China Electronics Firm To Recall Some US Products After Hacking Attack (reuters.com)
An anonymous reader writes: Chinese firm Hangzhou Xiongmai said it will recall some of its products sold in the United States after it was identified by security researchers as having made parts for devices that were targeted in a major hacking attack on Friday. Hackers unleashed a complex attack on the Internet through common devices like webcams and digital recorders, and cut access to some of the world's best known websites in a stunning breach of global internet stability. The electronics components firm, which makes parts for surveillance cameras, said in a statement on its official microblog that it would recall some of its earlier products sold in the United States, strengthen password functions and send users a patch for products made before April last year. It said the biggest issue was users not changing default passwords, adding that, overall, its products were well protected from cyber security breaches. It said reports that its products made up the bulk of those targeted in the attack were false. "Security issues are a problem facing all mankind. Since industry giants have experienced them, Xiongmai is not afraid to experience them once, too," the company statement said.
Wow (Score:5, Insightful)
How often does any company do a recall for security issues? They seem to be taking the issue at least somewhat seriously.
Looks like they made the classic mistake of assuming users would be sane enough to change the default password.
Re: (Score:1)
If they were really taking things seriously, they would have recalled or patched these products a long time ago when the security problems were first identified. Their statement just reads as PR spin.
Re: (Score:1)
... a statement that is true of every single device currently attached to the internet. There is no general purpose computing device that cannot be subverted in some manner.
Everyone has 20/20 hindsight. The point is, this company is acting better than many other companies have when their products experience some security breach. At least Xiongmai is standing up and trying to do the right thing.
Re: (Score:2)
Your claim about hindsight with respect to default passwords might be true if this was still 1998. Having your devices using a default password that can be found by simple web searches in this day and age is simply gross negligence. And secondly, one of the flaws being attacked in their products is a bug in OpenSSH that is around 12 years old now. They get no kudos for only now fixing long-ago discovered flaws in the software they ship.
Re: (Score:2)
They get no kudos for only now fixing long-ago discovered flaws in the software they ship
I agree that patching a twelve-year-old bug now is not laudable, but in comparison to other manufacturers this is an example of what should be done and is something to be acknowledged as a step in the right direction.
Re: (Score:1)
Nah, sorry, fuck those other manufacturers and fuck this one. A step in the right direction is them getting litigated into oblivion.
Re: (Score:1)
If they were really taking things seriously, they would have recalled or patched these products a long time ago when the security problems were first identified.
They released a firmware update more than a year ago to fix the default credentials problem. Any devices manufactured after September 2015 require the user to set a password, instead of coming pre-configured with a default. The firmware update also addresses this, but good luck getting consumers to install a firmware update.
Re: (Score:2)
A random default password, printed on the device itself, would fix 90% of these vulnerable products.
Re:Wow (Score:4)
How often does any company do a recall for security issues? They seem to be taking the issue at least somewhat seriously.
Looks like they made the classic mistake of assuming users would be sane enough to change the default password.
More like making the classic mistake that consumers are IT professionals. Complaining that users aren't changing the default password is the security version of "you're holding it wrong." If changing the password is important, then it should be a required part of the setup process.
Re:Wow (Score:5, Insightful)
You misunderstand. You often can't change the password on the telnet / ssh ports. Per Krebs [krebsonsecurity.com]:
Re: (Score:2)
Every time you see a company issue a CVE. That is a software product recall. They are done thousands of times a year worldwide.
Asking too much (Score:3)
Obviously the laziness of users around the world who don't change default passwords is a different problem, but shipping stuff configured and documented in a way that makes not securing it the default mode in the hands of users is just
Re: (Score:1)
They could use the device serial number as the default password. At least they would be semi-unique that way.
Re: Asking too much (Score:1)
The gov won't enforce security. In fact they want less. Just see what the FBI demanded of Apple.
Re: (Score:3)
One approach that would allow them to avoid that is to disable the primary function and not accept a gateway address until the user changes the password.
Re:Asking too much (Score:4, Informative)
https://krebsonsecurity.com/20... [krebsonsecurity.com]
These vulnerable IoT devices are here to stay (Score:2)
Re:These vulnerable IoT devices are here to stay (Score:5, Insightful)
No we don't. We don't need any reasons for those greedy incompetent asshats to filter our traffic. Instead, manufacturers should be held liable for insecure products, forcing their hand to secure the devices they ship, and to also provide updates. A minimum two year requirement before they can end of life the device, at which point they should have to provide source code for the community to assume updates on or continue to support the device themselves.
The value of the code is then weighed by the cost of continuing support, and they can decide what's the best option for themselves.
Re: (Score:2)
A minimum two year requirement before they can end of life the device,
So what happens after 2 years? Do you expect to also mandate automatic patching? If yes, this also means that you have to have signed updates. Currently, all of this is done with RSA, but what about post-quantum?
at which point they should have to provide source code for the community to assume updates on or continue to support the device themselves.
No vendor would ever agree to this.
Re:These vulnerable IoT devices are here to stay (Score:4, Insightful)
The problem is how do you get users to apply updates?
You could have an update server, but then it too is vulnerable and you would have to force manufacturers to hand over control to... someone when they end support and open source the firmware.
Relying on users to manually seek out and install updates is obviously never going to work, if they can't even change the default password.
Re: (Score:2)
You'll never find a perfect solution. But that doesn't mean you don't implement at least the most modest of controls. If the manufacturer is held liable for security, then devices won't ship with default passwords and goatse sized vulnerabilities.
After two years of updates, the majority of vulnerabilities that do ship will mostly be identified and patched (or should be at least). After that, a general herd immunity will develop. The devices left insecure after two years will have so much variety between t
Re: (Score:2)
A secure kernel, running a well written web interface
You may be wishing for a bit much with these little trash devices. You are correct in that the only way to get things to improve would be to hold manufacturers responsible for the security of their devices by law, but until then we can expect more things like this [wordpress.com].
Re: (Score:2)
Nice.... So someone with a cell phone sniffs the network, hacks the device, and then uses it to load malware onto the card's photo partition, which then will likely get run on the next computer the owner plugs the card into.
Not to mention the card itself is a WiFi seeking botnet drone.
I really don't see why they can't get sued for negligence. Car manufacturers do, and so does EVERYONE else. Perhaps Dyn should take the largest manufacturers of the infected devices to court for just that. Sue for damages due
Re: (Score:1)
You're impressed that they've done the bare minimum after having had insecure products on the market for years? You must be easily impressed.
Re: (Score:2)
Their products were shown to have a problem and they're volunteering to take positive action regarding same. Would you like a pony with that, too?
Re: (Score:1)
Oh how generous of them! We should all bow down at their graciousness to *gasp* fix their shitty products!
Re: (Score:2)
What's with the mocking attitude? There *are* places in between "throw kisses at their presence" and "throw presents at their kisser", you know. Maybe by the time you're old enough to buy your own beer, you'll have figured that out.
Worm all the IoThings! (Score:2)
Only one solution comes to my mind for this to not happen again: create a simple worm that infects and disables ("disables" as in "kill") all the unprotected devices.
Yes, I would be pissed off if my devices suddenly died, but if it has been that easy to infect all those appliances, the manufacturer should be the one responsible for repairing them.
Next time they'll implement at least basic security.
Kudos to Hangzhou Xiongmai ... (Score:2)
Given the disastrous ramifications of not changing the default passwords, IoT devices should be little more than bricks until the default password is changed to something better.
Re: (Score:2)
See why hardware manufacturers might not want to do this?
Do what? I am not sure what you are referring to.
"some US products".... (Score:2)
Hmmm...I wonder how many, and what the recall process will be for the customer.
I suspect "not many" and "horrible" respectively...
And in other news... (Score:2)
...Six software engineers were quietly executed at Phuc Tup Prison for making government-ordered back door access to the devices so blatantly obvious even barbaric Western script kiddies were on them faster than a priest on a one-legged choir boy.