Firm Responsible For Mirai-Infected Webcams Hires Software Firm To Make Its Products More Secure (securityledger.com)
chicksdaddy writes from a report via The Security Ledger: After seeding the globe with hackable DVRs and webcams, Zhejiang Dahua Technology Co., Ltd. of Hangzhou, China will be working with the U.S. firm Synopsys to "enhance the security of its Internet of Things (IoT) devices and solutions." Dahua, based in Hangzhou, China, said it will work with Mountain View-based Synopsys to "enhance the security of its Internet of Things (IoT) devices and solutions." In a joint statement, the companies said Dahua will be adopting secure "software development life cycle (SDLC) and supply chain" practices using Synopsys technologies in an effort to reduce the number of "vulnerabilities that can jeopardize our products," according to a statement attributed to Fu Liquan, Dahua's Chairman, The Security Ledger reports. Dahua's cameras and digital video recorders (DVRs) figured prominently in the Mirai botnet, which launched massive denial of service attacks against websites in Europe and the U.S., including the French web hosting firm OVH, security news site Krebsonsecurity.com and the New Hampshire-based managed DNS provider Dyn. Cybercriminals behind the botnet apparently exploited an overflow vulnerability in the web interface for cameras and DVRs to gain access to the underlying Linux operating system and install the Mirai software, according to research by the firm Level3. In March, Dahua was called out for another, serious vulnerability in eleven models of video recorders and IP cameras. Namely: a back door account that gave remote attackers full control of vulnerable devices without the need to authenticate to the device. The flaw was first disclosed on the Full Disclosure mailing list and described as "like a damn Hollywood hack, click on one button and you are in."
click on one button and you are in (Score:3)
I thought that's how all hacks work. You mean the movies are wrong?
Re: (Score:2)
Synopsys will instantiate the button module twice, so if you press the wrong one the bomb blows up.
good to hear (Score:3)
Re: (Score:3)
Oh, they're trying to do the right thing [google.com], all right...
Re: (Score:2)
they seem to be at least trying to do the right thing. Let's hope they get a good reputation for security and profit from it.
"...vulnerabilities that can jeopardize our products..."
I don't know. It could just be a language/translation thing, but to me the important issue is "vulnerabilities that can jeopardize our customers". I can't tell for sure if they get the issue from a philosophical standpoint or only a market-share and revenue one.
Related: (Score:3)
https://news.synopsys.com/2016... [synopsys.com]
Synopsys bought a company that specializes in this kind of work a few months ago.
Three years ago, also this:
http://www.bizjournals.com/san... [bizjournals.com]
Dahua should burn (Score:1)
Dahua is a really crappy company, and they should just burn. I had the misfortune of getting one of their cameras a few years ago and was flabbergasted at just how piss-poor their development practices are. I knew my device was vulnerable and spent many hours scouring the web for firmware updates to the product. It's not a matter of user incompetence / lazy updating. Dahua just doesn't push updates at all. There are more threads on various av forums with dated information about 3rd party firmware hacks
Trust (Score:1)
It's all about Trust. Trust in the manufacturer, trust in the firmware, trust in the company doing the security assessment.
However you cannot trust any manufacturer and experience shows every manufacturer will tell everyone their product is secure by the use of obfuscation and downright lies. How many Chinese firms stamp official certification marks onto devices and package as a matter of de-facto?
How many times do you hear from a big corporation the "ONLY A FEW CUSTOMERS WERE AFFECTED" when in reality it
How to enhance the security of IoT devices (Score:1)
Re: (Score:2)
Re: (Score:1)
I do, but was too lazy to look up the correct term and was relying instead on some genius like yourself to correct me over the Internet.
Re: How to enhance the security of IoT devices (Score:2)