Webcam company recalls devices that caused internet outage

Posted Oct 25, 2016 by James Walker
Chinese webcam manufacturer Xiongmai has announced it is recalling many of its products in the wake of last week's internet outage. The attack affected sites including Spotify and Twitter and is believed to have been triggered by hijacked 'smart' devices.
On Friday, a wide range of popular online services were inaccessible for much of the day in the U.S. as DNS provider Dyn faced an enormous DDoS (distributed denial of service) attack. The company provides infrastructure that maps website addresses to the servers powering public websites and apps.
In the hours after the attack, researchers traced the source of the malicious traffic to a giant botnet coordinated by the Mirai malware. They found that "tens of millions" of devices around the world were used to overwhelm Dyn's services, the majority of them hijacked "smart" Internet of Things (IoT) products such as webcams, printers and digital video recorders.
One of the companies linked to the attack was Xiongmai Technologies. The Chinese technology company manufactures a range of internet-connected products that have very weak security. It builds components that are then sold on to downstream vendors for inclusion in their devices, so the same weaknesses give attackers access to millions of products.
Security experts warned that Xiongmai and other companies included a default user account in their software that hackers could use to connect to devices. Because every product has the same username and password, it would be trivial for a cybercriminal to scan the Internet for vulnerable products, upload malicious software to each one and link them into the giant botnet that bombarded Dyn on Friday.
Since details of the attack were made public, Xiongmai has acknowledged the role of its products in the DDoS. It announced a recall of its webcams in the U.S. to reduce the chances of hackers using the same technique again.
Analysts have questioned how effective the recall will be. It covers all of Xiongmai's circuit boards and components and could extend to several different product ranges marketed under many brand names. However, it is not clear whether Xiongmai's downstream vendors will actively communicate with customers to publicise the recall.
In a statement to the BBC, Xiongmai suggested its users were at fault for not changing the default passwords on its devices. However, analysts have criticised the claim, noting the accounts in question are not accessible to the user. "A user cannot feasibly change [the] password," security firm Flashpoint had earlier said to cybersecurity expert Brian Krebs.
"Security issues are a problem facing all mankind," Xiongmai told the BBC. "Since industry giants have experienced them, Xiongmai is not afraid to experience them once too."
Xiongmai has said it will change the way it manages default user accounts on its future products. The company is also planning to develop a software patch for existing devices to make their security more robust. Again, it is not clear how successful it will be or whether customers will have an easy way of knowing the update is available.
While Xiongmai appears to be stepping in the right direction, there are still plenty of other companies producing cheap IoT products with similar flaws. In a scan of the internet on October 6, researchers at Flashpoint Security found 515,000 devices that could be susceptible to hijacking in this way.
It is still unknown who was behind the attack on Dyn last Friday. The rise of cyberattacks targeting the Internet's infrastructure instead of individual websites is a concerning trend. The weak security around the Internet of Things is providing hackers with hundreds of thousands of devices to weave together into botnets, making more ambitious campaigns feasible.