are almost an unsolvable problem once the shoddy hardware has proliferated.
“Botnets are almost an unsolvable problem once the shoddy hardware has proliferated.” really?
1. Write a bot attacking the vulnerable devices. It doesn’t seem very difficult.
2. Our new bot either simply bricks the device or changes the default password to a random one.
3. Problem “solved” :)
+1
Okay. Now you’re in a race with the black hats to capture insecure devices first. And I don’t care how good you think you are; *you’re not going to win.*
Then hire a lawyer to defend you against an unauthorized access to a computing device lawsuit brought by the government just because.
Technically, what you are proposing is illegal (in the US at least), no matter how sensible. Sigh…
Which is the worse problem: ignorance or apathy?
I dunno and I don’t care!
Internet security? What’s that? Eh, it’s cheap; who gives a rip.
So, Apple (and later anything with an app store, like Google, Amazon, Apple, etc.) has made great strides in making sure updates get installed by having all software updates go through one unified Software Update stream. App stores will routinely tell you “ok, six updates are ready” regardless of what is being updated, the disparate developers behind them, etc.
Still, things get left behind. Have you tried tracking down firmware updates for your HDD? Lots of people don’t even know you can do that. I wonder if there is any possibility of success for an even grander Everything Update system, where you can update any DEVICE or component, not just the software that runs on it.
Or, you know, Windows update since forever. Apple is not the inventor of automatic updates…
I mean in the sense that Apple Update can manage non-Apple products. Windows may do it now, but it didn’t before, which is how they ended up having Microsoft Update, Java Update, MS Office Update, Dell Update, … all running at startup or whatever.
Eventually, ISPs will start contacting users and explaining it to them, and those users will then likely recycle the devices.
It is known to at least one involved party (the ISP) who the zombies are, so this is very fixable over time.
Don’t just wave your hands and declare it unsolvable when you didn’t think of a solution.
I will predict though that as it is solved, the problem will become less visible, and internet pundits will fail to notice; they’ll simply complain about it less often.
Where did you get that eye-popping 300 million number from? The Chinese article and the first article you linked both state that it’s a recall of 4.3 million devices.
Using Google translate: https://goo.gl/CV6gCl
It states:
mainly 100 million card network camera, 100 million cloud Taiwan network camera (shaking his head), 100 million panoramic network camera, 1.3 million panoramic camera to do the recall, while increasing the default password changes to minimize the security risks.
— so the number of devices actually exceeds 300 million
It is around 301.3 million (which is about 300 million as reported)
This is interesting and probably highlights an issue with Google translate. I clicked on the link that was provided in the article above, and then clicked translate in Chrome and I read, “mainly for one million cards network cameras, one million cloud network camera (shaking his head), 1,000,000 panoramic network camera, 1.3 million network cameras make panoramic recall process, while increasing forced to change the default password features to minimize security risks.” This is the 4.3 million that [Alex Hornstein] was talking about.
You should always change the default password as it’s there just to let you get into the device after a factory reset.
Though maybe they should bring back serial ports for recovery vs only being able to configure it over the network.
All they need to do is add a USB connector and a Prolific USB-to-serial chip to the UART that’s probably already on the chipset, and there you go: a serial console.
Need to recover it? Just plug a laptop into it, and you can choose to make it so you cannot even reconfigure it over the net if you’re paranoid.
Probably less than 50 cents a device.
I also wonder how much trouble could be avoided by being able to make the firmware part of the flash read only except for when there is an update.
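The comments above argue for a device whose factory credential is only ever usable from the physical console, and whose network administration can be switched off. The following is an added example, not code from Xiongmai, Hackaday or any commenter, that models such an admin-access policy in Python. The `Interface` and `Device` names, the `KNOWN_DEFAULTS` list, the factory credential `admin` and the ten-character minimum are all assumptions made for the example.

```python
"""
Added example (not the page's or any vendor's code): a model of an
admin-access policy for a network camera. The factory default credential
is accepted only on the serial console and only until an owner-chosen
password exists; after that, administration is allowed from the LAN,
never from the WAN, and LAN administration can be switched off entirely.
"""
import hashlib
import hmac
import os
from enum import Enum


class Interface(Enum):
    SERIAL = "serial"  # physical console: needs hands on the device
    LAN = "lan"        # local network
    WAN = "wan"        # the Internet side


# Constructed list of passwords that must never be accepted as owner-chosen.
KNOWN_DEFAULTS = {"admin", "password", "123456", "default", "root"}


def _derive(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so a dumped flash image does not give up the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Device:
    FACTORY_DEFAULT = "admin"  # constructed recovery-only credential

    def __init__(self):
        self.factory_reset()

    def factory_reset(self):
        """Back to the shipped state: no owner password, no network admin."""
        self._salt = None
        self._hash = None
        self.network_admin_enabled = False

    def password_is_set(self) -> bool:
        return self._hash is not None

    def set_password(self, new_password: str):
        """Owner chooses a password; known defaults and short strings are refused."""
        if new_password.strip().lower() in KNOWN_DEFAULTS or len(new_password) < 10:
            raise ValueError("rejected: known default or shorter than 10 characters")
        self._salt = os.urandom(16)
        self._hash = _derive(new_password, self._salt)
        self.network_admin_enabled = True  # LAN administration opens up only now

    def login(self, password: str, via: Interface) -> bool:
        """True if an admin session may open with this password on this interface."""
        if not self.password_is_set():
            # Fresh or factory-reset device: the default works on the console only.
            return via is Interface.SERIAL and hmac.compare_digest(
                password.encode(), self.FACTORY_DEFAULT.encode())
        if not hmac.compare_digest(_derive(password, self._salt), self._hash):
            return False
        if via is Interface.SERIAL:
            return True
        if via is Interface.LAN:
            return self.network_admin_enabled
        return False  # WAN never gets an admin session, correct password or not


if __name__ == "__main__":
    cam = Device()
    print("default over LAN:", cam.login("admin", Interface.LAN))        # False
    print("default on console:", cam.login("admin", Interface.SERIAL))   # True
    cam.set_password("correct-horse-staple")
    print("owner password over WAN:", cam.login("correct-horse-staple", Interface.WAN))  # False
```

Because `set_password` refuses every entry in `KNOWN_DEFAULTS`, the factory credential can never become the owner password, so it stops working the moment the device is set up; a factory reset brings it back but also drops network administration until someone with physical access runs setup again.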
Synology NASes are not better: they have a hardcoded root password and the algorithm is available on the net.
http://blog.thomasmarcussen.com/synology-nas-recovery-password-telnet/
It’s a Google translation problem. If you read the original Chinese, it says (paraphrasing due to my crappy Chinese) “100万” of the network card cameras, “100万” of the cloud cameras, “100万” of the panoramic network cameras, and “130万” of the panoramic cameras.
If you just type “万” into Google Translate as a standalone character, Google incorrectly interprets it as “million”. It’s weird, because the first translation result in Google Translate is the correct number, ten thousand. (https://cl.ly/3p0c103R1E0X)
Bizarrely, I read the page originally using the Google Translate Chrome plugin, which translates it correctly (https://cl.ly/3e3Y1f2N3201), but copy-pasting it into Google Translate gives the incorrect translation of 万 as “million”, rather than 10,000.
I felt particularly confident that this was an error in translation when reading the first link from the article (https://threatpost.com/chinese-manufacturer-recalls-iot-gear-following-dyn-ddos/121496/) and seeing that its numbers matched what my Google translation/manual Chinese translation said they should be.
Also, back-o’-ye-envelope thinking shows it to be unlikely. There are ~318 million people in the US, the market affected by this recall, and I know at least one other person who doesn’t have a Xiongmai network camera, panoramic or otherwise.
Good catch. So the article above overstates the recall by a HUGE factor. I couldn’t imagine how this company I’ve never heard of would have a recall of 300 million units!
Thanks for the studied answer to this problem. I’ve used strikethrough to update the article to 4.3 Million.
Are they paying the full cost of replacement? There is climbing towers or other labor-intensive acts, return postage, and also the loss of service during that interval.
Dollars to donuts, they are not paying any of that (?)
From me, they don’t get any free passes. You cannot just say ‘sorry!’ when you fuck up this badly. A 2-man company, sure. A large company that should KNOW BETTER, no! No free pass for you!
Good luck with that. And I might go as far as stating that they *knew* better, but in the cut-throat business of consumer electronics, there’s no such thing as “doing the right thing” when the expedient gets you to market faster and cheaper.
What is up with HaD’s proofreading?
“Is the massive economic damage that a recall of insecure hardware going to be the driver for a change to more security consciousness on the part of manufacturers?” seems like it was cobbled together from three different sentences…
Is the end user aware of the hard-coded admin password?
If so, it sure sounds like an end-user error.
Although manufacturers can be expected to provide reasonably secure devices, it will never be possible to ensure that all manufacturers of the (eventually) billions of IoT devices will be properly securing their devices. While it is reasonable to expect users to change the passwords (when they are not hard coded), that should either be “forced” in order to activate the device, or unique passwords should be supplied. It needs a sort of internet UL for IoT devices to encourage this.
In the end it will be up to end users and ISPs to prevent bot takeover. I expect to see intelligent security devices/routers becoming available that can monitor your internet activity and let you (and maybe the ISP) know if any of your devices are acting incorrectly so that you can take them offline or fix them. The issues may be bots or viruses or just plain device failure. Of course, there will need to be some cost to end users and ISPs if issues are not fixed to incent everyone to take action. The “smart/deep learning” routers could automatically filter (with user override), making it easier for end users. The key is that end users should be deciding what is and isn’t OK as otherwise ISPs could impose censorship under the disguise of DDNS prevention.
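The comment above, like the earlier one noting that the ISP already knows who the zombies are, puts the detection job on the home router or the ISP. The following is an added example, not code from the article or any commenter, of a small flow-based detector in Python: it reads constructed flow records for a few LAN devices and flags the ones whose outbound traffic looks like a bot (fan-out to many distinct hosts, connections to remote-administration ports a camera has no business using, or a sudden traffic burst at one target). The `Flow` record, the `ADMIN_PORTS` set, every threshold and the sample traffic are assumptions chosen for the example.

```python
"""
Added example (not the page's or any ISP's code): a router-side detector
that scores each LAN device's outbound flows per one-minute window and
reports the devices that trip a bot-like rule. Thresholds are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int         # seconds since epoch
    src: str        # LAN device address
    dst: str        # remote address
    dport: int      # remote port
    bytes_out: int  # bytes sent by src in this flow


# Constructed policy: ports an IP camera or DVR has no reason to connect out to.
ADMIN_PORTS = {22, 23}


def suspicious_devices(flows, window=60, fanout_limit=20,
                       admin_limit=5, burst_bytes=50_000_000):
    """Return {src: [reasons]} for devices that trip any rule in some window."""
    dsts = defaultdict(set)    # (src, window) -> distinct destinations
    admin = defaultdict(set)   # (src, window) -> destinations reached on admin ports
    volume = defaultdict(int)  # (src, window) -> bytes sent
    for f in flows:
        key = (f.src, f.ts // window)
        dsts[key].add(f.dst)
        volume[key] += f.bytes_out
        if f.dport in ADMIN_PORTS:
            admin[key].add(f.dst)

    findings = defaultdict(list)
    for key in dsts:
        src, w = key
        if len(dsts[key]) >= fanout_limit:
            findings[src].append(f"window {w}: {len(dsts[key])} distinct destinations")
        if len(admin[key]) >= admin_limit:
            findings[src].append(f"window {w}: admin-port connections to {len(admin[key])} hosts")
        if volume[key] >= burst_bytes:
            findings[src].append(f"window {w}: {volume[key]} bytes sent")
    return dict(findings)


def sample_flows():
    """Constructed traffic for four LAN devices during one minute."""
    t0 = 1_477_000_020  # a multiple of 60, so every sample falls in one window
    flows = []
    # .10: a camera behaving normally, talking only to its cloud relay
    for i in range(3):
        flows.append(Flow(t0 + i * 20, "192.168.1.10", "203.0.113.5", 443, 40_000))
    # .20: a camera sweeping the Internet for telnet listeners
    for i in range(30):
        flows.append(Flow(t0 + i, "192.168.1.20", f"198.51.100.{i + 1}", 23, 120))
    # .30: a laptop browsing a dozen sites, below every threshold
    for i in range(12):
        flows.append(Flow(t0 + i * 4, "192.168.1.30", f"203.0.113.{50 + i}", 443, 300_000))
    # .40: a DVR pushing a flood of traffic at a single target
    for i in range(20):
        flows.append(Flow(t0 + i * 3, "192.168.1.40", "203.0.113.200", 53, 3_000_000))
    return flows


if __name__ == "__main__":
    for dev, reasons in suspicious_devices(sample_flows()).items():
        print(dev, "->", "; ".join(reasons))
```

Run stand-alone it reports only the scanning camera and the flooding DVR; the healthy camera and the laptop stay quiet. This is the kind of per-device verdict a router could surface to the owner (with an override, as the comment suggests) before anyone has to argue about recalls.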
Or when the problem hits the employee’s or even the founder’s home.
Example: say Mr. Toyota’s wife or daughter gets killed by runaway cars because they decided to replace the mechanical linkages with servo motors/actuators.
A Chinese manufacturer leaving a product directed at the U.S. market vulnerable to attacks/control from the Chinese government? Sounds like more than a coincidence.
I love the company response of ‘we made a product that can go on the internet, but you shouldn’t use it on the internet’ :-)
NETWORK, not internet, they are NOT the same thing.
It is meant to be connected to a second router that is connected to a network DVR on a second Ethernet cable with no internet access whatsoever. The ONLY device that can bridge the two networks MUST be a computer that has ANY AND ALL ACCESS BY NORMAL EMPLOYEES BARRED WITH LOCK AND KEY, or, to be 100% secure, a second $100 computer JUST for viewing the DVR’s content, as they are usually headless. This is to prevent access to Facebook etc., where all it takes is a targeted friend REQUEST and you’re screwed; you do not have to accept, just log in and you’re infected.
although a picture can speak a thousand words, an infected (non-bitmap) picture can speak nearly unlimited words
The problem with this is that the average consumer now doesn’t even realize that wifi, ISP, cable modem, router etc. are different things. You see ’em on Facebook etc.: “OMG I need new wifi, this one charged me for overage…” etc.
Yeah! Don’t be irresponsible and drive your car on the road!
Is there any way this could be regulated, like with an IoT standard? Maybe the FCC could do something. It isn’t wireless, but it certainly messes up communications.