Slashdot Mirror

← Back to Stories (view on slashdot.org)

China Electronics Firm To Recall Some US Products After Hacking Attack (reuters.com)

Posted by msmash on from the fixing-things dept.

An anonymous reader writes:Chinese firm Hangzhou Xiongmai said it will recall some of its products sold in the United States after it was identified by security researchers as having made parts for devices that were targeted in a major hacking attack on Friday. Hackers unleashed a complex attack on the Internet through common devices like webcams and digital recorders, and cut access to some of the world's best known websites in a stunning breach of global internet stability. The electronics components firm, which makes parts for surveillance cameras, said in a statement on its official microblog that it would recall some of its earlier products sold in the United States, strengthen password functions and send users a patch for products made before April last year. It said the biggest issue was users not changing default passwords, adding that, overall, its products were well protected from cyber security breaches. It said reports that its products made up the bulk of those targeted in the attack were false. "Security issues are a problem facing all mankind. Since industry giants have experienced them, Xiongmai is not afraid to experience them once, too," the company statement said.

4 of 68 comments (clear)

  1. Wow by AmiMoJo · · Score: 5, Insightful

    How often does any company do a recall for security issues? They seem to be taking the issue at least somewhat seriously.

    Looks like the made the classic mistake of assuming users would be sane enough to change the default password.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    1. Re:Wow by The+Raven · · Score: 4, Insightful

      You misunderstand. You often can't change the password on the telnet / ssh ports. Per Krebs:

      BUT WAIT, THERE’S MORE

      Several readers have pointed out that while advising IoT users to change the password via the device’s Web interface is a nice security precaution, it may or may not address the fundamental threat. That’s because Mirai spreads via communications services called “telnet” and “SSH,” which are command-line, text-based interfaces [...]

      The trouble is, even if one changes the password on the device’s Web interface, the same default credentials may still allow remote users to log in to the device using telnet and/or SSH.

      --
      "I will trust Google to 'do no evil' until the founders no longer run it." Hello Alphabet.
  2. Re:These vulnerable IoT devices are here to stay by ninthbit · · Score: 4, Insightful

    No we don't. We don't need any reasons for those greedy incompetent asshats to filter our traffic. Instead, manufacturers should be held liable for insecure products, forcing their hand to secure the devices they ship, and to also provide updates. A minimum two year requirement before they can end of life the device, at which point they should have to provide source code for the community to assume updates on or continue to support the device themselves.

    The value of the code is then weighed by the cost of continuing support, and they can decide what's the best option for themselves.

  3. Re:These vulnerable IoT devices are here to stay by AmiMoJo · · Score: 3, Insightful

    The problem is how do you get users to apply updates?

    You could have an update server, but then it too is vulnerable and you would have to force manufacturers to hand over control to... someone when they end support and open source the firmware.

    Relying on users to manually seek out and install updates is obviously never going to work, if they can't even change the default password.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC