Chinese Firm Recalls Botnet-Compromised IoT Devices

Meanwhile, the Chinese Ministry of Justice is threatening legal action against news outlets it says are publishing libelous statements about XiongMai Technology.

Written By
Sue Walsh
Oct 25, 2016

Hangzhou XiongMai Technology, based in China, announced it is launching a recall of IoT devices that were compromised by Mirai malware and used to launch a massive botnet attack that took down popular websites such as the New York Times and PayPal.

“Mirai is a huge disaster for the Internet of Things,” the company said in a statement emailed to journalists. “XM have to admit that our products also suffered from hacker’s break-in and illegal use.”

Security blogger Brian Krebs reported that researchers at Flashpoint discovered that one of the default passwords that Mirai-infected machines are programmed to seek out is embedded in most of XiongMai’s white-label DVR and IP camera boards. The boards are sold to vendors who use them in their branded products. While users can change the default credentials, the password is hardcoded into the firmware and there is no way to disable it.

Flashpoint noted that “altogether, over five-hundred thousand devices on public IPs around the world appear susceptible to this vulnerability.” While some compromised devices were from Dahua, which also makes IP cameras and DVRs, a very large percentage of the IPs were associated with XiongMai Technologies-based products.

“Default credentials pose little threat when a device is not accessible from the Internet. However, when combined with other defaults, such as web interfaces or remote login services like Telnet or SSH, default credentials may pose a great risk to a device. In this case, the default credentials can be used to ‘Telnet’ to the device,” Flashpoint wrote.

XiongMai Technology partially pointed fingers at users, claiming it issued patches for the security flaws in 2015 and turned off default Telnet access. The company said that users are responsible for keeping their devices updated and passwords changed, but said it will issue a recall of millions of IP cameras and other devices that simply cannot be fixed due to the hardcoding issue above.

Meanwhile, the Chinese Ministry of Justice is coming to XiongMai’s defense, issuing a strongly worded statement claiming many news outlets were publishing false information about the company.

According to Google Translate, the statement reads in part: “Organizations or individuals false statements, defame our goodwill behavior … through legal channels to pursue full legal responsibility for all violations of people, to pursue our legal rights are reserved.”

Experts don’t believe that the company or the Chinese government will actually follow through on the threats, and say it’s just a PR move to try to save face.

Sue Walsh is News Writer for RTInsights, and a freelance writer and social media manager living in New York City. Her specialties include tech, security and e-commerce. You can follow her on Twitter at @girlfridaygeek.