Xiongmai, a Chinese electronics firm, has initiated a product recall prompted by the large DDoS attack that caused large websites such as GitHub, Reddit and Spotify to grind to a halt on the east coast of the US and in mainland Europe this past Friday.
The root of the distributed denial of service (DDoS) attack was believed to be a network of hacked Internet of Things devices, such as webcams and digital recorders, many of which were made by Xiongmai.
Researchers accused Xiongmai of releasing products with basic security vulnerabilities, such as the inability to set a password on some forms of connection. This is why hackers were then able to combine them into the Mirai botnet, a large network consisting of millions of hacked IoT devices.
Craig Young, security researcher at Tripwire, said: “It is fantastic to see a vendor owning up to their responsibility in this event. It is very rare to hear of a vendor doing something like this and I hope that it will be the first of many vendors to react strongly to Friday's attacks.”
The Chinese firm, which makes parts for surveillance cameras, said in a statement on its website that it would recall some of its products sold in the United States. It plans to strengthen security on the devices and send users a patch for products made before April last year.
Pointing the finger at the user, Xiongmai said the biggest issue was users not changing default passwords, and added that, overall, its products were well protected from cyber-security breaches.
Xiongmai also claims that reports which say its products made up the bulk of those targeted in the attack are incorrect.
The company statement said: “Security issues are a problem facing all mankind. Since industry giants have experienced them, Xiongmai is not afraid to experience them once, too.”
Friday's cyber-attack alarmed security experts because it represented a type of threat caused by the spread of relatively simple digital devices such as webcams, home routers and IoT alarms. These devices can lack strong security. This lax approach to security meant hackers found a way to harness millions of IoT devices to flood DNS provider Dyn with more traffic than it could cope with, bringing its services to a halt.
Security researchers have advised that the Mirai malware, which is used to create the botnet, can be cleared by restarting affected devices. However, the challenge is the number of vulnerable devices out there, which will likely be re-infected quite quickly after restarting unless some other protection is put in place.
The hacker who wrote the code for the Mirai botnet malware released the source code to the public in October, allowing other opportunistic attackers to create their own networks of hacked IoT devices.
Javvad Malik, security advocate at AlienVault, said: “IoT devices have proliferated at a rapid pace, and anyone that can take control of them can wield significant power. The Mirai botnet has given us the first real glimpse into the power of an IoT botnet and the damage that can be done.
“With no patching feasible for most devices, there is no easy fix in sight. IoT device manufacturers will need to consider architecting fundamental security principles into the designs, such as avoiding the use of default credentials.”
“Until such a time that IoT devices have secure options, these devices will continue to feature prominently at the forefront of cyber-security attacks.”
“The challenge with IoT devices is that not only are they often insecure by design, but they lack the options to apply patches or upgrade. Enterprises deploying IoT devices may spend the time needed to change default credentials, place the devices in a segregated network zone, or otherwise harden their systems – but consumers are highly unlikely to implement any such measures,” Malik concluded.
Mark James, security specialist at ESET, said: “I don't think Xiongmai could be held liable for this attack, but they obviously recognise a concern here and are making good steps in the right direction by recalling products that may have been affected. Hopefully other manufacturers will follow suit and take a look at what they can do to increase security of their own products. It seems these days that security takes a back seat; low-cost, affordable mass consumer use seems to be the preferred option, and it has to change if we want a safer environment for our digital presence.”
One of the biggest problems with IoT is its lack of security; the race is currently on to get customers involved with your product. The divide between usability and security is hard to get right at the early adoption stage. People like ease; sadly, the average user will very often choose ease over security and, if offered cheaper or safer, will choose cheaper every time.
IoT device manufacturers have to design security into their products from day one; it has to stop being an afterthought or, sadly, in some cases no thought. As our digital presence expands, we need to accept that security is everyone's responsibility. If we stop buying insecure products and force the manufacturers to make better and safer products, things will have to change.
As for IoT devices already in use, you can secure them by upgrading their firmware. In some cases minor changes may make them more secure, but in most cases it's a matter of getting those updates out to the public. A lot of IoT devices are purchased, configured, installed and forgotten about; the idea of checking for updates on those devices is alien to most users.