The European Commission is drafting new cybersecurity requirements to beef up security around so-called Internet of Things (IoT) devices such as Web-connected security cameras, routers and digital video recorders (DVRs). News of the expected proposal comes as security firms are warning that a great many IoT devices are equipped with little or no security protections.
According to a report at Euractiv.com, the Commission is planning the new IoT rules as part of a new plan to overhaul the European Union’s telecommunications laws. “The Commission would encourage companies to come up with a labeling system for internet-connected devices that are approved and secure,” wrote Catherine Stupp. “The EU labelling system that rates appliances based on how much energy they consume could be a template for the cybersecurity ratings.”
In last week’s piece, “Who Makes the IoT Things Under Attack?,” I looked at which companies are responsible for IoT products being sought out by Mirai — malware that scans the Internet for devices running default usernames and passwords and then forces vulnerable devices to participate in extremely powerful attacks designed to knock Web sites offline.
One of those default passwords — username: root and password: xc3511 — is in a broad array of white-labeled DVR and IP camera electronics boards made by a Chinese company called XiongMai Technologies. These components are sold downstream to vendors who then use it in their own products.
That information comes in an analysis published this week by Flashpoint Intel, whose security analysts discovered that the Web-based administration page for devices made by this Chinese company (http://ipaddress/Login.htm) can be trivially bypassed without even supplying a username or password, just by navigating to a page called “DVR.htm” prior to login.
Worse still, even if owners of these IoT devices change the default credentials via the device’s Web interface, those machines can still be reached over the Internet via communications services called “Telnet” and “SSH.” These are command-line, text-based interfaces that are typically accessed via a command prompt (e.g., in Microsoft Windows, a user could click Start, and in the search box type “cmd.exe” to launch a command prompt, and then type “telnet” to reach a username and password prompt at the target host).
“The issue with these particular devices is that a user cannot feasibly change this password,” said Flashpoint’s Zach Wikholm. “The password is hardcoded into the firmware, and the tools necessary to disable it are not present. Even worse, the web interface is not aware that these credentials even exist.”
Flashpoint’s researchers said they scanned the Internet on Oct. 6 for systems that showed signs of running the vulnerable hardware, and found more than 515,000 of them were vulnerable to the flaws they discovered.
Flashpoint says the majority of media coverage surrounding the Mirai attacks on KrebsOnSecurity and other targets has outed products made by Chinese hi-tech vendor Dahua as a primary source of compromised devices. Indeed, Dahua’s products were heavily represented in the analysis I published last week.
For its part, Dahua appears to be downplaying the problem. On Thursday, Dahua published a carefully-worded statement that took issue with a Wall Street Journal story about the role of Dahua’s products in the Mirai botnet attacks.
“To clarify, Dahua Technology has maintained a B2B business model and sells its products through the channel,” the company said. “Currently in the North America market, we don’t sell our products directly to consumers and businesses through [our] website or retailers like Amazon. Amazon is not an approved Dahua distributor and we proactively conduct research to identify and take action against the unauthorized sale of our products. A list of authorized distributors is available here.”
Dahua said the company’s investigation determined the devices that became part of the DDoS attack had one or more of these characteristics:
-The devices were using firmware dating prior to January 2015.
-The devices were using the default user name and password.
-The devices were exposed to the internet without the protection of an effective network firewall.
Dahua also said that to the best of the company’s knowledge, DDoS [distributed denial-of-service attacks] threats have not affected any Dahua-branded devices deployed or sold in North America.
Flashpoint’s Wikholm said his analysis of the Mirai infected nodes found differently, that in the United States Dahua makes up about 65% of the attacking sources (~3,000 Internet addresses in the US out of approximately 400,000 addresses total).
ANALYSIS
Dahua’s statement that devices which were enslaved as part of the DDoS botnet were likely operating under the default password is duplicitous, given that threats like Mirai spread via Telnet and because the default password can’t effectively be changed.
Dahua and other IoT makers who have gotten a free pass on security for years are about to discover that building virtually no security into their products is going to have consequences. It’s a fair bet that the European Commission’s promised IoT regulations will cost a handful of IoT hardware vendors plenty.
Also, in the past week I’ve heard from two different attorneys who are weighing whether to launch class-action lawsuits against IoT vendors who have been paying lip service to security over the years and have now created a massive security headache for the rest of the Internet.
I don’t normally think class-action lawsuits move the needle much, but in this case they seem justified because these companies are effectively dumping toxic waste onto the Internet. And make no mistake, these IoT things have quite a long half-life: A majority of them probably will remain in operation (i.e., connected to the Internet and insecure) for many years to come — unless and until their owners take them offline or manufacturers issue product recalls.
Perhaps Dahua is seeing the writing on the wall as well. In its statement this week, the company confirmed rumors reported by KrebsOnSecurity earlier, stating that it would be offering replacement discounts as “a gesture of goodwill to customers who wish to replace pre-January 2015 models.” But it’s not clear yet whether and/or how end-users can take advantage of this offer, as the company maintains it does not sell to consumers directly. “Dealers can bring such products to an authorized Dahua dealer, where a technical evaluation will be performed to determine eligibility,” the IoT maker said.
In a post on Motherboard this week, security expert Bruce Schneier argued that the universe of IoT things will largely remain insecure and open to compromise unless and until government steps in and fixes the problem.
“When we have market failures, government is the only solution,” Schneier wrote. “The government could impose security regulations on IoT manufacturers, forcing them to make their devices secure even though their customers don’t care. They could impose liabilities on manufacturers, allowing people like Brian Krebs to sue them. Any of these would raise the cost of insecurity and give companies incentives to spend money making their devices secure.”
I’m not planning on suing anyone related to these attacks, but I wonder what you think, dear reader? Are lawsuits and government regulations going to help mitigate the security threat from the 20 billion IoT devices that Gartner estimates will be plugged into the Internet by 2020? Sound off in the comments below.
Even if they are mandated to be certified, it will need a validity period where the manufacturer must provide security patches and make them widely available. We all know that once these IoT cameras are out in place – they are rarely touched. So does that mean they need a feed service for auto patching? It opens up a big can of worms, for sure.
Thank you for bringing up patching :-). A few remarks upon that:
1. Your absolutely right. Certifications and Labels are only valid to declare products as “market compliant” and that specific date and time, and they will not deal with such thing as security within device’s product lifecycle.
2. What about open source code in products? A lot of stakeholders will have problems including open source software code into labeled products (reliability?) and that could be a poison pill to open source.
3. A label only means, a single product (or its prototype) has been tested against specific requirements. Of course we do not know the attacker and his (or her) amount of time or money he will invest in future.
So these testing requirements will create a level of something (sense of security), but unfortunately no measurable security at all. Example: 80% secure IoT device – LOL
4. What about products, that will be tested in e.g. May 2017 with a specific software/firmware release that is known to be vulnerable a few weeks later? If then thousands of “certified” IoT Devices are in production line, what will happen? Re-certify, push known insecure product into market, remove label…? What will happen with devices already in stores or in use?
There a a lot of thoughts we need to talk about.
My suggestion is to bring up a label claiming that the MANUFACTURER (in conjunction with the specific device itself) has a well implemented and structured security process including security by design (for this device’s development), security by default (stating secure modus operandi), product lifecycle response capabilities (to vulnerabilities, customer interaction, SPOC,…) and employee security training.
In fact, this will help to manage risks instead of putting a label onto devices and declare them “secure” (which they will be for est. 0.1 ms).
Because after all, we want to achieve the reliable use of robust (resilient) products from trustworthiness companies.
If the government cannot or will not act in a timely fashion, then a class action lawsuit is the only way to protect the public. Unfortunate, but true.
This may turn out to be big enough that you could find a law firm willing to do it on contingency. If you don’t want or need the money that the case might produce, direct it to a non-profit that you are fond of.
I think the most effective way is to require recalls. These are terrifically expensive and that will get these manufacturers attention. Regulations by themselves banning sale would have to reach back to the wholesale level so that the garbage can’t be sold without any real recourse to the OEM.
As a popular movie series repeats: When is it not about the money?
I think that regulations can help mitigate to a certain extent however by the time the regulations are passed and implemented by the vendors correctly, the internet will be heavily polluted with vulnerable devices.
Another question that has to be asked is how would a governments laws and regulations apply to a large vendor or manufacturer of IoT goods in China or elsewhere where it has no jurisdiction?
Oh gawd, I hope we don’t go down the path of government intervention here. The internet is too important to rely/depend on a collective of governments to drop the hammer in a coordinated approach.
As this story gets more attention, there will be a market opportunity created to counter it naturally. It will likely be solved by the same OEM manufacturers who are causing it, as they switch gears to create OEM secured wifi-routers to sell to the ISPs. “Only with Verizon’a new Fibre1000 will your home be safe from the IoT threats of today’a internet.”
My ¥2
[sarcasm]Yes, because letting the ‘free market’ handle cybersecurity issues for IoT devices has been SO effective. [/sarcasm]
Government intervention in the form of regulation is always needed when companies fail to address issues where their products are causing harm to people, infrastructure, and the environment.
It has been proven, by the evidence available, that the companies manufacturing IoT devices are unwilling to take the necessary steps on their own to keep their devices secure. Therefore they must be forced to do so by government action.
I wonder if, while they’re at it, they could enforce a common standard for infra-red remote control signals, so that we could all buy one remote control that controls everything without any hassle
(Not entirely joking here.)
Do you trust government?
Tell us which large or small corporations you trust unreservedly, without wanting access to legal remedies when they defraud you or otherwise injure the citizenry at large?
There are no such private businesses, no such non-profits, and we should simply apply the same critical scrutiny and desire for legal remedies against our elected and appointed government officials, correct? Is there a glaring hole in my argument for which you can provide improvements, Joe?
Market opportunity, for sure. Keep in mind that most consumers don’t know jack about securing their devices. So forget about them asking questions or raising concerns to the manufacturer: They buy according to the price tag, as usual.
If it wasn’t for car regulations, we would see a lot of crappy, unsafe “Frankeinstein” cars on our roads…
Chris, clearly consumers use car safety tests from consumer tests, so there is precedent. Highlighting that although this device is very cheap, it will make your internet unusable will have some impact.
You mean, like this one? https://www.google.com/search?q=trebant&hl=en&btnG=Search+Images&tbm=isch&gws_rd=ssl
There’s no market opportunity. When J Smith at neighborhood gas station wants to put a camera in, he doesn’t look for “certified safe”. He looks for cheapest one on amazon.
Anyone doing a more secure device costs more and thus is priced out of market.
There’s no consequence to end users having an insecure device. His ISP doesn’t cut him off, or block the device. Thus, they will go on price.
There needs to be consequences to either manufacture (lawsuits or regulation) or end user (ISP cut off but won’t happen without regulation).
Lawsuits couldn’t hurt, and they might impress upon OIT makers to make their products more secure in the future, no matter who/what/where they are used.
Regards,
Has anyone mentioned NIST’s cybersecurity framework industry resources?
https://www.nist.gov/cyberframework/industry-resources
There are ISO standards listed within the draft guidance for the post-market management of medical device cybersecurity.
While the FDA has put out their “Postmarket Management of Cybersecurity in Medical Devices: Draft Guidance for Industry and Food and Drug Administration Staff”, this guidance has no requirement that any of the medical device managers follow it – it is merely a recommendation. Add that to the fact that a large number of the medical devices currently in use are older and would be very expensive to replace. I don’t foresee the medical device manufacturers doing anything with this anytime soon, unless the FDA makes it a requirement rather than just guidance.
It appears you are correct. The document states that it reflects the FDA’s current thinking on guidance, unless a specific regulatory or statutory requirement has been cited.
Did you see that the National Telecommunications and Information Administration (NTIA) received a docket of comments from 131 organizations in June regarding their thoughts on what the government’s role should be regarding the Internet of Things? This group includes AT&T, Cisco, IBM, Microsoft, etc. It appears some support legislation, while others would like to minimize regulatory burden.
http://fedscoop.com/ntia-receive-131-comments-on-iot-future
http://www.ntia.doc.gov/federal-register-notice/2016/comments-potential-roles-government-fostering-advancement-internet-of-things
“Flashpoint’s Wikholm said his analysis of the Mirai infected nodes found differently, that in the United States Dahua makes up about 65% of the attacking sources (~3,000 Internet addresses in the US out of approximately 400,000 addresses total).””
Umm, how exactly does that math work? Are you saying that there are only ~4500 affected devices in US address space?
Maybe it was supposed to be 300.000 out of 400.000 but still, it’s 75% and not 65%.
Or is it 3.000 US addresses out of 4.500 total? Then yeah, it’s ~65% (66.(6)% to be “exact”).
Of the 3,000 attacking sources in the US, in the US, 65 percent of those were from Dahua devices.
Affirmative. 😉
Industry by itself won’t come up with effective standards that really make a dent into this problem. Governments could play a role in brokering an international security standard for IoT devices, along with a certification infrastructure. Subsequently, it could establish limits in liability for manufactures who get their product certified, and owners who use certified products.
Of course, in order for that to work, there first has to be a precedent that manufacturers and owners have liability for the havoc their appliances create. The way things are going, I don’t think such liability is going to be far off.
@David My concern is that market forces may create new opportunities but I don’t see how that’s going to effect the installed base of hardware. Surely you aren’t suggesting that consumers who have bought hardware with serious security defects should just buy more or newer hardware to fix what are essentially defective products? Without some standards for what constitutes reasonably secure products, how would you prevent any manufacturers from just claiming to be secure if there’s no official standard or enforcement mechanism?
@Robert Scroggins I’ve been involved in three class action lawsuits related to the IT industry, and I assure you that the only folks who come out of these with a high degree of satisfaction are the lawyers.
Well, greyhat hacking could solve issues with devices providing network/firewall settings. A bot would have to log in to such devices, change the settings so remote access (telnet, SSH) through the WAN port is impossible and restart the device. If the device has to provide remote access (and I bet most of them don’t) then the owner would have to *knowingly* change the settings back to what they were.
Keep the government out of it! In 5 billion years the sun will fry earth, so why even bother? Kidding. Although this excuse was mentioned by a candidate for president relating to a more important issue.
There must be some regulations on these devices as average users won’t know or care if their device is part of a botnet, as long as a device works and doesn’t hack their bank account or credit card.
The ISPs need to take some blame for this. The routers need to better protect the devices behind the firewall. Like the falsified source ip problem, all parties share some blame. Class action lawsuits and recalls ate one attempt at a solution, but we also know most companies will just take the chance and hope they get overlooked.
What if IoT companies make the devices unable to work until the customer changes default passwords and settings? That way people can’t just plug in and it work or am I missing more to the problem?
You’re missing a big part of the problem (that’s ok, so are most people).
Problems:
[x] There are thousands of different devices
[x] Each device has different configuration settings
[x] Expecting an ISP to maintain a database of all possible devices is unreasonable
[x] There’s no way for an ISP to determine if settings have been changed
[x] It’s possible that the password a user can change isn’t related to the password that needs to be changed
[x] It’s possible that the software (firmware) has some bug which allows it to be exploited w/o a password
“Congrats” (well, sort of…)! Krebs on Security is a high enough profile blog to draw instant Free Market/Libertarian Astroturfing with just a mention of “gubmint.”
There was an article in the NYTimes last year about hospital devices with hard coded user and passwords like blood transfusers and medicine dispenser carts that hackers would use to gain access to the hospital network to steal patient information like SS#s.
The upshot was NOTHING was done by the equipment manufacturers and the machines are STILL wide open.
This is case where the govt must step in to protect citizens rights since the manufacturers don’t give a sh*t.
I think we should make ISPs cut off internet access if they detect an attack is happening. Once a few thousand people loose their internet access they’ll finally start paying attention to security instead of just the price tag.
Matt K is right. The cost of any regulation is ultimately borne by the consumer of the good or service being regulated. If ISPs would simply shut down the connections of those customers with attacking devices, the problem would solve itself. Keep the gubmint from adding unnecessary costs and burdens for all consumers by letting the ISPs attack the problem directly.
That’s the most sensible suggestion I’ve heard in ages. The problem would go away very rapidly. If you make the end user responsible to the point of cutting them off from the internet, substandard devices would be gone from the marketplace in a flash.
As sensible as this suggestion seems, the problem is that major providers of backbone bandwidth actually make money off of bandwidth being used. i.e. they make more money from ALLOWING attacks, not blocking them… They have no incentive to block attacks, quite the opposite, their incentive is to allow them.
Now edge ISPs who allow “unlimited” bandwidth for a flat rate… they just keep raising prices to cover it, so they don’t have any incentive either. The cheapest broadband in my area is $60/mo…
Scanning for telnet ports and looking if a device encourages the users to change passwords before certifying that it can be sold would be great. But if a high-quality device lasts 20 years (most if the simple Chinese ones might) they still will have the certification sticker even if they never got any security updates. And I can bet that if you use a non-standard Port for telnet or require to go to the /DVR.htm address in order to open the backdoor the standard certification test won’t find it.
—
When I read about video cameras attacking your site I hoped that it would be the type of excellent security camera for hotels and airports that was sold in Europe cheaper than it could be produced, but with a nsa backdoor: http://www.zeit.de/digital/datenschutz/2016-09/videoueberwachung-nsa-bnd-frankfurt-flughafen as that would have provided the attack with a bit of irony.
The regulations will only affect devices sold by companies operating in the EU. It won’t affect the millions of devices bought online from outside the EU (Amazon US, Aliexpress, Banggood, Dealextreme, etc)
This is where opensource can assist (it probably won’t help with firmware issues).
If the EU goes the way of how the ‘energy certification’ is implemented, it will be a of no-use.
Because (as in Japan, where it was copycatted from) the rule is that the least energy consuming produced device sets the standard for the A status for the next year.
So every year the manufactures are pushed to make less energy consuming devices.
There A device might be a B or C device the next year.
And consumers will buy less energy consuming devices.
Sounds great right?
Well it isn’t. ‘Cause the standard is not updated in this way in the EU system now implemented.
(At least not in the Netherlands)
So there is a wild grow of A+ and A++ devices that claim there status on the fact they are a little more efficient than the official A status.
And if i buy a fridge that has been certified A, it does not mean i bought a fridge in the most energy efficient class. There could be fridges using half the energy that are also labeled A…
TL:dr
If a standard is not updated it is useless
Of course this was expected, the Dutch government has a fetish for implementing broken Japanese systems, like our public transportation pay/card system (OV chipcard), It was for a reason Japan did not implement it… ‘Cause it was broken, has no privacy and was hacked before implemented…
And still is! (and by all means very badly introduced and implemented)
@Brain would be nice to see how many sat receivers where in the attack, because the used user/pass is used on a bootload of boxes, and OS images for the last 10+ (!!) years! Enigma1 and 2 OS are used on receivers (satellite, terrestrial, cable or a combination of these) like dreambox and VU+ (best selling in EU) and just about every linux based receiver…
There are several software products out there called “vulnerability scanners.” I’ve used a couple of them in the test lab to attack (our own) web software products, find the holes, and patch them up.
Free and open source products are available, as well as expensive proprietary ones.
These products have, built in, a good understanding of the vulnerability surface of internet-connected equipment, and they zero in on the trouble spots. Open ports for ssh or telnet connections show up in the first few seconds of testing, for example.
Products — cheesy webcams and the like — that fail these tests should be named and publicly shamed.
The makers of these vulnerability testers are like anti-virus software makers. They scramble to keep up with the cybermiscreants. That means their users have to re-test and patch the new holes routinely. For an honest internet software developer, it’s a cost of doing business.
For the makers of cheesy devices, it will never happen. They may or may not scan their products once. They may have the ability to send out updates, but their customers will never install them.
The only feasible solution lies at the core network level. That is, the network providers need to detect and suspend customer connections carrying evidence of compromised devices.
Brian discovered the limitations of the Akamai / Cloudflare approach, when Akamai fired him as a user. It uses a far-flung network, but is not at the core of the network. Mitigating this stuff needs to happen at the core. Roadblocks, not ambulances!
Ten-minute customer connection suspensions would work wonders, both in coping with attack volume and with motivating network customers to deal with the offending devices.
Network routers (the customer-premises gadgets) need to contain rudimentary port scanners and compromised-device detectors. They need to be able to warn their owners that they’re about to be suspended.
This all involves change. It’s like mandating antilock brakes in cars. It’s going to take time and money to pull off. But it has to happen. The good news is, it can happen piecemeal, and doesn’t require big-bang system changes. Every cybercrook-resistant home router helps. Every network provider adding suspension rules helps.
The days when you could notice rogue traffic on your network, send an email to postmaster at rogue – traffic – source.com, and ask them to knock it off have been gone for a couple of decades now.
Thank you Mr Krebs for the series of pieces
on this issue!
I have closed the UPHPDH on our our devices
and will also check our Xerxes copiers for an
appropriate password .
As far as I understand the EU commission is merely talking about a ‘label’, much like the energy star label.
No liability, no fines, no pressure.
If so, this is a depressingly small step.
Let the ISP cut off the user? Are you kidding? We are cut off regularly for 5-15 minutes as it is, especially weekend evenings. All the ISP needs is a good excuse to tell users who can’t connect “our system detected you have botnet activity, you must resolve the issue by yourself or schedule a $125 service visit”. It would be a perfect excuse for ISP disconnects, and legal if allowed by law.
5-15 minutes? That sounds like unrelated technical issues such as too many splitters before the modem (for cable) or bad phone line in the house (for DSL). If this is router related then I would not recommend running a router from your ISP. Buy one. The modem itself might not be any good. These kinds of problems are what you pay for proper diagnosis of when they send a tech to your home.
That should not be confused with your ISP shutting you down on purpous for being part of a botnet. This is legitimate and is ‘customer equipment’. Just as if your television were found to be responsible for voltage backfeed.
It all comes down to who is controlling these things. Most people don’t want anyone in control that carries the title of ‘hacker’. Most people are not going to assume personal responsibility for any IoT device they own. Any government control becomes an overwhelming totalitarian temptation. ISP’s can and perhaps should be more responsible if not atleast responsive, but they are far more caught up in throttling torrent and other P2P activity to as yet be concerned. The biggest ISP’s can’t seem to care beyond offering old and outdated modes of technology.
In the end, it will very likely turn into something that looks and acts more like what we have all become used to with Apple controlling iphones and ipads.
Do you think it’s technically and legally feasible to ban these devices at the ISP? Seems to be a frightening precedent, but may be the only option to mitigate the install base that’s already out there.
Just as the EU cookies law fixed the privacy issues, so will their new law fix IoT security issues.
I have a much simpler solution: allow anyone to nuke devices with bad security from the internet. I.e. white hat hackers can write bots that scan the internet for Dahua devices, and permanently irrevocably disable them, and the EU will give you immunity for writing such software if you are an EU resident. That’ll kill bad software very quickly, as it simply won’t survive very long.
Or in other words: we allow white hat hackers to write predators to weed, or least control, pests. It’s a model that works elsewhere.
People are calling for lawsuits, but they forget that every fricking piece of software, including M$, is riddled with bugs. One of the main reasons being that programmers continue to use an extremely unsafe programming language called C.
If people who try very hard can’t write secure software, what do you think others will do?
We can try to mandate best practice, but I haven’t seen yet anyone here posting a specific practice that would have have prevented Dahua issues.
What does C have to do with default credentials being hardcoded in software? I mean, yeah, C can be difficult to handle security-wise but it’s more often than not the case of vendors pushing developers to code new features faster and faster so the product can reach the market ASAP. There are very good books about secure coding in C/C++ which every programmer can pick up and read.
And these books are working, we haven’t seen a stack overflow in years!
If you read the story, default credentials were only part of the story, you didn’t even need them. Are you really claiming we can write embedded firmware free of faults?
We know that people should exercise daily, not eat junk food, etc. and there’s still a lot of people who are extremely obese. Even if you read a book doesn’t mean you’ll do what it tells you *especially* when security takes time to implement. The time many developers don’t have as they’re forced to spit out software ASAP. There’s no computer language that’s completely mistake-resistant and there never will be one. Just as there never will be a *complex* piece of software that’s unbreakable. If moving away from C/C++ would solve the problem of security vulnerabilities, it would have been done years (decades?) ago.
This is an argument we have been having since AlGore invented the internet. In this case, the use of an IoT device for nefarious purposes is externality to the manufacturer. SPAM sent through open relays was an externality to ISP’s (until their servers were blacklisted.) The cost of identity theft is primarily borne by the victim, not the owner of the insecure software or network.
Liability law is one way to change the economics of those firms with product defects that are damaging third parties. If they had to pay their share of the true economic damages (i.e. what were your damages, Krebs?) they would then factor those costs when deciding whether they should invest in a better design. (Note, it may be more economical to just pay the damages.)
Other than insuring private parties can properly sue for appropriate damages, government intervention is rarely warranted. Imagine the language for a ‘one-size-fits-all’ law and subsequent regulations required. Technology is moving too quickly. Let the law of economics work.
There is high time to reverse this trend in which highly insecure protocols are developed (like UPNP or WPS) under the pretense of user friendliness. And ditto insecure products relying on P2P to puncture the firewall, with almost never issued firmware updates, with hard-coded passwords and so on.
What I do not understand is how those cameras became accessible for port 23(telnet) from the Internet. Surely most of them are behind a NAT gateway. UpNP would only expose the web stream. Anyone knows ?