24
Oct 16

IoT Device Maker Vows Product Recall, Legal Action Against Western Accusers

A Chinese electronics firm pegged by experts as responsible for making many of the components leveraged in last week’s massive attack that disrupted Twitter and dozens of popular Web sites has vowed to recall some of its vulnerable products, even as it threatened legal action against this publication and others for allegedly tarnishing the company’s brand.

iotstuf

Last week’s attack on online infrastructure provider Dyn was launched at least in part by Mirai, a now open-source malware strain that scans the Internet for routers, cameras, digital video recorders and other Internet of Things “IoT” devices protected only by the factory-default passwords. Once infected with Mirai, the IoT systems can be used to flood a target with so much junk Web traffic that the target site can no longer accommodate legitimate users or visitors.

In an interim report on the attack, Dyn said: “We can confirm, with the help of analysis from Flashpoint and Akamai, that one source of the traffic for the attacks were devices infected by the Mirai botnet. We observed 10s of millions of discrete IP addresses associated with the Mirai botnet that were part of the attack.”

As a result of that attack, one of the most-read stories on KrebsOnSecurity so far this year is “Who Makes the IoT Things Under Attack?“, in which I tried to match default passwords sought out by the Mirai malware with IoT hardware devices for sale on the commercial market today.

In a follow-up to that story, I interviewed researchers at Flashpoint who discovered that one of the default passwords sought by machines infected with Mirai — username: root and password: xc3511 — is embedded in a broad array of white-labeled DVR and IP camera electronics boards made by a Chinese company called XiongMai Technologies. These components are sold downstream to vendors who then use them in their own products.

The scary part about IoT products that include XiongMai’s various electronics components, Flashpoint found, was that while users could change the default credentials in the devices’ Web-based administration panel, the password is hardcoded into the device firmware and the tools needed to disable it aren’t present.

In a statement issued on social media Monday, XiongMai (referring to itself as “XM”) said it would be issuing a recall on millions of devices — mainly network cameras.

“Mirai is a huge disaster for the Internet of Things,” the company said in a separate statement emailed to journalists. “XM have to admit that our products also suffered from hacker’s break-in and illegal use.”

At the same time, the Chinese electronics firm said that in September 2015 it issued a firmware fix for vulnerable devices, and that XiongMai hardware shipped after that date should not by default be vulnerable.

“Since then, XM has set the device default Telnet off to avoid the hackers to connect,” the company said. “In other words, this problem is absent at the moment for our devices after Sep 2015, as Hacker cannot use the Telnet to access our devices.”

Regarding the default user name/password that ships with XM, “our devices are asking customers to change the default password when they first time to login,” the electronics maker wrote. “When customer power on the devices, the first step, is change the default password.”

I’m working with some researchers who are testing XM’s claims, and will post an update here if and when that research is available. In the meantime, XM is threatening legal action against media outlets that it says are issuing “false statements” against the company.

Google’s translation of their statement reads, in part: “Organizations or individuals false statements, defame our goodwill behavior … through legal channels to pursue full legal responsibility for all violations of people, to pursue our legal rights are reserved.”

Xiongmail's electrical components that are white-labeled and embedded in countless IoT products sold under different brand names.

Xiongmail’s electrical components that are white-labeled and embedded in countless IoT products sold under different brand names.

The statement by XM’s lawyers doesn’t name KrebsOnSecurity per se, but instead links to a Chinese media story referencing this site under the heading, “untrue reports link.”

Brian Karas, a business analyst with IPVM — a subscription-based news, testing and training site for the video surveillance industry which first reported the news of potential litigation by XM — said that over the past five years China’s market share in the video surveillance industry has surged, due to the efforts of companies like XiongMai and Dahua to expand globally, and from the growth of government-controlled security company Hikvision.

Karas said the recent Mirai botnet attacks have created “extreme concerns about the impact of Chinese video surveillance products.” Nevertheless,  he said, the threats against those the company accuses of issuing false statements are more about saving face.

“We believe Xiongmai has issued this announcement as a PR effort within China, to help counter criticisms they are facing,” Karas wrote. “We do not believe that Xiongmai or the Ministry of Justice is seriously going to sue any Western companies as this is a typical tactic to save face.”

Update,Oct. 25, 8:47 a.m.: Updated the story to reflect an oddity of Google Translate, which translated the statement from XM’s legal department as Justice Ministry. The threats of litigation come from XM, not the Chinese government. Also made clear that the threat was first written about by IPVM.

Tags: , , , , , , , ,

102 comments

  1. Pembrint Fnoove

    The first time I ever heard of the Internet of Things, I thought, “Why?” It just seemed like one of those things that people do because they can, with no regard for the consequences. I expected a poorly executed implementation of a poorly conceived idea. Looks like that’s exactly the way it has turned out.

    That’s not to say that there’s no utility in the concept; but given the mischief it already has caused, the MINIMUM feature enhancement that manufacturers of such devices ought to add is a “kill” switch—something that completely disables Internet connectivity.

    Better yet, web connectivity should be off by default, and the device documentation should contain suitable warnings to the user about enabling it.

    • I’m afraid iOT is here to stay. People love the idea that they can check their phone to see what is in the refrigerator, for their shopping list, before they go home from work. There are a million uses for them in the modern “smart home”. Of course we now wonder just how smart it is!

      • Smart home? hah! Yeah right!

        None of this stuff measures current through the lines of breakers, compressors, or motors. The only things that gives it the label of ‘smart’ are IP addressable thermostats etc. I would like to see these thing capable of measuring current so as to differentiate a failing compressor from a clogged filter. Now THAT would be closer to what ACTUALLY defines ‘smart’.

        • Nothing stopping you from building a discrete component that can measure this sort of thing and attaching it to a microcontroller with TCP/IP..

          • Your right. I guess the only way I can truly have the ‘smart home’ is to build it myself. The only other question I guess is: What do I need all these other products (like Nest) for anyway? It’s all just insecure non-sense that just amounts to toys anyhow. The real thing just isn’t part of the mainstream tech world yet.

            • I stayed in an AirBnB with a Nest thermostat. I admit that the circular dial was a really nice way of adjusting the temperature compared to the up/down buttons and tiny levers that are more common, so they’ve that much going for them.

    • Why, you ask? How can one possibly live these days without an internet connected, Bluetooth enabled nose hair trimmer that tweets to the world every time you groom your snot holes? Gheez, what a bunch of luddites… /s

      Oh, dear… now that I’ve thought about it, I’m off to the patent orifice…

      • Wonderful! Thanks for the laugh.

      • I’m in for a share. Couple it with an app for remote, online ear obstruction and you got an instant hit. Then we ‘ll use them to dominate the world.

      • Will it work while you sleep?

      • Woah,

        I’m thinkin’ it needs a tiny camera on it so that it can beam video, over that Bluetooth connection, to your phone so that you can see exactly what you are trimming inside your ears and nose.

        Yep, that feature will be THE selling point.

        • As long as it seamlessly interfaces with Instagram to allow sharing of all your crowd-pleasing, faux-Lomo, moody nostril shots.

    • Neil Anuskiewicz

      Off by default! It should require effort to enable Internet access. It should not require effort to disable it.

  2. The next question, and one that will never be answered, is was this intentional? Did the Chinese government build in “fixed” back doors so that they would be able to infiltrate the devices themselves at some future date. Call be paranoid but it seems especially odd to me that someone making such sophisticated electronic modules would be so stupid as not put in less than minimal security. Just saying…

    • Re: “Was this intentional?”

      That possibility eliminates the utility of Mr. Fnoove’s closing suggestion.

    • Okay, you’re paranoid, but I was about to post the same thought. I will only observe that it would have made more sense in the Cold War anti-capitalist days. It’s such an inept flaw that it hardly qualifies as a sophisticated backdoor waiting for agents to unleash it at just the right time. The only deliberate intention I can see behind it is to disrupt worldwide commerce, and China has too much of a stake in that right now.

      • Re: “China has too much of a stake in that right now.”

        Gotta love that “right now”…is that the part of your rational mind that isn’t 100% invested in “Making U.S. $$s is and will be the only goal every individual and nation-state in the whole, wide world has forever and ever and ever!” whispering?

      • Every heard the old expression “hiding in plain site”? Again…Just saying…

    • I think the Chinese will be a little more sophisticated than fixed passwords, this was sloppy planning and someone wanting cheap manuals, not having to print unique passwords for each device cuts costs
      When the Chinese use there IoT army it’ll be a more inline with what we see below
      https://krebsonsecurity.com/2016/02/this-is-why-people-fear-the-internet-of-things/

  3. ralph l. seifer

    Brian–As I’ve written on an earlier occasion, experienced lawyers find the most efficient defense to these vague threats is simply to ignore them. It is, as you probably know, blustering and posturing which isn’t worth responding to.

    If a genuine complaint gets dropped on you, then it’s time to make a move, but certainly not at this time.

    This reminds me very much of the present situation with Donald Trump and his accusers, whom he threatens to sue for defamation. But interestingly, this isn’t a move that Donald needs to defer until after the IRS gets finished auditing his taxes.

    If Trump really intends to file against these ladies, he needs to be reminded that the civil courts are open today, from 8 to 5, and will be open every day through Friday. That goes for this week, next week, and on and on…

    A classic example of blowhard posturing and raving. I seriously doubt any of these women are trembling over the empty threat.

    Ralph L. Seifer, Attorney at Law, retired
    Long Beach, California

    • @ralph

      As you know, the last place Trump or any these firms wants to wind up is in court. How many are drooling to depose Trump?

      I used to do quite a bit of work fighting scams on the Internet. We were threatened with lawsuits many times. None happened. Even when we offered to pay the costs of suing us, the scammers declined. Seems like they are allergic to depositions and court rooms.

      On another note, DHS has retreated to buzzwords such as “strategic” while convening conference calls to address security 101 issues.

      dB

    • You’re missing the point and dragging in ugly politics for no good reason…we can read all about that on any other site…almost not worth responding to here.

      But the interesting point here is that by recalling the devices they are admitting there is a problem.

  4. IRS ITUNE cards

    We are still importing so much of these Chinese electronics , why are people still thinking that these security products are one hundred percent trustworthy ?

    Why do we still trust the Chinese?

    • Re: “Why do we still trust the Chinese?”

      It is very, very, very profitable to trust nations with labor costs contained via currency manipulation and iron (or bamboo, as it were) fists.

      You pocket your money and let somebody else worry about the nation’s security; after all, you can always blame the consequences of your unrelenting greed upon the current government.

      • IRS ITUNE cards

        It’s not profitable when China builds products that are used against the US economy in trade deals and also against the individuals and businesses of this country using DDos attacks.

        Build electronic equipment in the United States, then it’s better secured because the quality control stays here verses someone in a communist county making a dollar an hour

    • You forgot, it’s called unfettered capitalism. Other people forgot, you get what you pay for.
      Security, like they said, is to be better, and is since then. But to use in insecure locations? How about secure locations, or your bedroom?

    • I was thinking the same thing.

    • I am always suspicious about the encrypted flash drives that are widely used that have a “Made In China” label. I am probably being paranoid but…

  5. I don’t buy into the intentional angle, I think this is merely technical incompetence.

    congrats Brian on annoying the Chinese Ministry of Justice – that Asian vacation is off the schedule for the time being I guess…

    • Re: “I don’t buy into the intentional angle, I think this is merely technical incompetence.”

      How much source code do you think it takes to program a video camera? It’s not like they’re running Apache and OpenOffice.

      I’d conclude that it is rather difficult to overlook an “extra” user with so few lines of code and such simple directory structures…

      • Maybe the developer wanted telnet access for development. Maybe he forgot to remove it before the product moved up the ladder to production. Or maybe he was not there when someone else kicked the product up the ladder. I have made the mistake myself.

  6. In your story “DDOS Source Code for IoT Botnet ‘Mirai’ Released” I find no reference to “Mirai” using spam to infect the home network.

    Yet, the mainstream media is reporting that as fact.

    Based on your reports it appears most/all of these IoTs are reachable on the internet – based on security scans – without having to compromise home networks with spam.

    Please clarify.

    As for mitigation, couldn’t the government attack these same botnets with Mirai and their own version of malware that eliminates the individual bots ? It would seem the attackers will tire of having to keep re-creating their bot networks if we make it harder.

  7. I think it’s paranoid to say the Chinese government is behind something. I think what they are behind is only allow cheap products with no quality control to be distributed all over the world. They’ve shown absolutely no willingness to correct labor laws in these factories, combat unsafe counterfeit/pirate devices, or require even the most basic of common security in what these companies produce.

    The only time they seem to be willing to exert their control is over free speech and freedom of knowledge, or if the market is going south in their country.

    I wish there were more multi-national companies outside of China that could produce bare metal components. I mean for once, couldn’t the big dogs in the tech industry like IBM, Intel, Apple, Google, and Microsoft come together to fund bare metal factories in the Western world for all of their uses and decent security? You think it would pay off in the longrun having their own downstream manufacturers as well as the ridiculous costs of their own security for horrible devices.

    • Chinese QC. Or lack thereof. A friend gets aluminum wheels made in China. It proved very expensive for him when his customers began calling about their tires going flat. It seems that someone skipped QC to make shipment goals at the manufacturer.

  8. If the FCC would add cyber security inherent product integrity verification to its RF device type acceptance check list IoT devices that are deficient wouldn’t be sold in the USA.

  9. Why is the Chinese Justice Ministry getting involved in what should at best be a civil case?

    I agree, it’s a lot of red faced huffing and puffing.

    If the government were so interested in getting directly involved with protecting the brand, they would issue an apology and a fully funded refund program.

    • re: “Why is the Chinese Justice Ministry getting involved…”?

      Were I to speculate, I would first observe that the concerns and objectives of the PRC’s different entities of government are a lot more…centrally….coordinated than they are in, say, the United States.

      Secondly, our internet sleuths are a bit…faddish. Perhaps the PRC’s “Justice Ministry” perceives a need to quash further nosing about in e-things-PRC sooner rather than later.

    • Yeah, in China the line between private & state owned companies are blurred, the state typically defends private and state companies alike from pretty much all bad press, deserved or not.

      Right now they’re portraying this as poor little China being beaten up by the West for no good reason in order to save face. If the manufacturer came clean and admitted they had sold products with defects and hadn’t thought ahead to allow firmware updates to correct those defects then the company would lose face. At that point company owners could face increased scrutiny, even prosecution, from the state. Needless to say, you don’t want to be prosecuted in China.

      • So… you say that people don’t know what communist countries are? With all the info available at a single click?

        • The comment I replied to would indicate otherwise, since it appeared to think XM was part of the government, when it’s an independent company.

          However this is less a communist country issue and more an eastern asia custom issue, since saving face is very important in the region, regardless of what style of government a particular country chooses.

          In a more well known example, think of the Japanese custom of committing ritual suicide in order to retain their honor after losing face.

          Needless to say, Brian’s update that the statement was issued by XM and not the government should render this discussion less politically charged.

  10. Chinese in common with other east Asian peoples cannot bear to lose face.

  11. How can a consumer find out whether their IP address is being used as part of these attacks or in other words their computer and/or vulnerable devices are infected? apologies in advance if this is such a basic question.

  12. There’s no evil Chinese conspiracy at work here – just the race to the bottom accidentally caused some issues, we’re only noticing now.
    How to fix it?
    Well all I can think of is that it’s down to the ISPs. In the same way you used to get a kicking for having an open mail relay, you need to be ‘restricted’ for having crappy gadgets.
    Now the kicking could be pretty constructive:
    1) Please change the default admin login for device X
    2) Please upgrade firmware for device X from here and change the login etc.

    FFS telling a user people can look out of their webcam, I’d have thought in most cases would illicit mutually beneficial compliance.
    Problem arises how you deal with the ‘stick’ – yep ISPs are going to have to restrict people. ISPs that don’t join in are going to have to be partially blocked etc.

    • “There’s no evil Chinese conspiracy at work here ”

      Of course, Chinese people are always looking after Western Countries. They are loyal, well intended and always wanted to make other countries’ population feel kings.

  13. A suggestion….

    I for one have a NUMBER of Dahua cams. All from 2016.

    Checking serial numbers is a joke. I can USE Telnet – both on my PRIVATE and PUBLIC side of the net.

    What we NEED is a basic set of instructions for “crack your own Cam”. I’ve searched…. and found little.

    Look, it’s already been DONE – hence, the problems. Tell us how to duplicate an attack. Then, we can TEST whatever we have – and do what we can to mitigate. I, for one, would love some “bang my net” code…. goal? SCREAM when there is an entry point.

    • If you can telnet into it and get a shell prompt, it is vulnerable.
      How about a tool that can check an IP range?

      We’ll design one if there is a demand for it.

      • @dex you will design what? Nmap?

        • I don’t recall NMAP having the possibility to try to login via telnet (or SSH) using a list of credentials / no credentials and issuing basic commands (like the ones used by Mirai).

          • @dex, better look up “telnet-brute” and nmap in the same google search. There, I’ve designed half your proposal.

            • So you sat that the average user should install nmap + other tools + probably a native Linux just to test his devices?

              And do it every time he needs a scan + fingerprinting + some brute force?

              Interesting…

          • I think there is something in the Kali Linux disk that does this. However, that means that it is out of the abilities of novice to average users…imo of course.

    • Check out Shodan (shodan.io). It’s a site that will search for public facing devices based on your public IP address.

      • Shodan is good for static IPs and for the case that an infected device is not going to try to infect other devices on the local network.

        But how about Dynamic IPs? And other devices on the network that might be vulnerable, but don’t have an Internet-facing port?

  14. They admit it’s their fault by issuing a recall but accuse everyone of “false reports.” How cute. Yea, sorry, but if you recall something you know is bad, that’s an admission of guilt, and you can’t immediately turn around and call everyone else a liar about the situation. But I guess what the article said is true; they want to save face with the Chinese people.

  15. You can know the quality of a reporter by their enemies. You are collecting quite a set.

  16. We, the internet, ought to sue them for making this possible and easy. You must repay every business that was affected by the downtime.

  17. Wow. I guess all the media attention is affecting the quality of comments even on KoS !

    Imagine. Governments (particularly nasty evil governments – ie – not OUR governments) putting nasty back doors into software or leveraging their access to the source code to exploit.

    Would never happen with Juniper or Cisco…

    Oh right. Of course it actually already did happen !

    Fortunately I think it this case it’s unlikely to be part of China’s plan for world domination – and as a couple of commentators have suggested – a race to the bottom in terms of cost and quality !

  18. History will repeat itself with or without the iot because of greed, fear, and laziness. Pray for all kids futures, automation is coming. Here a thought, instead of building ai that could produce zero day, nexgen, undetectable hacks, why not stop the madness that they call technological progress and try to be humble and thankful for what we currently have?

  19. From the book Future Crimes, by Marc Goodman, on the future of IOT:

    (the new) IPv6, on the other hand, can handle 340,282,366,920,938,463,463,374,607,431,768,211,456 connections. The implications of a number this large are mind-boggling. There are only 1019 grains of sand on all the beaches of the world. That means IPv6 would allow each grain of sand to have a trillion IP addresses…..Though in 2013 there were only thirteen billion online devices, Cisco Systems has estimated that by 2020 there will be fifty billion things connected to the Internet, with much more room for exponential growth thereafter.

    • IPV6 has a large enough address space that, at 20% utilization, one can assign a unique address to every square angstrom on the surface of the earth.

  20. Fascinating, far right wing Wall Street corporate criminality is a world-wide problem, not just a problem we suffer from in the United States. Who do these filthy Republicans in China think they are? Scientology?

  21. The system behind those lawsuit threats has the name SLAPP:
    https://en.wikipedia.org/wiki/Strategic_lawsuit_against_public_participation

    Hopefully Brian lives in a state where it is already forbidden.

  22. Look the best Serving as the CEO of Big Data Developer, LLC, Luke Lonergan has demonstrated a profound commitment to fulfilling his responsibilities.
    Luke Lonergan

  23. david in toronto

    The cartoonist J. Klossner has done several cartoons on IoT and security going back several years …

    Salesman asking about firewalls with toasters
    A family having to eat out as the appliances aren’t talking

  24. ” In the meantime, the Chinese Ministry of Justice is threatening legal action against media outlets that it says are issuing “false statements” against the company. ”

    They are ticked off, because an attack avenue by the Chinese has been brought to light. The company can say they are “recalling” this junk, but in the end, how many are going to send stuff back?

    In the end, they shut off telnet temporarily and change the backdoor user/pass to something else.

    They get the rep they deserve. For decades they produce inferior gear, and if THEY want to use that crap, let them. If it comes from that country in any way, shape or form, its always been highly questionable.

    • To be fair, the company deserves bad rep, not the country (China). We are talking about hard-coded default credentials here. There are certainly many large US and European companies that have made the same mistake in the past.

      And I say mistake, because a hard-coded password in connected equipment will always be detected. Especially in consumer products that sell millions of devices. It’s not a good backdoor.

      • The country needs stricter controls on all IoT devices. problems exist FAR more than this incident. Look at TV’s Vacuum cleaners and general household items. It’s fair game to point a finger at a country that continues to ignore security issues, but holds a hand out for cash for inferior products across the board.

  25. Hello Brian,
    is there a list of all affected IoT devices?
    brands? model numbers? mac-adress ranges?
    or something else to identify potentially dangerous devices?
    thank you from Europe
    Johannes

  26. So, newb question. If you have a normal Linksys, Netgear router that has had its problem in the past with security. So if you leave the default user & pass on the router config & you have it set to not respond to icmp, telnet. Can it still be hit from the outside?

    • Depends. Why would you leave it on default name/pass? Write on it with a sharpie the new name/pass if you think you might forget.

      Anyway, if there’s an exploit it might still be vulnerable.
      Or what about SSH encrypted telnet session? That’s a different service/port. Or a lot of routers have TFTP for firmware updates, is that disabled? Most of these items should only be accessible from internal network.

      Best to just change the pass

  27. You overlooked, it’s called liberated private enterprise. Other individuals overlooked, you get what you pay for.

    Security, similar to they said, is to be better, and is from that point forward. Yet, to use in uncertain areas? What about secure areas, or your room?

  28. Since the product is provably made in china there were possible of vulnerabilities of backdoor attack.

  29. Well, here are the stats of the DVRs in the article on the internet…

    Dahua = 197,617 devices connected with that manufacture’s name
    Hikvision = 236,673 not sure all these are DVRs
    XC3511 = 1,395 Not all have port 80 open and I am not trying to login, since that is getting on the legality side of things. Telnet should work for logging in as well.

    To reset password use telnet access with login “root” and password “xc3511”. Then go to “/mnt/mtd/Config/” (cd /mnt/mtd/Config/) directory and delete all files “Account” (use “rm -f Account*” command). After reboot DVR will accept empty password for admin.

  30. Why are you censoring me. This is the second time?

    • Censoring? I see two comments from you, and nothing from you pending. I don’t censor comments, except from people who claim I am censoring them. In any case, you don’t have a right to post here. So please, either be courteous or go away if you think I’m censoring you. I’ve no patience for comments like that.