Chinese electronics firm Hangzhou XiongMai (XM) says it will recall some of its IoT devices, including webcams, after claims that they were widely exploited by the malicious hackers who launched a massive denial-of-service attack on Friday, October 21st.
The distributed denial-of-service (DDoS) attack targeted the DNS provider Dyn, which confirmed this weekend in a statement that it had been hit by a "sophisticated attack", one that included tens of millions of attacks from IP addresses associated with Mirai, a botnet made up of hijacked IoT devices.
As a consequence, many web users found that they were unable to reach a wide array of popular online services, including Twitter, Pinterest, Reddit, GitHub, Etsy, Tumblr, Spotify, PayPal, Verizon, Comcast, and the PlayStation Network.
To be clear, the attack didn't come entirely out of the blue.
At the end of September, the full force of the Mirai botnet was directed at the website of security blogger Brian Krebs, throwing him offline for a day or two until he regrouped under the protective umbrella of Google Project Shield.
What disrupted Krebs's security blog, and impacted companies relying upon Dyn's DNS services, was the Mirai botnet, built on the shoulders of tens of thousands - if not millions - of hackable IoT devices left poorly protected by default passwords, which made it relatively trivial for attackers to hijack them for their own purposes.
As Reuters reports, Hangzhou XiongMai has said it will recall some of the products it has sold in the United States, strengthen passwords and send out a patch for some devices.
At first glance that sounds like a reasonably speedy reaction by the electronics firm, but it's worth bearing in mind that its vulnerable components are used by third-party manufacturers in a wide range of white-labeled IoT goods.
All of these devices are believed to use the same default username/password combination, root:xc3511.
Even if Hangzhou XiongMai issues a recall, there must be concerns that the number of devices actually returned for a fix could be shockingly small, meaning that the problem will not go away anytime soon.
As an aside, Brian Krebs reports that XiongMai and the Chinese Ministry of Justice are considering taking legal action against what they describe as "false statements" that could damage the firm's reputation.
Whether the threat of legal action is serious or not remains to be seen.
In the wake of the Mirai attack on KrebsOnSecurity, no less an authority than the Department of Homeland Security issued a warning to users and administrators about the steps that they should take to ensure that their IoT devices are not open to easy exploitation.
The DHS's advice is just as sensible today, in the wake of the Dyn DDoS attack, as it was when Krebs was the one being targeted:
- Ensure all default passwords are changed to strong passwords. Default usernames and passwords for most devices can easily be found on the Internet, making devices with default passwords extremely vulnerable.
- Update IoT devices with security patches as soon as patches become available.
- Disable Universal Plug and Play (UPnP) on routers unless absolutely necessary.
- Purchase IoT devices from companies with a reputation for providing secure devices.
- Consumers should be aware of the capabilities of the devices and appliances installed in their homes and businesses. If a device comes with a default password or an open Wi-Fi connection, consumers should change the password and only allow it to operate on a home network with a secured Wi-Fi router.
- Understand the capabilities of any medical devices intended for at-home use. If the device transmits data or can be operated remotely, it has the potential to be infected.
- Monitor Internet Protocol (IP) port 2323/TCP and port 23/TCP for attempts to gain unauthorized control over IoT devices using the network terminal (Telnet) protocol.
- Look for suspicious traffic on port 48101. Infected devices often attempt to spread malware by using port 48101 to send results to the threat actor.
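The last two items on the DHS list are the ones an administrator can turn into an automated check. The following is an added example, not code from the article or from DHS: it runs a small classifier over a constructed flow log and flags Telnet attempts on 23/2323 TCP and traffic to port 48101. It goes slightly beyond the list as written by also treating outbound Telnet from a local device as a finding, since a device that is already part of the botnet scans outward on those same ports. The log line format, the local network range 192.168.1.0/24 and the sample addresses are all assumptions made for the example.

```python
"""Detection check for the DHS monitoring advice: Telnet attempts on
23/2323 TCP and traffic to port 48101.  Added example, not code from
the article or from DHS; the log format and the sample lines are
constructed for this example."""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Ports named in the DHS advisory quoted in the article.
TELNET_PORTS = {23, 2323}   # Telnet, plus the common alternative Telnet port
REPORT_PORT = 48101         # infected devices send scan results here

# Assumed (constructed) flow-log format:
#   <timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <TCP|UDP> <action>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>TCP|UDP) (?P<action>\w+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    dst: str
    dport: int
    reason: str


def parse_line(line):
    """Return a dict for a well-formed flow line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def classify(rec, local_net):
    """Map one flow record to a finding reason, or None if it is uninteresting.

    local_net is the address range of the devices being protected.  Direction
    matters: an inbound Telnet attempt means someone is trying to take a device
    over, while outbound Telnet or 48101 traffic from a local device means it
    may already be part of the botnet.
    """
    src_local = ipaddress.ip_address(rec["src"]) in local_net
    dst_local = ipaddress.ip_address(rec["dst"]) in local_net
    port = rec["dport"]
    if rec["proto"] == "TCP" and port in TELNET_PORTS:
        if dst_local and not src_local:
            return "telnet-inbound"    # takeover attempt against a local device
        if src_local and not dst_local:
            return "telnet-outbound"   # local device scanning the internet
    if port == REPORT_PORT and src_local and not dst_local:
        return "report-outbound"       # local device reporting to the operator
    return None


def scan(lines, local_cidr="192.168.1.0/24"):
    """Run the classifier over log lines; malformed lines are skipped."""
    local_net = ipaddress.ip_network(local_cidr)
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reason = classify(rec, local_net)
        if reason:
            findings.append(Finding(rec["ts"], rec["src"], rec["dst"], rec["dport"], reason))
    return findings


def summarize(findings):
    """Count findings by reason."""
    return Counter(f.reason for f in findings)


def suspect_local_hosts(findings):
    """Local devices that generated outbound findings, i.e. probably infected."""
    return {f.src for f in findings if f.reason.endswith("-outbound")}


# Constructed sample log; outside hosts use RFC 5737 documentation addresses.
SAMPLE_LOG = [
    "2016-10-21T11:02:13Z 203.0.113.45:51234 -> 192.168.1.20:23 TCP ACCEPT",
    "2016-10-21T11:02:14Z 203.0.113.45:51235 -> 192.168.1.20:2323 TCP ACCEPT",
    "2016-10-21T11:05:09Z 192.168.1.20:41000 -> 198.51.100.7:48101 TCP ACCEPT",
    "2016-10-21T11:05:10Z 192.168.1.31:41001 -> 198.51.100.7:443 TCP ACCEPT",
    "2016-10-21T11:06:00Z 192.168.1.20:41002 -> 203.0.113.77:23 TCP ACCEPT",
    "2016-10-21T11:06:01Z 192.168.1.20:41003 -> 203.0.113.78:23 UDP ACCEPT",
    "this line is not a flow record",
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for f in found:
        print(f"{f.ts} {f.reason:16} {f.src} -> {f.dst}:{f.dport}")
    print(dict(summarize(found)))
    print("suspect local hosts:", sorted(suspect_local_hosts(found)))
```

On the sample log this reports two inbound Telnet attempts against 192.168.1.20, one outbound Telnet probe and one report to port 48101 from the same host, so 192.168.1.20 is the device to pull off the network and reset. The UDP line on port 23 is ignored because the advisory names TCP, and the malformed line is skipped rather than aborting the run.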
And, of course, it's worth remembering that it's not just internet-enabled webcams, DVRs and baby monitors that are being exploited by online criminals.
Research published by ESET last week revealed that 15% of all home routers use weak passwords, and 20% have open Telnet ports.
As long as insecure devices continue to be attached to the internet, there will be opportunities for malicious hackers to exploit them and use them for their own ends. The IoT botnet attacks we have seen in recent weeks may only be the tip of the iceberg.
For more commentary on the DDoS attack and its impact, be sure to read Stephen Cobb's analysis of 10 things to know about the October 21 IoT DDoS attacks.