Chinese electronics firm Hangzhou XiongMai (XM) says
it will recall some of its IoT devices, including webcams, after claims that
they were widely exploited by the malicious hackers who launched a massive
denial-of-service attack on Friday, October 21st.
The distributed denial-of-service attack targeted
the DNS provider Dyn, which confirmed this weekend in a statement that it was hit by a “sophisticated
attack”, including tens of millions of requests from IP addresses
associated with Mirai, a botnet comprised of hijacked IoT devices.
As a consequence, many web users found that they
were unable to visit a wide array of popular online services, including Twitter,
Pinterest, Reddit, GitHub, Etsy, Tumblr, Spotify, PayPal, Verizon, Comcast, and
the PlayStation Network.
To be clear, the attack didn’t come entirely out of
the blue.
At the end of September, the full force of the
Mirai botnet was directed at the
website of security blogger Brian Krebs, throwing him offline for a
day or two until he regrouped under the protective umbrella of Google Project Shield.
What disrupted Krebs’s security blog, and impacted
companies relying upon Dyn’s DNS services, was the Mirai botnet built on the
shoulders of tens of thousands – if not millions – of hackable IoT devices,
left poorly protected
by default passwords that made it relatively trivial for attackers
to hijack them for their own purposes.
As Reuters reports, Hangzhou XiongMai has said it will
recall some of the products it has sold in the United States, strengthen
passwords and send out a patch for some devices.
At first glance that sounds like a reasonably
speedy reaction by the electronics firm, but it’s worth bearing in mind that
its vulnerable components are used by third-party manufacturers in a wide range
of white-labeled IoT goods.
It is all of these white-labeled devices that are believed to ship with the same
default username/password combination: root : xc3511.
There must be concerns that even if Hangzhou
XiongMai issues a recall, the number of devices that will be returned for a fix
could be shockingly small – meaning that the problem will not be going away
anytime soon.
As an aside, Brian Krebs reports that XiongMai and the Chinese Ministry
of Justice are considering taking legal action against what they describe as
“false statements” that could damage the firm’s reputation.
Whether the threat of legal action is serious or
not remains to be seen.
In the wake of the Mirai attack on KrebsOnSecurity,
no less an authority than the Department of Homeland Security issued a warning to users and administrators about the
steps that they should take to ensure that their IoT devices are not open to
easy exploitation.
The DHS’s advice is just as sensible today, in the
wake of the Dyn DDoS attack, as it was when Krebs was the one being targeted:
· Ensure all default passwords are changed to strong passwords. Default usernames and passwords for most devices can easily be found on the Internet, making devices with default passwords extremely vulnerable.
· Update IoT devices with security patches as soon as patches become available.
· Disable Universal Plug and Play (UPnP) on routers unless absolutely necessary.
· Purchase IoT devices from companies with a reputation for providing secure devices.
· Consumers should be aware of the capabilities of the devices and appliances installed in their homes and businesses. If a device comes with a default password or an open Wi-Fi connection, consumers should change the password and only allow it to operate on a home network with a secured Wi-Fi router.
· Understand the capabilities of any medical devices intended for at-home use. If the device transmits data or can be operated remotely, it has the potential to be infected.
· Monitor Internet Protocol (IP) port 2323/TCP and port 23/TCP for attempts to gain unauthorized control over IoT devices using the network terminal (Telnet) protocol.
· Look for suspicious traffic on port 48101. Infected devices often attempt to spread malware by using port 48101 to send results to the threat actor.
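The last two DHS points are the ones a home or small-office administrator can act on with nothing more than the firewall's own logs. The script below is an added example written for this article, not code from DHS, ESET or XiongMai: it reads iptables-style LOG lines, flags inbound Telnet attempts (23/TCP and 2323/TCP) from Internet hosts against the LAN, flags LAN hosts that reach out to 48101/TCP, and then correlates the two to name devices that were both probed and have since started reporting out. The sample log lines are constructed for the demonstration (documentation address ranges stand in for Internet hosts), and the assumption that the LAN is RFC 1918 space and the three-host scanner threshold are choices made here, not anything the guidance specifies.

```python
import ipaddress
import re
from collections import defaultdict

# Ports named in the DHS guidance: Telnet (23, 2323) and the port Mirai-infected
# devices use to send scan results back to the attacker (48101).
TELNET_PORTS = {23, 2323}
MIRAI_REPORT_PORT = 48101

# Assumption for this example: the monitored LAN is RFC 1918 space. Adjust as needed.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed iptables-style LOG lines (not real traffic). 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges standing in for Internet hosts.
SAMPLE_LOG = """\
Oct 21 12:00:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.1.20 PROTO=TCP SPT=51234 DPT=23 SYN
Oct 21 12:00:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.1.20 PROTO=TCP SPT=51235 DPT=2323 SYN
Oct 21 12:00:03 gw kernel: IN=eth0 OUT= SRC=198.51.100.77 DST=192.168.1.21 PROTO=TCP SPT=40001 DPT=23 SYN
Oct 21 12:00:04 gw kernel: IN=eth0 OUT= SRC=198.51.100.77 DST=192.168.1.22 PROTO=TCP SPT=40002 DPT=23 SYN
Oct 21 12:00:05 gw kernel: IN=eth0 OUT= SRC=198.51.100.77 DST=192.168.1.23 PROTO=TCP SPT=40003 DPT=23 SYN
Oct 21 12:00:06 gw kernel: IN= OUT=eth0 SRC=192.168.1.20 DST=203.0.113.9 PROTO=TCP SPT=33000 DPT=48101 SYN
Oct 21 12:00:07 gw kernel: IN= OUT=eth0 SRC=192.168.1.30 DST=198.51.100.10 PROTO=TCP SPT=33001 DPT=443 SYN
Oct 21 12:00:08 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.1.20 PROTO=UDP SPT=5000 DPT=23
"""

_KV = re.compile(r"([A-Z]+)=(\S*)")


def parse_line(line):
    """Return src, dst, proto and dpt from one LOG line, or None if any are missing."""
    fields = dict(_KV.findall(line))
    try:
        return {
            "src": ipaddress.ip_address(fields["SRC"]),
            "dst": ipaddress.ip_address(fields["DST"]),
            "proto": fields["PROTO"],
            "dpt": int(fields["DPT"]),
        }
    except (KeyError, ValueError):
        return None


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def analyze(log_text):
    """Classify each connection attempt.

    Returns (alerts, probe_targets): alerts is a list of dicts, probe_targets maps
    each external source to the set of internal hosts it tried Telnet against.
    """
    alerts = []
    probe_targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP":
            continue  # Telnet and the Mirai report channel are TCP; skip the rest
        src, dst, dpt = rec["src"], rec["dst"], rec["dpt"]
        if dpt in TELNET_PORTS and not is_internal(src) and is_internal(dst):
            probe_targets[src].add(dst)
            alerts.append({"type": "telnet_probe", "src": str(src), "dst": str(dst), "dpt": dpt})
        elif dpt == MIRAI_REPORT_PORT and is_internal(src) and not is_internal(dst):
            alerts.append({"type": "mirai_report", "src": str(src), "dst": str(dst), "dpt": dpt})
    return alerts, probe_targets


def scanners(probe_targets, min_hosts=3):
    """External sources that tried Telnet against at least min_hosts distinct LAN hosts."""
    return sorted(str(s) for s, hosts in probe_targets.items() if len(hosts) >= min_hosts)


def likely_infected(alerts):
    """LAN hosts that were probed on Telnet and have also connected out to 48101/TCP."""
    probed = {a["dst"] for a in alerts if a["type"] == "telnet_probe"}
    reporting = {a["src"] for a in alerts if a["type"] == "mirai_report"}
    return sorted(probed & reporting)


if __name__ == "__main__":
    found, probes = analyze(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print("scanners:", scanners(probes))
    print("likely infected:", likely_infected(found))
```

On the sample, the UDP line to port 23 is ignored, 198.51.100.77 is reported as a scanner because it swept three different LAN hosts, and 192.168.1.20 is singled out because it was probed and then itself connected out to 48101/TCP. A single outbound hit on 48101 is only a hint, which is why the correlation with the earlier inbound probe is the more useful signal; in a real deployment, feed the function the output of `journalctl -k` or `/var/log/kern.log` rather than the embedded sample.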
And, of course, it’s worth remembering that it’s
not just internet-enabled webcams, DVRs and baby monitors that are being
exploited by online criminals.
Research published by ESET last week revealed that 15% of all home
routers use weak passwords, and 20% have open telnet ports.
As long as insecure devices continue to be attached
to the internet, there will be opportunities for malicious hackers to exploit
them and use them for their own ends. The IoT botnet attacks we have seen in
recent weeks may only be the tip of the iceberg.
For more commentary on the DDoS attack and its
impact, be sure to read Stephen Cobb’s analysis of 10 things to know
about the October 21 IoT DDoS attacks.