Hangzhou Xiongmai Technology – a major Chinese electronics company – has announced it is recalling thousands of IoT devices after they were hijacked by hackers and used in a spate of massive distributed denial of service (DDoS) attacks.
Many of its devices have been added to the Mirai botnet, a network of hundreds of thousands of compromised IoT devices used to flood Internet services with traffic until they become unavailable. Mirai was behind the record DDoS attacks on Krebs on Security and the French hosting company OVH in September, the latter exceeding 1 Tbps, and it was also used in the attack that took down large sections of the Internet on Friday.
The latest attack left some of the biggest websites on the Internet inaccessible for several hours on Friday. Sites such as Twitter, Airbnb, PayPal, Fox News, CNN, Reddit, Netflix and GitHub were affected when US-based DNS provider Dyn was targeted; because the sites themselves were not attacked, only the DNS service that resolves their names, they were unreachable while still running. Amazon Web Services also suffered an outage lasting several hours. The attack came in three waves, and Dyn's initial statement attributed the traffic to tens of millions of discrete IP addresses, a figure that counts addresses rather than devices.
A wide range of devices took part in the attacks, including security cameras and digital video recorders (DVRs), and Friday's attack also drew on hundreds of thousands of webcams. Many of these devices contain circuit boards and firmware supplied by Xiongmai, which sells them to other vendors who market the finished products under their own brands. The hijacking was made possible by weak default passwords: Mirai scans the Internet for devices exposing a Telnet service (TCP ports 23 and 2323) and tries a short built-in list of factory usernames and passwords. Any Internet-reachable device still using one of those defaults can be added to the botnet.
The weakness in Xiongmai's products was identified last year. The company addressed it with a firmware update and urged users to change their passwords, but many users either did not receive the warning or did not act on it. Changing the password through a device's web interface also does not help where the Telnet account the malware logs into is fixed in the firmware. The firmware update did not work on products shipped before April 2015. The recall covers 10,000 webcams, many of which were used in Friday's attack.
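The two checks a defender would want after reading the above, as an added example that is not part of the original article or of any vendor's code: an audit of a device inventory against the factory credential pairs that Mirai-class scanners try, and detection logic that runs over Telnet authentication logs and flags sources sweeping through that list. The credential pairs are a subset of those in the published Mirai scanner source (root:xc3511 is the pair associated with Xiongmai-based boards); the log format, device names and addresses are constructed for the example.

```python
"""Default-credential audit and Mirai-style Telnet brute-force detection.

Added example, not from the article. Assumptions, all constructed:
  - the device inventory (SAMPLE_DEVICES) and its names;
  - the Telnet log line format "src=<ip> user=<u> pass=<p> result=<OK|FAIL>".
"""
import re
from collections import defaultdict

# Subset of the username/password pairs in the published Mirai scanner
# source. root:xc3511 is the pair linked to Xiongmai-based DVRs and cameras,
# root:vizxv to Dahua; the rest are generic vendor defaults.
MIRAI_DEFAULT_CREDENTIALS = frozenset({
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"),
    ("admin", "admin"), ("root", "888888"), ("root", "xmhdipc"),
    ("root", "default"), ("root", "123456"), ("root", "54321"),
    ("support", "support"), ("root", ""), ("admin", "password"),
    ("root", "root"), ("root", "12345"), ("user", "user"),
    ("admin", ""), ("root", "pass"), ("root", "1111"),
    ("root", "666666"), ("root", "password"), ("root", "1234"),
    ("service", "service"), ("supervisor", "supervisor"),
    ("guest", "guest"), ("guest", "12345"), ("ubnt", "ubnt"),
    ("root", "hi3518"), ("root", "7ujMko0vizxv"), ("root", "7ujMko0admin"),
    ("root", "system"), ("root", "dreambox"), ("root", "realtek"),
    ("admin", "1234"), ("admin", "12345"), ("admin", "123456"),
    ("admin", "meinsm"), ("tech", "tech"),
})


def is_default_credential(username, password):
    """True if the pair is one a Mirai-class scanner will try."""
    return (username, password) in MIRAI_DEFAULT_CREDENTIALS


def audit_device_credentials(devices):
    """devices: iterable of (name, username, password) for the Telnet login.

    Returns the names of devices still using a scanned-for default pair.
    Audit the Telnet account itself: on some boards it is separate from the
    web interface password and cannot be changed there.
    """
    return [name for name, user, pw in devices if is_default_credential(user, pw)]


# Constructed log format for the example; adapt the regex to your telnetd.
LOG_RE = re.compile(
    r"src=(?P<src>\S+)\s+user=(?P<user>\S*)\s+pass=(?P<pw>\S*)\s+result=(?P<result>\w+)"
)


def flag_telnet_scanners(log_lines, threshold=3):
    """Count default-credential login attempts per source address.

    Returns (flagged, successes): sources with at least `threshold` attempts
    using known default pairs, and any default pair that actually logged in.
    A source walking the default list is the brute-force pattern Mirai
    produces when it sweeps ports 23/2323.
    """
    attempts = defaultdict(int)
    successes = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not a Telnet auth record
        user, pw = m["user"], m["pw"]
        if not is_default_credential(user, pw):
            continue  # ordinary failed login, not list-driven
        attempts[m["src"]] += 1
        if m["result"] == "OK":
            successes[m["src"]].append((user, pw))
    flagged = {src: n for src, n in attempts.items() if n >= threshold}
    return flagged, dict(successes)


# Constructed sample inventory (hypothetical device names).
SAMPLE_DEVICES = [
    ("dvr-lobby", "root", "xc3511"),
    ("cam-dock", "admin", "Wr0ng-Hors3!"),
    ("nvr-garage", "admin", "admin"),
]

# Constructed sample log; 198.51.100.7 walks the list and gets in,
# 192.0.2.44 tries once, 203.0.113.9 uses a non-default password.
SAMPLE_LOG = [
    "2016-10-21T11:10:01Z telnetd: src=198.51.100.7 user=root pass=xc3511 result=FAIL",
    "2016-10-21T11:10:02Z telnetd: src=198.51.100.7 user=root pass=vizxv result=FAIL",
    "2016-10-21T11:10:02Z telnetd: src=198.51.100.7 user=admin pass=admin result=FAIL",
    "2016-10-21T11:10:03Z telnetd: src=198.51.100.7 user=root pass=888888 result=OK",
    "2016-10-21T11:10:05Z telnetd: src=192.0.2.44 user=root pass=xc3511 result=FAIL",
    "2016-10-21T11:10:06Z telnetd: src=203.0.113.9 user=admin pass=correct-horse result=FAIL",
    "2016-10-21T11:10:07Z sshd: unrelated line that does not match",
]

if __name__ == "__main__":
    print("devices on default credentials:", audit_device_credentials(SAMPLE_DEVICES))
    flagged, successes = flag_telnet_scanners(SAMPLE_LOG)
    print("list-walking sources:", flagged)
    print("default pairs that succeeded:", successes)
```

The success list is the important output: a source that is flagged but never gets `result=OK` is a scanner being refused, while a default pair that logged in means the device should be treated as compromised and its Telnet service disabled or firewalled, not merely given a new web password.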
Meanwhile, the U.S. Department of Homeland Security is investigating the attack. Shortly after it occurred, DHS held a conference call with 18 major communications service providers to develop a strategy for dealing with the threat and preventing the hijacking of IoT devices.
In the race to bring IoT devices to market, manufacturers are failing to build adequate security controls into them, and it is simply too easy for the devices to be added to botnets and used in massive DDoS attacks.
More than a million IoT devices have already been compromised and used in these attacks. The problem is unlikely to be resolved in the short term, and massive attacks are likely to continue.
While those behind the DDoS attacks have not been identified, security researchers do not believe the attacks were nation-state sponsored. Allison Nixon, director of security research at Flashpoint, said: "The evidence that we have strongly suggests [this] is amateur, attention-motivated hackers." Part of the evidence comes from a recent Mirai botnet attack on a gaming company, which would not typically be a target for nation-state backed hackers.