China’s Xiongmai Tech admits product flaws contributed to cyberattack on US sites
Chinese company Hangzhou Xiongmai Technology has admitted that its webcam and digital video recorder products were partially responsible for a cyberattack against several major internet sites last Friday, as experts called for stronger cybersecurity measures for Internet of Things (IoT) devices.
Dyn, a US-based internet infrastructure company, experienced a distributed denial of service (DDoS) attack on its server infrastructure on Friday when malicious traffic from multiple sources flooded its system, resulting in disruptions for internet companies such as Twitter, Spotify and Amazon Web Services.
The attack was in part due to malware known as Mirai, which scours the internet for IoT devices – such as digital video recorders and webcams from Hangzhou Xiongmai Technology with weak default passwords and vulnerable code – and instructs the devices to direct traffic towards an online service until it crashes.
“We observed tens of millions of discrete IP addresses associated with the Mirai botnet that were part of the attack,” Kyle York, chief strategy officer for Dyn, said in a statement.
Hangzhou Xiongmai Technology called Mirai a “huge disaster for the Internet of Things” in an emailed statement to US-based IDG News Service.
“[We] have to admit that our products also suffered from [the] hacker’s break-in and illegal use,” it said.
The company said it had patched the flaws in its products last September and now asks customers to change the default password when the devices are first used. However, products running older versions of its firmware are still vulnerable to attacks.
Xiongmai is now advising customers to update their device firmware and reminding them to change user names and passwords.
Michael Gazeley, chief executive of security company Network Box, said that the Internet of Things is fast becoming the “Vulnerability of Everything”.
“Businesses are now facing cyber threats ... which a few short years ago would have seemed like something out of a science fiction movie,” he said.
Gazeley said that companies producing internet-connected devices often forgo security for the sake of convenience, even going to the extent of hard-coding passwords into their products since customers often want devices such as routers or webcams to work right out of the box.
“One also has to take note of the fact that, while most users know how to scan their laptop computer with an antivirus programme, they almost certainly don’t know how to do the same with their television, printer, or refrigerator,” he added.
David Maciejak, head of Fortinet’s FortiGuard Lion R&D team in Asia-Pacific, said that DDoS attacks that leverage IoT devices will continue as they are “easy to carry out”.
“Current incidents like Dyn ... are just the beginning. Such IoT attacks will intensify if IoT device manufacturers don’t quickly move to incorporate better security into their products,” he said.
“One can draw a parallel between DDoS attacks and ransomware attacks. The former can be used to extract large ransoms from organisations, and hackers may see them as a feasible alternative to launching ransomware attacks against many individuals and trying to demand small ransoms from each victim,” Maciejak added.
Bryce Boland, chief technology officer for Asia-Pacific at cybersecurity company FireEye, pointed out that IoT devices often get little attention after being set up in a network and users need to take a more active role to prevent their devices from being compromised.
“IoT devices are often deployed into networks where they will operate for years with no or little administration. Unfortunately, these devices have many security weaknesses, and this creates risks for their owners as well as the wider community of internet users,” he said.
Boland advised companies to run IoT devices on a closed network and limit access to the device from the internet, as well as restricting the device to accessing only the services it requires.