October 24, 2016

A Chinese electronics firm pegged by experts as responsible for making many of the components leveraged in last week’s massive attack that disrupted Twitter and dozens of popular Web sites has vowed to recall some of its vulnerable products, even as it threatened legal action against this publication and others for allegedly tarnishing the company’s brand.


Last week’s attack on online infrastructure provider Dyn was launched at least in part by Mirai, a now open-source malware strain that scans the Internet for routers, cameras, digital video recorders and other Internet of Things “IoT” devices protected only by the factory-default passwords. Once infected with Mirai, the IoT systems can be used to flood a target with so much junk Web traffic that the target site can no longer accommodate legitimate users or visitors.

In an interim report on the attack, Dyn said: “We can confirm, with the help of analysis from Flashpoint and Akamai, that one source of the traffic for the attacks were devices infected by the Mirai botnet. We observed 10s of millions of discrete IP addresses associated with the Mirai botnet that were part of the attack.”

As a result of that attack, one of the most-read stories on KrebsOnSecurity so far this year is “Who Makes the IoT Things Under Attack?“, in which I tried to match default passwords sought out by the Mirai malware with IoT hardware devices for sale on the commercial market today.

In a follow-up to that story, I interviewed researchers at Flashpoint who discovered that one of the default passwords sought by machines infected with Mirai — username: root and password: xc3511 — is embedded in a broad array of white-labeled DVR and IP camera electronics boards made by a Chinese company called XiongMai Technologies. These components are sold downstream to vendors who then use them in their own products.

The scary part about IoT products that include XiongMai’s various electronics components, Flashpoint found, was that while users could change the default credentials in the devices’ Web-based administration panel, the password is hardcoded into the device firmware and the tools needed to disable it aren’t present.

In a statement issued on social media Monday, XiongMai (referring to itself as “XM”) said it would be issuing a recall on millions of devices — mainly network cameras.

“Mirai is a huge disaster for the Internet of Things,” the company said in a separate statement emailed to journalists. “XM have to admit that our products also suffered from hacker’s break-in and illegal use.”

At the same time, the Chinese electronics firm said that in September 2015 it issued a firmware fix for vulnerable devices, and that XiongMai hardware shipped after that date should not by default be vulnerable.

“Since then, XM has set the device default Telnet off to avoid the hackers to connect,” the company said. “In other words, this problem is absent at the moment for our devices after Sep 2015, as Hacker cannot use the Telnet to access our devices.”

Regarding the default user name/password that ships with XM, “our devices are asking customers to change the default password when they first time to login,” the electronics maker wrote. “When customer power on the devices, the first step, is change the default password.”

I’m working with some researchers who are testing XM’s claims, and will post an update here if and when that research is available. In the meantime, XM is threatening legal action against media outlets that it says are issuing “false statements” against the company.

Google’s translation of their statement reads, in part: “Organizations or individuals false statements, defame our goodwill behavior … through legal channels to pursue full legal responsibility for all violations of people, to pursue our legal rights are reserved.”

Xiongmail's electrical components that are white-labeled and embedded in countless IoT products sold under different brand names.

Xiongmail’s electrical components that are white-labeled and embedded in countless IoT products sold under different brand names.

The statement by XM’s lawyers doesn’t name KrebsOnSecurity per se, but instead links to a Chinese media story referencing this site under the heading, “untrue reports link.”

Brian Karas, a business analyst with IPVM — a subscription-based news, testing and training site for the video surveillance industry which first reported the news of potential litigation by XM — said that over the past five years China’s market share in the video surveillance industry has surged, due to the efforts of companies like XiongMai and Dahua to expand globally, and from the growth of government-controlled security company Hikvision.

Karas said the recent Mirai botnet attacks have created “extreme concerns about the impact of Chinese video surveillance products.” Nevertheless,  he said, the threats against those the company accuses of issuing false statements are more about saving face.

“We believe Xiongmai has issued this announcement as a PR effort within China, to help counter criticisms they are facing,” Karas wrote. “We do not believe that Xiongmai or the Ministry of Justice is seriously going to sue any Western companies as this is a typical tactic to save face.”

Update,Oct. 25, 8:47 a.m.: Updated the story to reflect an oddity of Google Translate, which translated the statement from XM’s legal department as Justice Ministry. The threats of litigation come from XM, not the Chinese government. Also made clear that the threat was first written about by IPVM.

102 thoughts on “IoT Device Maker Vows Product Recall, Legal Action Against Western Accusers

  1. Jon

    Are there any non-Chinese security camera manufacturers to consider as an alternative?

    1. G

      Re. non-Chinese cameras etc. as an alternative:

      Panasonic. They’re not cheap, but you get what you pay for.

      They manufacture everything in their own factories (in various countries including Japan, Vietnam, and England), right down to the components on the circuit boards.

      I’m intimately familiar with their PBX/voicemail product line, and from experience and conversations with people in engineering, they are damn good about everything security-related. They tend to cross-pollinate between product lines, so it’s likely that security measures for their commercial-grade camera products follow similar practices.

  2. Stratocaster

    So now the emperor is threatening to sue the media for pointing out that he has no clothes.

  3. Hitoshi

    Somehow this figure seems inflated.

    “We observed 10s of millions of discrete IP addresses associated with the Mirai botnet that were part of the attack.”

    Are there any reference to the TAM (Size of Market) and market share by this vendor ?

    1. null

      See the article “Who Makes the IoT Things Under Attack?“ here, referenced above for more companies.

      I’ve been real curious about the “10s of millions of discrete IP addresses” also. A Million maybe but 10s of millions ?

  4. Nate Guerin

    Correction for article, according to Xiongmai’s statement linked to in the article, they provided a firmware update in April 2015, not September 2015.


    We believe that there are three preconditions that are required for the attackers to attack our products: 1) The device in question had firmware that was made before April 2015; 2…”

    1. BrianKrebs Post author

      Nate, that Sept. 2015 date comes from the statement XM sent to the media. I have pasted that below. It is at odds with the statement posted at http://mp.weixin.qq.com/s?__biz=MzA4MDQ4NjMwOA==&mid=2651450911&idx=1&sn=f4d41b6fae77ece8493fdec1197d97f0&chksm=845ec4d4b3294dc23df1d6ecba1e76ccec9ac6533aef4403ecf34f9b72e4cb3c7c94e57dfc89&mpshare=1&scene=1&srcid=1024DskPGO5o4Jgp1qYNtrDZ#wechat_redirect, which as you note says April 2015.

      Here’s what the company mailed to reporters:

      1) Last year we already found the problem of Telnet default password, unauthorized used by some hackers to tear down connection and access to the devices, we XM already fixed since September, 2015. Since then, XM has set the device default Telnet off to avoid the hackers to connect. In other words, this problem is absent at the moment for our devices after Sep 2015, as Hacker cannot use the Telnet to access our devices.

      2) Regarding the default user name/password, our devices are asking customers to change the default password when they first time to login. When customer power on the devices, the first step, is change the default password.

      3) Only at these circumstances, XM devices maybe be vulnerable:
      a. Firmware version early than Sep 2015.
      b. Customers made the Port Mapping, and all Ports complete open to Internet, without any network firewall protection.

  5. Charles James

    Reaction is Slower than Action

    In karate we have a saying that seems to promote the philosophy of action that, “There is no first strike in Karate.” If you are not careful you may misinterpret that to mean you cannot strike first and have to wait to counter in self-defense – that is patently false in assumption. You can still “Act First” and “Not Strike First” requiring a paradigm shift in thinking and so does the following idea I present regarding the current perception of cyber-fense (I use fense here to incorporate thinking of both offensive and defensive strategies and tactics).

    In a recent article by Krebsonsecurity, READ IT HERE, he mentions that government intervention and regulation is not a way to go to defeat the threat posed in the DDOS through the IoThings. His quote, “I have been asked by several reporters over the past few days whether I think government has a role to play in fixing the IoT mess. Personally, I do not believe there has ever been a technology challenge that was best served by additional government regulation.”

    Quick comment on that, “Don’t assume that government intervention has to be regulations, it is also the cyber-fense we create and institute to protect the sovereignty of our nation and by association its infrastructure both physical and technological in nature. But, he goes on to say, “However, I do believe that the credible threat of government regulation is very often what’s needed to spur the hi-tech industry into meaningful action and self-regulation.”

    With that additional comment I would add, “Don’t wait for credible threats to enact strategies and tactics to combat information terrorism as well as predatory criminal acts.”

    Remember, when a entity waits to counter they are reacting and all theories and research by self-defense, military and civilian authorities like the Police shows that reacting to actions or threats of actions is slower putting us at a disadvantage very, very few are capable of overcoming to succeed. You have to be proactive in all ways, i.e., proactive in creating a solid cyber-fense, etc. You have to be proactive in awareness and detections of the possibilities in information terrorism and crime so that actions can be taken before they strike.

    Now, that does not necessarily mean you start predatory IT types of actions to stop the threat before they leave the gate for it starts long before that so awareness is understanding the threats and taking proactive actions to avoid the threats.

    Herein lies the problem, an awareness also includes taking proactive steps so that such terrorist predatory culprits don’t have a chance and end up “Reacting and Countering” our enforcement and protection tactics and strategies. We have to stop reacting, it is too slow and too damn late.

    Become proactive and start with the industry action of creating safe and secure IoThings to replace the faulty insecure and dangerous IoThings out there already before they are used to cripple us and those profits currently enjoyed become expenses in repairing and revitalizing a damaged nation.

    Waiting is to not act but react – too late. Proactive actions is not waiting, it is putting the bad people on the defensive. If you are defending you are losing and right now from my seat – We are all losing bad right now, take back the initiative – NOW!

  6. HarryDee

    I really don’t see this happening (how can they possibly recall ALL those devices)…

    Just trying to look good for the public and their shareholders…

  7. Ron G

    Hey Brian, please keep on posting your “untrue reports”. I’ll kick a little something into the legal defense fund, when and if that becomes necessary.

    P.S. To paraphrase H. R. Haldeman, Once the Chinese diethylene glycol toothpaste is out of the tube, it’s hard to get it back in.

  8. Ollie Jones

    Hopefully you won’t need it. But if you do please don’t hesitate to ask your readers to chip in a few bucks for a legal defense fund.

    They seem to understand that truth is an excellent defense against libel. That’s good. I hope their US lawyers explain to them about “discovery” and “depositions,” in which your lawyer can compel them to testify about such things as their security practices.

    I wonder, if blackhats can penetrate these devices to enslave them, can’t whitehats penetrate them to disable their telnet ports? (Or even brick them until they’re restarted?)

  9. Precariat

    October 21, the day the IOT, turned into Internet Exploitable Devices, (IED’s), and turned against us. I think that there is no other reasonable option, than that the company responsible, releases all the schematics and code, so that G.O.’s or N.G.O.’s can go out and kill these things for a bounty, and let the companies involved deal with the customer refunds once bricked.

    Problem would be solved quick, and the consumer would not suffer.

    This time.

  10. Paul vG

    What if someone were to modify the Mirai code to find insecure IoT devices and reboot them – and do this over and over? At least for a day or two.

    This would do two things. First, it would make them somewhat unusable for DDoS attacks (at least while the counter attack is ongoing)

    Second, it would pretty obviously cause a lot of owner discontent and would spark a LOT of complaints to the manufacturers and maybe speed up recalls.

  11. Marc

    Could the Chinese rulers/Chinese government be complicit in having or requiring these Chinese manufacturers of the suspect IoT devices to have a back door? Being able to hack millions of devices in the hands of Chinese citizens … or others… just might be the plan of the Chinese security services and the Red Army.

Comments are closed.