Slashdot Mirror


China Electronics Firm To Recall Some US Products After Hacking Attack (reuters.com)

An anonymous reader writes: Chinese firm Hangzhou Xiongmai said it will recall some of its products sold in the United States after it was identified by security researchers as having made parts for devices that were targeted in a major hacking attack on Friday. Hackers unleashed a complex attack on the Internet through common devices like webcams and digital recorders, and cut access to some of the world's best known websites in a stunning breach of global internet stability. The electronics components firm, which makes parts for surveillance cameras, said in a statement on its official microblog that it would recall some of its earlier products sold in the United States, strengthen password functions and send users a patch for products made before April last year. It said the biggest issue was users not changing default passwords, adding that, overall, its products were well protected from cyber security breaches. It said reports that its products made up the bulk of those targeted in the attack were false. "Security issues are a problem facing all mankind. Since industry giants have experienced them, Xiongmai is not afraid to experience them once, too," the company statement said.

13 of 68 comments

  1. Wow by AmiMoJo · · Score: 5, Insightful

    How often does any company do a recall for security issues? They seem to be taking the issue at least somewhat seriously.

    Looks like they made the classic mistake of assuming users would be sane enough to change the default password.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    1. Re:Wow by jratcliffe · · Score: 3

      How often does any company do a recall for security issues? They seem to be taking the issue at least somewhat seriously.

      Looks like they made the classic mistake of assuming users would be sane enough to change the default password.

      More like making the classic mistake that consumers are IT professionals. Complaining that users aren't changing the default password is the security version of "you're holding it wrong." If changing the password is important, then it should be a required part of the setup process.

    2. Re:Wow by Desler · · Score: 2

      Your claim about hindsight with respect to default passwords might be true if this was still 1998. Having your devices using a default password that can be found by simple web searches in this day and age is simply gross negligence. And secondly, one of the flaws being attacked in their products is a bug in OpenSSH that is around 12 years old now. They get no kudos for only now fixing long-ago discovered flaws in the software they ship.

    3. Re:Wow by The+Raven · · Score: 4, Insightful

      You misunderstand. You often can't change the password on the telnet / ssh ports. Per Krebs:

      BUT WAIT, THERE’S MORE

      Several readers have pointed out that while advising IoT users to change the password via the device’s Web interface is a nice security precaution, it may or may not address the fundamental threat. That’s because Mirai spreads via communications services called “telnet” and “SSH,” which are command-line, text-based interfaces [...]

      The trouble is, even if one changes the password on the device’s Web interface, the same default credentials may still allow remote users to log in to the device using telnet and/or SSH.

      --
      "I will trust Google to 'do no evil' until the founders no longer run it." Hello Alphabet.
    4. Re:Wow by Megane · · Score: 2

      If the password is so important to the security of the device, then they should do it like the makers of DSL modems do (at least the ones used by AT&T), and print a random default password on the device itself. (along with a bar code to load it during factory testing)

      --
      #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
  2. Asking too much by ScentCone · · Score: 2

    This reminds me of Chinese Foreign Minister Wang Yi's 2015 comment (in the wake of an obvious wave of government- and business-oriented hacking out of a well known government facility in China) that they couldn't possibly be responsible for such things, since as just a developing nation, they didn't have the sophistication.

    Obviously the laziness of users around the world who don't change default passwords is a different problem, but shipping stuff configured and documented in a way that makes not securing it the default mode in the hands of users is just ... laziness.

    --
    Don't disappoint your bird dog. Go to the range.
    1. Re:Asking too much by Fire_Wraith · · Score: 3, Informative

      Sadly, this sort of thing has nothing to do with being a developing nation. It's horrifyingly commonplace, in fact. Brian Krebs posted a list a few weeks ago including some of the products that were vulnerable to the Mirai botnet exploits, and while it includes several Chinese firms' products, it also includes ones by Samsung, Xerox, Panasonic, Toshiba, etc.
      https://krebsonsecurity.com/20...

    2. Re:Asking too much by ScentCone · · Score: 2

      The point isn't that they're a developing nation. They're not. It's that they spin things with that sort of description whenever they have to explain away things like selling poisoned baby food or grain shipments full of melamine. Pretending they don't have the technical chops to perform sophisticated industrial espionage, because, you know, they're just a simple farming community ... such nonsense.

      --
      Don't disappoint your bird dog. Go to the range.
    3. Re:Asking too much by sjames · · Score: 2

      One approach that would allow them to avoid that is to disable the primary function and not accept a gateway address until the user changes the password.

  3. It shouldn't even be an option by Molonel · · Score: 2

    It shouldn't even be an option to misconfigure your product in that fashion. Botnets are nothing new. Assume your customer will go with the defaults, and make those defaults a secure default. Give them an option for doing a factory reset, because yes, many folks will forget the password even though you reminded them to record it. Don't let them make the password "password" or "password123." Because they will.
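    The three suggestions above (a random per-device default printed on the label, refusing to enable the main function or accept a gateway address until the default is replaced, and rejecting "password" / "password123" outright) fit together into one small credential gate. The sketch below is an added illustration, not code from Xiongmai or from any poster here; the device model, the channel names "web", "telnet" and "ssh", and the weak-password list are all constructed assumptions. It keeps one credential store consulted by every login channel, so that changing the password in the web interface also changes it for telnet and SSH, which is the gap the Krebs quote in the thread describes.

```python
import hashlib
import hmac
import secrets
import string
from typing import Optional

# Constructed blocklist: passwords a device must never accept, whether as a
# shipped default or as a user's choice. The first two are the ones named
# in the comment above; the rest are obvious relatives.
WEAK_PASSWORDS = {"", "password", "password123", "admin", "root",
                  "1234", "12345", "123456"}
MIN_PASSWORD_LENGTH = 10
PBKDF2_ROUNDS = 50_000  # kept modest so the example runs quickly


def generate_factory_password(length: int = 12) -> str:
    """Per-device random default, meant to be printed on the unit's label."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class DeviceAuth:
    """Single credential store shared by every login channel on the device."""

    CHANNELS = ("web", "telnet", "ssh")  # assumed channel names

    def __init__(self, factory_password: str):
        self._factory_password = factory_password
        self.password_changed = False
        self._store(factory_password)

    def _store(self, password: str) -> None:
        self._salt = secrets.token_bytes(16)
        self._hash = _hash_password(password, self._salt)

    def check_login(self, channel: str, password: str) -> bool:
        """Every channel verifies against the same salted hash."""
        if channel not in self.CHANNELS:
            raise ValueError(f"unknown channel {channel!r}")
        candidate = _hash_password(password, self._salt)
        return hmac.compare_digest(candidate, self._hash)

    def validate_new_password(self, candidate: str) -> Optional[str]:
        """Return the reason a password is unacceptable, or None if it is fine."""
        if candidate.lower() in WEAK_PASSWORDS:
            return "password is on the weak-password blocklist"
        if len(candidate) < MIN_PASSWORD_LENGTH:
            return f"password shorter than {MIN_PASSWORD_LENGTH} characters"
        if candidate == self._factory_password:
            return "password must differ from the factory default"
        return None

    def set_password(self, current: str, new: str) -> None:
        if not self.check_login("web", current):
            raise PermissionError("current password incorrect")
        reason = self.validate_new_password(new)
        if reason is not None:
            raise ValueError(reason)
        self._store(new)
        self.password_changed = True

    def setup_complete(self) -> bool:
        return self.password_changed

    def factory_reset(self) -> None:
        """Restore the label password; the device goes back to the locked state."""
        self._store(self._factory_password)
        self.password_changed = False


class Camera:
    """Assumed device: the main function stays off until setup is complete."""

    def __init__(self, auth: DeviceAuth):
        self.auth = auth
        self.gateway: Optional[str] = None

    def streaming_enabled(self) -> bool:
        return self.auth.setup_complete()

    def set_gateway(self, address: str) -> None:
        if not self.auth.setup_complete():
            raise RuntimeError("change the default password before configuring network access")
        self.gateway = address


if __name__ == "__main__":
    label = generate_factory_password()
    auth = DeviceAuth(label)
    cam = Camera(auth)
    print("streaming before setup:", cam.streaming_enabled())
    auth.set_password(label, "correct-horse-battery")
    print("telnet accepts old default:", auth.check_login("telnet", label))
    print("streaming after setup:", cam.streaming_enabled())
```

The `factory_reset` path matches the point about users forgetting the password: a reset restores the label password but also drops the device back into the locked state, so a reset unit cannot quietly resume service on a known default.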

  4. Re:These vulnerable IoT devices are here to stay by ninthbit · · Score: 4, Insightful

    No we don't. We don't need any reasons for those greedy incompetent asshats to filter our traffic. Instead, manufacturers should be held liable for insecure products, forcing their hand to secure the devices they ship, and to also provide updates. A minimum two year requirement before they can end of life the device, at which point they should have to provide source code for the community to assume updates on or continue to support the device themselves.

    The value of the code is then weighed by the cost of continuing support, and they can decide what's the best option for themselves.

  5. Re:These vulnerable IoT devices are here to stay by AmiMoJo · · Score: 3, Insightful

    The problem is how do you get users to apply updates?

    You could have an update server, but then it too is vulnerable and you would have to force manufacturers to hand over control to... someone when they end support and open source the firmware.

    Relying on users to manually seek out and install updates is obviously never going to work, if they can't even change the default password.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  6. Worm all the IoThings! by FumarMata · · Score: 2

    Only one solution comes to my mind for this to not happen again: create a simple worm that infects and disables ("disables" as in "kills") all the unprotected devices.

    Yes, I would be pissed off if my devices suddenly died, but if it has been that easy to infect all those appliances, it should be the manufacturer who is responsible for repairing them.

    Next time they'll implement at least basic security.