Slashdot Mirror


China Electronics Firm To Recall Some US Products After Hacking Attack (reuters.com)

An anonymous reader writes: Chinese firm Hangzhou Xiongmai said it will recall some of its products sold in the United States after it was identified by security researchers as having made parts for devices that were targeted in a major hacking attack on Friday. Hackers unleashed a complex attack on the Internet through common devices like webcams and digital recorders, and cut access to some of the world's best known websites in a stunning breach of global internet stability. The electronics components firm, which makes parts for surveillance cameras, said in a statement on its official microblog that it would recall some of its earlier products sold in the United States, strengthen password functions and send users a patch for products made before April last year. It said the biggest issue was users not changing default passwords, adding that, overall, its products were well protected from cyber security breaches. It said reports that its products made up the bulk of those targeted in the attack were false. "Security issues are a problem facing all mankind. Since industry giants have experienced them, Xiongmai is not afraid to experience them once, too," the company statement said.

68 comments

  1. Wow by AmiMoJo · · Score: 5, Insightful

    How often does any company do a recall for security issues? They seem to be taking the issue at least somewhat seriously.

    Looks like they made the classic mistake of assuming users would be sane enough to change the default password.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    1. Re:Wow by Desler · · Score: 1

      If they were really taking things seriously, it would've recalled or patched these products a long time ago when the security problems were first identified. Their statement just reads as PR spin.

    2. Re:Wow by Anonymous Coward · · Score: 1

      ... a statement that is true of every single device currently attached to the internet. There is no general purpose computing device that cannot be subverted in some manner.

      Everyone has 20/20 hindsight. The point is, this company is acting better than many other companies have when their products experience some security breach. At least Xiongmai is standing up and trying to do the right thing.

    3. Re:Wow by jratcliffe · · Score: 3

      How often does any company do a recall for security issues? They seem to be taking the issue at least somewhat seriously.

      Looks like they made the classic mistake of assuming users would be sane enough to change the default password.

      More like making the classic mistake that consumers are IT professionals. Complaining that users aren't changing the default password is the security version of "you're holding it wrong." If changing the password is important, then it should be a required part of the setup process.

    4. Re:Wow by Desler · · Score: 2

      Your claim about hindsight with respect to default passwords might be true if this was still 1998. Having your devices using a default password that can be found by simple web searches in this day and age is simply gross negligence. And secondly, one of the flaws being attacked in their products is a bug in OpenSSH that is around 12-years-old now. They get no kudos for only now fixing long-ago discovered flaws in the software they ship.

    5. Re:Wow by avgjoe62 · · Score: 1

      They get no kudos for only now fixing long-ago discovered flaws in the software they ship

      I agree that patching a twelve year old bug now is not laudable, but in comparison to other manufacturers this is an example of what should be done and is something to be acknowledged as a step in the right direction.

      --

      How come Slashdot never gets Slashdotted?

    6. Re: Wow by Anonymous Coward · · Score: 0

      No, there should be no default password.
      The device password should be random and printed on a sticker attached to the device.

    7. Re:Wow by The Raven · · Score: 4, Insightful

      You misunderstand. You often can't change the password on the telnet / ssh ports. Per Krebs:

      BUT WAIT, THERE’S MORE

      Several readers have pointed out that while advising IoT users to change the password via the device’s Web interface is a nice security precaution, it may or may not address the fundamental threat. That’s because Mirai spreads via communications services called “telnet” and “SSH,” which are command-line, text-based interfaces [...]

      The trouble is, even if one changes the password on the device’s Web interface, the same default credentials may still allow remote users to log in to the device using telnet and/or SSH.

      --
      "I will trust Google to 'do no evil' until the founders no longer run it." Hello Alphabet.
    8. Re:Wow by Megane · · Score: 2

      If the password is so important to the security of the device, then they should do it like the makers of DSL modems do (at least the ones used by AT&T), and print a random default password on the device itself. (along with a bar code to load it during factory testing)

      --
      #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
    9. Re:Wow by Anonymous Coward · · Score: 1

      Nah, sorry, fuck those other manufacturers and fuck this one. A step in the right direction is them getting litigated into oblivion.

    10. Re:Wow by ShaunC · · Score: 1

      If they were really taking things seriously, it would've recalled or patched these products a long time ago when the security problems were first identified.

      They released a firmware update more than a year ago to fix the default credentials problem. Any devices manufactured after September 2015 require the user to set a password, instead of coming pre-configured with a default. The firmware update also addresses this, but good luck getting consumers to install a firmware update.

      --
      Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
    11. Re:Wow by marka63 · · Score: 1

      Every time you see a company issue a CVE. That is a software product recall. They are done thousands of times a year worldwide.

    12. Re:Wow by Anonymous Coward · · Score: 0

      hahaha you're so funny. Like that will ever happen.

  2. Yeah good luck with that by Anonymous Coward · · Score: 0

    That particular board or whatever is probably in stuff they don't even know about (endless re-branding and all that).

  3. Asking too much` by ScentCone · · Score: 2

    This reminds me of Chinese Foreign Minister Wang Yi's 2015 comment (in the wake of an obvious wave of government- and business-oriented hacking out of a well known government facility in China) that they couldn't possibly be responsible for such things, since as just a developing nation, they didn't have the sophistication.

    Obviously the laziness of users around the world who don't change default passwords is a different problem, but shipping stuff configured and documented in a way that makes not securing it the default mode in the hands of users is just ... laziness.

    --
    Don't disappoint your bird dog. Go to the range.
    1. Re:Asking too much` by fustakrakich · · Score: 1

      They could use the device serial number as the default password. At least they would be semi-unique that way.

      --
      “He’s not deformed, he’s just drunk!”
    2. Re:Asking too much` by Fire_Wraith · · Score: 3, Informative

      Sadly, this sort of thing has nothing to do with being a developing nation. It's horrifyingly commonplace, in fact. Brian Krebs posted a list a few weeks ago including some of the products that were vulnerable to the Mirai botnet exploits, and while it includes several Chinese firms' products, it also includes ones by Samsung, Xerox, Panasonic, Toshiba, etc.
      https://krebsonsecurity.com/20...

    3. Re:Asking too much` by ScentCone · · Score: 2

      The point isn't that they're a developing nation. They're not. It's that they spin things with that sort of description whenever they have to explain away things like selling poisoned baby food or grain shipments full of melamine. Pretending they don't have the technical chops to perform sophisticated industrial espionage, because, you know, they're just a simple farming community ... such nonsense.

      --
      Don't disappoint your bird dog. Go to the range.
    4. Re:Asking too much` by Anonymous Coward · · Score: 0

      That's my first thought too (or something like that). But my second thought is that the extra step of programming each device with unique data in its CMOS/Flash/Whatever writable memory costs money. Even if it's 2 or 3 cents per unit, that's probably too much money for a hardware manufacturer to stomach. Whether we like it or not, hardware manufacturers from an unknown Chinese factory, all the way up to General Motors, count costs in PENNIES, and are looking to drive out every penny of cost they can. I think the only way to make them swallow security as a 'cost of doing business', is through regulatory action. Customers aren't going to ask for more security. In fact, they are going to ask for less, because they want their IoT products to be plug-and-play and JUST WORK.

    5. Re:Asking too much` by Anonymous Coward · · Score: 0

      Unique, but predictable - preferable to have a password that can't be predicted.

    6. Re:Asking too much` by Anonymous Coward · · Score: 0

      They're not a developing nation, they're just claiming to be one while simultaneously attempting to assert themselves as a global superpower.

    7. Re: Asking too much` by Anonymous Coward · · Score: 1

      The gov won't enforce security. In fact they want less. Just see what the FBI demanded of Apple.

    8. Re:Asking too much` by sjames · · Score: 2

      One approach that would allow them to avoid that is to disable the primary function and not accept a gateway address until the user changes the password.

    9. Re:Asking too much` by Anonymous Coward · · Score: 0

      You clearly know nothing about China.

  4. A complex attack? by Anonymous Coward · · Score: 0

    Really? So you're less sophisticated than a script kiddie? Maybe tech-journalism isn't for you; tabloids are better suited for sensationalist bullshit.

  5. Thats why... by 110010001000 · · Score: 1

    ...I only use genuine Sorny products.

    1. Re:Thats why... by Anonymous Coward · · Score: 0

      Back when I used to work for a well known telco equipment manufacturer we got a laugh when we found genuine "Hericsson" phones for sale. I'll leave it as an exercise to the reader to figure out what company I worked for at the time.

    2. Re:Thats why... by 110010001000 · · Score: 1

      Halcatel?

  6. It shouldn't even be an option by Molonel · · Score: 2

    It shouldn't even be an option to misconfigure your product in that fashion. Botnets are nothing new. Assume your customer will go with the defaults, and make those defaults a secure default. Give them an option for doing a factory reset, because yes, many folks will forget the password even though you reminded them to record it. Don't let them make the password "password" or "password123." Because they will.

    1. Re:It shouldn't even be an option by Anonymous Coward · · Score: 0

      Amazon 1 star review: "Not plug and play. Too hard to set up. Returned for refund."

      See why hardware manufacturers might not want to do this?

    2. Re: It shouldn't even be an option by Anonymous Coward · · Score: 0

      NSA: we need a back door

    3. Re: It shouldn't even be an option by Anonymous Coward · · Score: 0

      Well that's a plus then. That means one less compromised machine, which means one less person taking part in the botnet.

      Security should always come first. Being ignorant is not a defense. Either learn to use the devices securely or don't use them at all.

  7. These vulnerable IoT devices are here to stay by sinij · · Score: 1

    These vulnerable IoT devices are here to stay, so we need an ISP-level solution to this.

    1. Re:These vulnerable IoT devices are here to stay by ninthbit · · Score: 4, Insightful

      No we don't. We don't need any reasons for those greedy incompetent asshats to filter our traffic. Instead, manufacturers should be held liable for insecure products, forcing their hand to secure the devices they ship, and to also provide updates. A minimum two year requirement before they can end of life the device, at which point they should have to provide source code for the community to assume updates on or continue to support the device themselves.

      The value of the code is then weighed by the cost of continuing support, and they can decide what's the best option for themselves.

    2. Re:These vulnerable IoT devices are here to stay by sinij · · Score: 1

      A minimum two year requirement before they can end of life the device,

      So what happens after 2 years? Do you expect to also mandate automatic patching? If yes, this also means that you have to have signed updates. Currently, all of this is done with RSA, but what about post-quantum?

      at which point they should have to provide source code for the community to assume updates on or continue to support the device themselves.

      No vendor would ever agree to this.

    3. Re:These vulnerable IoT devices are here to stay by AmiMoJo · · Score: 3, Insightful

      The problem is how do you get users to apply updates?

      You could have an update server, but then it too is vulnerable and you would have to force manufacturers to hand over control to... someone when they end support and open source the firmware.

      Relying on users to manually seek out and install updates is obviously never going to work, if they can't even change the default password.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
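An added example, not from this thread or from any vendor's firmware, of the signed-update scheme the two comments above are arguing about: the device checks the manifest signature against a key it already trusts, so the update server AmiMoJo worries about is not a trust anchor at all (a compromised server can only serve manifests the key holder signed), and a final vendor-signed manifest can name a successor key when support ends. Ed25519 from Go's standard library stands in for the RSA sinij mentions; the Manifest layout, the NextKey handover field and the sample image bytes are my assumptions, and a real device would additionally keep the trusted key in write-protected storage and verify before touching flash.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest travels next to the firmware image. The device trusts the signature,
// not the server it downloaded from: a compromised update server can only hand
// out manifests that the key holder actually signed.
type Manifest struct {
	Version   uint32            // monotonic, so a signed but vulnerable old build cannot be replayed
	ImageHash [32]byte          // SHA-256 of the image the signature covers
	NextKey   ed25519.PublicKey // empty, or the successor key when support is handed over
	Signature []byte
}

// signedBytes is the canonical encoding both Sign and Apply operate on.
func (m *Manifest) signedBytes() []byte {
	b := make([]byte, 4, 4+32+ed25519.PublicKeySize)
	binary.BigEndian.PutUint32(b, m.Version)
	b = append(b, m.ImageHash[:]...)
	return append(b, m.NextKey...)
}

// Sign is the vendor-side (or, after handover, community-side) step; next may be nil.
func Sign(priv ed25519.PrivateKey, version uint32, image []byte, next ed25519.PublicKey) *Manifest {
	m := &Manifest{Version: version, ImageHash: sha256.Sum256(image), NextKey: next}
	m.Signature = ed25519.Sign(priv, m.signedBytes())
	return m
}

// Device keeps only the currently trusted public key and the running version.
type Device struct {
	TrustedKey ed25519.PublicKey
	Version    uint32
}

var (
	ErrBadSig   = errors.New("manifest not signed by the trusted key")
	ErrRollback = errors.New("manifest version not newer than the installed one")
	ErrImage    = errors.New("image does not match the signed hash")
)

// Apply verifies, then installs. The signature is checked before anything else
// in the manifest is believed, including the proposed successor key.
func (d *Device) Apply(m *Manifest, image []byte) error {
	if !ed25519.Verify(d.TrustedKey, m.signedBytes(), m.Signature) {
		return ErrBadSig
	}
	if m.Version <= d.Version {
		return ErrRollback
	}
	if sha256.Sum256(image) != m.ImageHash {
		return ErrImage
	}
	d.Version = m.Version
	if len(m.NextKey) == ed25519.PublicKeySize {
		d.TrustedKey = m.NextKey // handover: signed by the outgoing key, trusted from now on
	}
	return nil
}

func main() { // demo only
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	dev := &Device{TrustedKey: vendorPub, Version: 1}
	img := []byte("firmware v2 (constructed)")
	fmt.Println("install v2:", dev.Apply(Sign(vendorPriv, 2, img, nil), img))
	fmt.Println("replay v2: ", dev.Apply(Sign(vendorPriv, 2, img, nil), img))
}
```

The same NextKey step is how you would later move to a different signature algorithm: the old key signs one manifest that names the new one, and from then on only the new key is accepted. Here both keys are Ed25519, so the post-quantum question sinij raises stays open, but the device-side logic would not change.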
    4. Re: These vulnerable IoT devices are here to stay by Anonymous Coward · · Score: 0

      If the ISP is providing routers with UPnP enabled by default, then they should be held responsible for that.

    5. Re:These vulnerable IoT devices are here to stay by Anonymous Coward · · Score: 0

      The problem is how do you get users to apply updates?

      Charge them for whatever they're doing. If you participate in botnets, that ought to impact your bottom line every month. Maybe a lot, maybe just a little. Bytes is bytes. At that point, the users can weigh the benefits of botnet participation vs the inconvenience of keeping their software maintained. Dollars are the units of measure.

    6. Re:These vulnerable IoT devices are here to stay by ninthbit · · Score: 1

      You'll never find a perfect solution. But that doesn't mean you don't implement at least the most modest of controls. If the manufacturer is held liable for security, then devices won't ship with default passwords and goatse sized vulnerabilities.

      After two years of updates, the majority of vulnerabilities that do ship will mostly be identified and patched (or should be at least). After that, a general herd immunity will develop. The devices left insecure after two years will have so much variety between them with different models and versions that it becomes impractical to target them.

      IoT devices are less complex than PCs. They typically serve a single purpose with minor user interaction. A secure kernel, running a well written web interface, makes for a VERY SMALL attack surface. These devices are only targetable right now because of the blatant disregard for any measurable sign of security.

    7. Re:These vulnerable IoT devices are here to stay by Bob the Super Hamste · · Score: 1

      A secure kernel, running a well written web interface

      You may be wishing for a bit much with these little trash devices. You are correct in that the only way to get things to improve would be to hold manufacturers responsible for the security of their devices by law, but until then we can expect more things like this.

      --
      Time to offend someone
    8. Re:These vulnerable IoT devices are here to stay by ninthbit · · Score: 1

      Nice.... So someone with a cell phone sniffs the network, hacks the device, and then uses it to load malware onto the card's photo partition, which will then likely get run on the next computer the owner plugs the card into.

      Not to mention the card itself is a WiFi seeking botnet drone.

      I really don't see why they can't get sued for negligence. Car manufacturers do, and so does EVERYONE else. Perhaps Dyn should take the largest manufacturers of the infected devices to court for just that. Sue for damages due to their negligently unsecured devices.

  8. Good for them. by Anonymous Coward · · Score: 0

    Kudos. Really. I'm impressed.

    This is far more than I expected: again, thank you.

    1. Re:Good for them. by Desler · · Score: 1

      You're impressed that they've done the bare minimum after having had insecure products on the market for years? You must be easily impressed.

    2. Re:Good for them. by Zontar The Mindless · · Score: 1

      Their products were shown to have a problem and they're volunteering to take positive action regarding same. Would you like a pony with that, too?

      --
      Il n'y a pas de Planet B.
    3. Re:Good for them. by Desler · · Score: 1

      Oh how generous of them! We should all bow down at their graciousness to *gasp* fix their shitty products!

    4. Re:Good for them. by Anonymous Coward · · Score: 0

      Their products were shown to have a problem and they're volunteering to take positive action regarding same. Would you like a pony with that, too?

      Your 401K got stolen by hackers, but at least you can get a software update for your security camera; too bad you have to sell the property it overlooks.

    5. Re:Good for them. by Zontar The Mindless · · Score: 1

      What's with the mocking attitude? There *are* places in between "throw kisses at their presence" and "throw presents at their kisser", you know. Maybe by the time you're old enough to buy your own beer, you'll have figured that out.

      --
      Il n'y a pas de Planet B.
  9. "Insecure by default" means insecure. by Anonymous Coward · · Score: 0

    Looks like they made the classic mistake of assuming users would be sane enough to change the default password.

    Frankly, if I buy a lightbulb or a smoke detector, I really don't want to spend twenty minutes trying to figure out the protocol to reset passwords. "Insecure by default" means insecure.

    1. Re:"Insecure by default" means insecure. by AmiMoJo · · Score: 1

      A random default password, printed on the device itself, would fix 90% of these vulnerable products.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    2. Re:"Insecure by default" means insecure. by Anonymous Coward · · Score: 0

      And it's people who cannot be arsed to screw around with passwords after they buy an Internet-attached appliance that are the very source of this problem.

      In other words, people like you.

  10. You pay what you get for... by Anonymous Coward · · Score: 0

    Anything made by them is either crap or worthless after one use.

    1. Re:You pay what you get for... by Anonymous Coward · · Score: 0

      Another fellow Keurig owner!

  11. Worm all the IoThings! by FumarMata · · Score: 2

    Only one solution comes to my mind for this not to happen again: create a simple worm that infects and disables ("disables" as in "kills") all the unprotected devices.

    Yes, I would be pissed off if my devices suddenly died, but if it has been that easy to infect all those appliances, the manufacturer should be the one responsible for repairing them.

    Next time they'll implement at least basic security.

    1. Re: Worm all the IoThings! by DraconPern · · Score: 1

      Thankfully turning it off and on fixes the problem!

  12. Kudos to Hangzhou Xiongmai ... by QuietLagoon · · Score: 1
    ... for doing the recall. More IoT companies should follow their trailblazing lead on this issue.

    ... It said the biggest issue was users not changing default passwords ...

    Given the disastrous ramifications of not changing the default passwords, IoT devices should be little more than bricks until the default password is changed to something better.

    1. Re:Kudos to Hangzhou Xiongmai ... by Anonymous Coward · · Score: 0

      Repeating what I commented elsewhere:

      Amazon 1 star review: "Not plug and play. Too hard to set up. Returned for refund."

      See why hardware manufacturers might not want to do this?

    2. Re:Kudos to Hangzhou Xiongmai ... by flyingfsck · · Score: 1

      It can be plug and play - just don't make it configurable over a routable network, only over 192.168.x.y, 172.x.y.z or 10.x.y.z.

      --
      Excuse me, but please get off my Pennisetum Clandestinum, eh!
    3. Re:Kudos to Hangzhou Xiongmai ... by QuietLagoon · · Score: 1

      See why hardware manufacturers might not want to do this?

      Do what? I am not sure what you are referring to.

    4. Re:Kudos to Hangzhou Xiongmai ... by Anonymous Coward · · Score: 0

      Making their product a brick until the password is changed. Giving the customer something extra to do before 'it just works'.
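The pieces proposed across this page (a random per-unit password printed on the sticker rather than a fixed or serial-derived default, as suggested under "Wow" and "Asking too much"; one credential record shared by the web UI, telnet and SSH, so the Krebs caveat quoted by The Raven cannot arise; a policy that refuses "password123" as Molonel asks; a device that stays a brick until the owner has changed the password, per sjames and QuietLagoon; and a management plane that answers only to private sources, per flyingfsck) fit together in one small model. The Go below is an added example written for this page, not Xiongmai's firmware or anything posted in the thread. The serial "XM-000123", the deny list, the 10-character minimum and the salted iterated SHA-256 standing in for a real password hash are all my assumptions. One caveat on the "172.x.y.z" range above: only 172.16.0.0/12 is RFC 1918 space, which is what netip.Addr.IsPrivate checks.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base32"
	"errors"
	"fmt"
	"net/netip"
	"strings"
)

// NewFactoryPassword is 60 random bits from the OS CSPRNG, base32 so it prints on a
// sticker; nothing in it is derived from the serial, so one unit reveals nothing about the next.
func NewFactoryPassword() string {
	b := make([]byte, 8)
	rand.Read(b) // crypto/rand.Read cannot fail as of Go 1.24
	return base32.StdEncoding.EncodeToString(b)[:12]
}

// Credentials is the unit's single password record: web UI, telnet and SSH all
// authenticate against it, so there is no second, per-service table to forget.
type Credentials struct {
	serial     string
	salt       [16]byte
	hash       [32]byte
	MustChange bool // true from the factory until the owner sets a password; the camera stays off while true
}

// kdf is a salted, iterated SHA-256 stand-in for argon2/bcrypt (kept stdlib-only).
func kdf(salt []byte, password string) [32]byte {
	h := sha256.Sum256(append(append([]byte{}, salt...), password...))
	for i := 0; i < 100000; i++ {
		h = sha256.Sum256(h[:])
	}
	return h
}

func (c *Credentials) store(password string) {
	rand.Read(c.salt[:]) // fresh salt on every change
	c.hash = kdf(c.salt[:], password)
}

func (c *Credentials) check(password string) bool {
	h := kdf(c.salt[:], password)
	return subtle.ConstantTimeCompare(h[:], c.hash[:]) == 1
}

// Provision runs at the factory: the record stays on the unit, the returned
// password goes on the sticker and nowhere else.
func Provision(serial string) (*Credentials, string) {
	c := &Credentials{serial: serial, MustChange: true}
	pw := NewFactoryPassword()
	c.store(pw)
	return c, pw
}

var denylist = map[string]bool{"password": true, "password123": true, "admin": true, "123456": true}

// SetPassword retires the factory credential; the policy rejects the obvious
// choices, anything containing the serial number and the factory password itself.
func (c *Credentials) SetPassword(current, fresh string) error {
	lower := strings.ToLower(fresh)
	switch {
	case !c.check(current):
		return errors.New("current password incorrect")
	case len(fresh) < 10 || denylist[lower]:
		return errors.New("password too short or on the deny list")
	case strings.Contains(lower, strings.ToLower(c.serial)) || c.check(fresh):
		return errors.New("password derived from the serial or equal to the factory one")
	}
	c.store(fresh)
	c.MustChange = false
	return nil
}

var ErrDenied, ErrChangeRequired = errors.New("login denied"), errors.New("password change required first")

// AdminReachable limits the management plane to RFC 1918 sources (10/8, 172.16/12,
// 192.168/16): defence in depth behind the password, not a substitute for it.
func AdminReachable(src netip.Addr) bool { return src.Is4() && src.IsPrivate() }

// Login is the one path every listener ("web", "telnet", "ssh") calls, so a password
// change made in the web UI applies to telnet and SSH as well; nil means granted.
func (c *Credentials) Login(service string, src netip.Addr, password string) error {
	if !AdminReachable(src) || !c.check(password) {
		return ErrDenied
	}
	if c.MustChange {
		return ErrChangeRequired // only the change-password page is offered
	}
	return nil
}

func main() { // demo only
	creds, sticker := Provision("XM-000123") // constructed serial
	fmt.Println("sticker:", sticker, creds.Login("telnet", netip.MustParseAddr("192.168.1.20"), sticker))
}
```

The point of routing every listener through Login is the one the Krebs excerpt makes: a separate telnet/SSH password table is exactly what lets the factory credential survive a change made in the web UI. The source check is deliberately a second gate rather than the only one, since port forwarding and UPnP can expose a "LAN-only" service without anyone noticing.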

  13. You know it's going to suck for China... by MikeRT · · Score: 1

    When they go to war with us and lo and behold they find that their people have just as many, if not far more, of these shit for quality IoT devices on their domestic internet. It's going to be the Internet equivalent of two countries nuking each other off the face of the planet as China-controlled bots in the US attack us and NSA-controlled botnets in China attack them.

    The Chinese government needs to wake up to the fact that these devices are just as much of a threat to them as they are to us and work with us to make the whole ecosystem more secure.

    1. Re:You know it's going to suck for China... by Anonymous Coward · · Score: 0

      Why would it suck for China? It's the country that gets its population off the internet first that can build an actual army.

      The whole "cybercommando" thing and the idea that modern nations will fight an information war or having drones fight for them is just BS.
      A war doesn't end until one nation runs out of blood to spill.

    2. Re:You know it's going to suck for China... by Anonymous Coward · · Score: 0

      I think you forgot to take your medicine. Or maybe you took too much of it. It's one of the two.

    3. Re:You know it's going to suck for China... by Anonymous Coward · · Score: 0

      Nah, Chinese critical systems all run on SoCs and ICs that are never even exported; export is forbidden. The software is compiled on compilers that no one in the West is supposed to even have access to. Most of the real spook work is trying to get a copy of this stuff smuggled out. But generally the stuff the NSA can attack is stuff the Chinese don't really care about. Take out the commercial internet and some dude in Beijing can't order his widgets from Alibaba, but the PLA and their tanks in the field won't notice or care that this is going on.

  14. "some US products".... by Bearhouse · · Score: 1

    Hmmm...I wonder how many, and what the recall process will be for the customer.
    I suspect "not many" and "horrible" respectively...

  15. I think I see your problem there... by Anonymous Coward · · Score: 0

    if you think you have computer security but you buy your hardware from the Communist Chinese army...

    It's probably just a recall to install updated spyware

    Americans/Brits/Aussies/Japanese etc. who buy from "companies" like Lenovo are just stupidly giving the Chinese government backdoor access into everything. There's no such thing as a non-government "business" in communist China: it's all run by The Party, or people well connected to The Party, or tolerated by The Party as long as it does anything (like injecting malware, building in backdoors, etc.) The Party tells it to do. Unlike a western democracy, in China The Party and the people's army are one, inseparable... one political party running the nation, its economy, its military, its "businesses", its people's lives...

  16. Impressive response by Anonymous Coward · · Score: 0

    by this Chinese company. Meanwhile, Xerox, Cisco, etc. are just pumping out hardware with NSA backdoors in it. It's funny how much bullshit and stupid accusations are thrown towards China, while they're doing more right than most of the countries in the west.

  17. Xiongmai is not afraid by Anonymous Coward · · Score: 0

    Xiongmai is not afraid

    Courageous Xiongmai

    (This is not a Haiku)

  18. And in other news... by hyades1 · · Score: 1

    ...Six software engineers were quietly executed at Phuc Tup Prison for making government-ordered back door access to the devices so blatantly obvious even barbaric Western script kiddies were on them faster than a priest on a one-legged choir boy.

    --
    I've calculated my velocity with such exquisite precision that I have no idea where I am.