Ask HN: Why aren't botnet-fodder vendors' names (XiongMai, Dahua) in the news?
36 points by myself248 on Oct 22, 2016 | 15 comments
I had to dig into a few articles to find the names of the devices involved, but they're not in the headlines like Samsung has been. And for all the Note fires, Samsung hasn't even taken down the internet. (Yet.) Among all the "it's going to get worse before it gets better" talk about IoT and embedded security, where's the pressure to get better? I'm sure a few technical folks who made these devices are ashamed, but they won't get additional resources to implement better security or to update old products until the CEOs feel the heat. How can this best be achieved?


I suppose these vendors are not major household names like Samsung, so it doesn't make as good of a story. I also wonder if perhaps the general public views attacks as inevitable -- sort of a force of nature -- whereas we view it as a problem that can be greatly reduced with specific actions.

As a software developer in the consumer electronics industry, I am quite concerned about these vulnerabilities and the industry's casual acceptance of them. :(


> inevitable -- sort of a force of nature

Yeah, sort of! The attempts are inevitable, but I don't think the vulnerabilities are.

I've long used the Three Little Pigs story when explaining security: Yes, the wolf is always there, don't act shocked when you build a house of straw and suddenly a horrible bad nasty despicable and thoroughly evil (just trying to feed his family) wolf shows up.

The pig who hauled the brick did more work than the pigs who hauled sticks or straw, but ended up not getting eaten. Everyone from the breakroom to the boardroom should understand this analogy. I've found it helpful, anyway.


True, but today's steel is tomorrow's sticks when it comes to vulnerabilities like this one. Over time, old security protocols are cracked and new vulnerabilities are found in existing devices.


I work in this industry, but I might have some facts incorrect.

My understanding was that the devices that were hijacked are older (2-3 years minimum) model NVRs and IP cameras. The firmware for these devices is built on top of BusyBox. From what I can tell, this firmware comes with telnet enabled, and after many years of exploits these companies fixed the firmware and removed the exploit in newer releases (within the last 2 years).

The hijacked devices shared the same characteristics: telnet can be abused and credentials to log into the device were set to default (admin/admin).

Add in a global registry of these devices (shodan.io) and you can essentially tap into these devices fairly easily.

Whoever was behind the attacks using this firmware exploit must have a very intricate understanding of the firmware IMO.

If it was the Chinese gov't, they would be impacting one of the largest providers of CCTV from China (Dahua). The Chinese gov't favors another company (Hikvision) who has raised 6 billion dollars to expand in the US; some of this money came from the Chinese gov't. If China is behind these attacks, it might be to mess with the US and protect their investment (which sounds like a bit of a stretch).

Should these companies have their names out in the open? Probably not; firmware in the last 2 years has removed telnet. You might be able to do some damage with their HTTP API, but the device has to use default credentials. Putting their name out might also encourage others to attempt the same type of attacks.
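The comment above describes the two conditions the hijacked devices shared: a reachable telnet service and unchanged default credentials such as admin/admin. The following is an added example, not code from the thread or from any vendor, of the detection logic a defender could run over an NVR's or camera's login syslog to spot exactly that combination. The log format (loosely modelled on BusyBox `login`/`telnetd` messages), the management subnet `192.168.1.0/24`, the sample lines and the thresholds are all constructed assumptions; real devices log differently.

```python
"""Flag telnet logins from outside the management network and logins that
immediately follow a burst of failed attempts (credential guessing).

Added example, not from the HN thread. Log format, subnet and thresholds
are assumptions; adapt the regexes to the real device's syslog output.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log, loosely modelled on BusyBox login/telnetd syslog lines.
SAMPLE_LOG = """\
Oct 21 11:02:10 cam01 telnetd[401]: connection from 198.51.100.9
Oct 21 11:02:11 cam01 login[402]: FAILED LOGIN for root from 198.51.100.9
Oct 21 11:02:11 cam01 login[402]: FAILED LOGIN for admin from 198.51.100.9
Oct 21 11:02:12 cam01 login[402]: FAILED LOGIN for admin from 198.51.100.9
Oct 21 11:02:13 cam01 login[402]: FAILED LOGIN for support from 198.51.100.9
Oct 21 11:02:14 cam01 login[402]: admin login on 'pts/0' from 198.51.100.9
Oct 21 11:30:00 cam01 login[455]: admin login on 'pts/1' from 192.168.1.20
Oct 21 11:41:02 cam01 login[470]: FAILED LOGIN for admin from 192.168.1.20
"""

# Assumed syslog layout: "<Mon dd HH:MM:SS> <host> <prog>[pid]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>\w+)\[\d+\]: (?P<msg>.*)$"
)
FAIL_RE = re.compile(r"FAILED LOGIN for (?P<user>\S+) from (?P<ip>\S+)")
OK_RE = re.compile(r"^(?P<user>\S+) login on '[^']+' from (?P<ip>\S+)")


def parse(log_text, year=2016):
    """Return a list of (timestamp, 'fail'|'ok', user, source_ip) events."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year; the caller supplies it.
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        f = FAIL_RE.search(m["msg"])
        if f:
            events.append((ts, "fail", f["user"], f["ip"]))
            continue
        o = OK_RE.match(m["msg"])
        if o and m["prog"] == "login":
            events.append((ts, "ok", o["user"], o["ip"]))
    return events


def analyse(log_text, mgmt_nets=("192.168.1.0/24",), threshold=3, window_s=60):
    """Classify login events into three finding lists.

    external_logins:    successful logins from outside the management subnets
                        (a reachable telnet service in the first place)
    guessed_logins:     successes preceded by >= threshold failures from the
                        same source within window_s (default-credential guessing)
    brute_force_sources: sources with >= threshold failures inside window_s
    """
    nets = [ipaddress.ip_network(n) for n in mgmt_nets]
    fails = defaultdict(list)  # source ip -> timestamps of failed attempts
    external, guessed, brute = [], [], set()
    for ts, kind, user, ip in parse(log_text):
        recent = [t for t in fails[ip] if 0 <= (ts - t).total_seconds() <= window_s]
        if kind == "fail":
            fails[ip].append(ts)
            if len(recent) + 1 >= threshold:
                brute.add(ip)
            continue
        addr = ipaddress.ip_address(ip)
        if not any(addr in n for n in nets):
            external.append((user, ip))
        if len(recent) >= threshold:
            guessed.append((user, ip))
    return {
        "external_logins": external,
        "guessed_logins": guessed,
        "brute_force_sources": sorted(brute),
    }


if __name__ == "__main__":
    for name, hits in analyse(SAMPLE_LOG).items():
        print(f"{name}: {hits}")
```

On the constructed sample, the 198.51.100.9 session produces all three findings (four failures in three seconds, then a success from a public address), while the 11:30 login from the management subnet and the single failure at 11:41 produce none. The same logic applies just as well when the device forwards syslog to a collector, which is the practical way to watch a fleet of cameras that cannot be patched.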


I have reviewed the code and indeed, it is fairly well written. Definitely a professional coder. Not sure if they would have to have a deep understanding of the firmware though. BusyBox is Linux based and that's all they needed to know. I also think the problem would be fairly easy to fix, albeit through unconventional channels. If it can be hacked, it can be patched and locked down, probably using the same code that the attacks are based on.


Can you share the code? I am curious to see what kind of attack vectors were applied.

Having enough product knowledge to be able to exploit the specific firmwares is what I meant by a deep understanding of the firmware.

My hypothesis is that either the person spent some time working out which cameras to attack, they had previous experience within the surveillance industry, or they did research on common network recorder exploits.



Pure speculation, but maybe it's actually the Chinese?

We know it's Chinese equipment, we also know that industry there has strong ties to the Government, see the Huawei investigation as an example ( https://intelligence.house.gov/sites/intelligence.house.gov/... )

Maybe the Chinese Government encouraged their suppliers to pump out unsecured crap, knowing they'd be in a position to flood the market and take advantage of it later?


The "movie plot" part of my brain loves this theory, but Hanlon's razor suggests otherwise.


For those unfamiliar, a geeky etymology [1] of Hanlon's Razor.

[1] https://en.m.wikipedia.org/wiki/Hanlon%27s_razor#Origins_and...


There's been a plenty of Ubiquiti botnets too, not at all limited to Chinese stuff.


Why should they be in the news? We're talking about a few hundred thousand compromised devices at best. Windows malware regularly hits millions.


You were just one day too early, the names are beginning to drop now.


Why aren't news in the news? I see no coverage at all.


The attack was on the front page of the NYT website yesterday.

Here's the article: http://www.nytimes.com/2016/10/22/business/internet-problems...
