Slashdot Mirror


Firm Responsible For Mirai-Infected Webcams Hires Software Firm To Make Its Products More Secure (securityledger.com)

chicksdaddy writes from a report via The Security Ledger: After seeding the globe with hackable DVRs and webcams, Zhejiang Dahua Technology Co., Ltd. of Hangzhou, China will be working with the Mountain View-based U.S. firm Synopsys to "enhance the security of its Internet of Things (IoT) devices and solutions." In a joint statement, the companies said Dahua will be adopting secure "software development life cycle (SDLC) and supply chain" practices using Synopsys technologies in an effort to reduce the number of "vulnerabilities that can jeopardize our products," according to a statement attributed to Fu Liquan, Dahua's Chairman, The Security Ledger reports. Dahua's cameras and digital video recorders (DVRs) figured prominently in the Mirai botnet, which launched massive denial of service attacks against websites in Europe and the U.S., including the French web hosting firm OVH, security news site Krebsonsecurity.com and the New Hampshire-based managed DNS provider Dyn. Cybercriminals behind the botnet apparently exploited an overflow vulnerability in the web interface for cameras and DVRs to gain access to the underlying Linux operating system and install the Mirai software, according to research by the firm Level3. In March, Dahua was called out for another serious vulnerability in eleven models of video recorders and IP cameras. Namely: a back door account that gave remote attackers full control of vulnerable devices without the need to authenticate to the device. The flaw was first disclosed on the Full Disclosure mailing list and described as "like a damn Hollywood hack, click on one button and you are in."

18 comments

  1. click on one button and you are in by I'm+New+Around+Here · · Score: 2

    I thought that's how all hacks work. You mean the movies are wrong?

    --
    If you think I voted for Trump because of this post, you're wrong. I voted for Dr. Jill Stein of the Green Party. Again.
    1. Re:click on one button and you are in by radarskiy · · Score: 1

      Synopsys will instantiate the button module twice, so if you press the wrong one the bomb blows up.

    2. Re:click on one button and you are in by Anonymous Coward · · Score: 0

      No, you hit one button which initiates a password guesser that lights up on correct digits.

      So a 5 digit password needs at most 50 "rolls" to hit the correct combination.

      --sf

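The "lights up on correct digits" lock in the comment above is a per-position oracle, and the arithmetic behind "at most 50 rolls" is worth seeing in code. The following is an added example, not code from the Slashdot thread or from Dahua or Synopsys; the LeakyLock and SafeLock classes are constructed stand-ins for a device's PIN check. It goes a step beyond the comment: because every guess reports all five positions at once, the attacker can try "00000", "11111", ... and finish in at most 10 guesses, not 50. The SafeLock shows the fix, a yes/no answer computed with a constant-time comparison so neither the reply nor its timing reveals which digits matched.

```python
"""Per-digit feedback turns a 10**5 PIN search into a handful of guesses.

Added example (not from the original post). LeakyLock and SafeLock are
constructed devices that model the comment's 'lights up on correct digits'
behaviour and its hardened counterpart.
"""
import hmac
import itertools

PIN_LENGTH = 5
DIGITS = "0123456789"


class LeakyLock:
    """Constructed device: reports, for each position, whether that digit matched."""

    def __init__(self, secret: str):
        assert len(secret) == PIN_LENGTH and secret.isdigit()
        self._secret = secret
        self.attempts = 0

    def try_pin(self, guess: str) -> list[bool]:
        self.attempts += 1
        # One boolean per position is the leak: the attacker learns 5 facts per try.
        return [g == s for g, s in zip(guess, self._secret)]


class SafeLock:
    """Constructed device: answers only accept/reject, in constant time."""

    def __init__(self, secret: str):
        assert len(secret) == PIN_LENGTH and secret.isdigit()
        self._secret = secret.encode()
        self.attempts = 0

    def try_pin(self, guess: str) -> bool:
        self.attempts += 1
        # hmac.compare_digest does not short-circuit on the first mismatching byte,
        # so timing does not reveal how many leading digits were right.
        return hmac.compare_digest(guess.encode(), self._secret)


def crack_leaky_sequential(lock: LeakyLock) -> str:
    """The comment's strategy: fix one position at a time, 10 tries per digit.

    Worst case is PIN_LENGTH * 10 = 50 attempts.
    """
    known = ["0"] * PIN_LENGTH
    for pos in range(PIN_LENGTH):
        for d in DIGITS:
            known[pos] = d
            if lock.try_pin("".join(known))[pos]:
                break
    return "".join(known)


def crack_leaky_parallel(lock: LeakyLock) -> str:
    """Better: each guess tests the same digit in every position at once.

    "00000", "11111", ... "99999" resolves all positions in at most 10 attempts.
    """
    known: list[str | None] = [None] * PIN_LENGTH
    for d in DIGITS:
        for pos, matched in enumerate(lock.try_pin(d * PIN_LENGTH)):
            if matched:
                known[pos] = d
        if all(k is not None for k in known):
            break
    return "".join(k for k in known if k is not None)


def crack_safe(lock: SafeLock) -> str:
    """Without per-digit feedback only exhaustive search remains (up to 10**5 tries)."""
    for combo in itertools.product(DIGITS, repeat=PIN_LENGTH):
        guess = "".join(combo)
        if lock.try_pin(guess):
            return guess
    raise RuntimeError("no PIN accepted; the lock is misconfigured")


if __name__ == "__main__":
    secret = "97531"  # constructed sample PIN
    leaky = LeakyLock(secret)
    print(crack_leaky_sequential(leaky), "in", leaky.attempts, "attempts (sequential)")
    leaky = LeakyLock(secret)
    print(crack_leaky_parallel(leaky), "in", leaky.attempts, "attempts (parallel)")
    safe = SafeLock(secret)
    print(crack_safe(safe), "in", safe.attempts, "attempts (no oracle)")
```

Run it as a script to see the three attempt counts side by side. The lesson generalises to any authentication check that reports partial progress, whether through an explicit per-character result or through a comparison that returns early on the first mismatch.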
  2. good to hear by bugs2squash · · Score: 2

    they seem to be at least trying to do the right thing. Let's hope they get a good reputation for security and profit from it.

    --
    Nullius in verba
    1. Re:good to hear by Anonymous Coward · · Score: 0

      Hah. I'll believe it when I see it. Literally, I'd love to actually see a software update be available for my 3 year old IP cam.

    2. Re:good to hear by Zontar+The+Mindless · · Score: 2

      Oh, they're trying to do the right thing, all right...

      --
      Il n'y a pas de Planet B.
    3. Re:good to hear by PsychoSlashDot · · Score: 1

      they seem to be at least trying to do the right thing. Let's hope they get a good reputation for security and profit from it.

      "...vulnerabilities that can jeopardize our products..."

      I don't know. It could just be a language/translation thing, but to me the important issue is "vulnerabilities that can jeopardize our customers". I can't tell for sure if they get the issue from a philosophical standpoint or only a market-share and revenue one.

      --
      "Oh no... he found the .sig setting."
  3. Use APPS, NOT LUDDITE SOFTWARE! by Anonymous Coward · · Score: 0

    Remember, only apps can app apps!

    Apps!

    1. Re:Use APPS, NOT LUDDITE SOFTWARE! by Anonymous Coward · · Score: 0

      Remember, only twats can twat a twat

  4. Related: by whoever57 · · Score: 2

    https://news.synopsys.com/2016...

    Synopsys bought a company that specializes in this kind of work a few months ago.

    Three years ago, also this:
    http://www.bizjournals.com/san...

    --
    The real "Libtards" are the Libertarians!
    1. Re:Related: by Anonymous Coward · · Score: 0

      We've been using Coverity at my place of work for a few years; it is good at finding lots of latent bugs, but the setup is a bear and it relies very heavily on the Connect Web server component (earlier versions could do client-only analyses but they've pushed the architecture to really require Connect as well, which of course costs tons more). The license costs have gone up every year so we're trying to retire it before they raise it too much.

      We're moving gradually towards replacing it with Klocwork which has nicer configuration and setup, and easier Eclipse client integration.

  5. Dahua should burn by Anonymous Coward · · Score: 1

    Dahua is a really crappy company, and they should just burn. I had the misfortune of getting one of their cameras a few years ago and was flabbergasted at just how piss-poor their development practices are. I knew my device was vulnerable and spent many hours scouring the web for firmware updates to the product. It's not a matter of user incompetence / lazy updating. Dahua just doesn't push updates at all. There are more threads on various av forums with dated information about 3rd party firmware hacks than there is official documentation and support on their products.

    Consumers should just steer clear of Dahua. I've been very happy with Amcrest. They take security seriously and make it dead easy to update firmware.

  6. I have an idea by Anonymous Coward · · Score: 0

    Stop putting telnet on shit... it's not the 1970s anymore, we have a thing called SSH, and even then, it doesn't have to be a) enabled by default, b) accessible on the WAN port.

  7. Trust by SniffTheGlove · · Score: 1

    It's all about Trust. Trust in the manufacturer, trust in the firmware, trust in the company doing the security assessment.

    However, you cannot trust any manufacturer, and experience shows every manufacturer will tell everyone their product is secure by the use of obfuscation and downright lies. How many Chinese firms stamp official certification marks onto devices and packaging as a matter of course?

    How many times do you hear from a big corporation "ONLY A FEW CUSTOMERS WERE AFFECTED" when in reality it was every customer? Lies and bullshit, so who can you trust?

  8. How to enhance the security of IoT devices by najajomo · · Score: 1

    Run the device from a binary blob that is protected by a read-write switch.

    1. Re:How to enhance the security of IoT devices by Zero__Kelvin · · Score: 1

      You don't know what a "binary blob" is, do you?

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    2. Re:How to enhance the security of IoT devices by najajomo · · Score: 1

      "You don't know what a "binary blob" is, do you?"

      I do, but was too lazy to look up the correct term and was relying instead on some genius like yourself to correct me over the Internet.

    3. Re: How to enhance the security of IoT devices by Zero__Kelvin · · Score: 1

      How did that work out for you?

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun