Ask HN: Why aren't botnet-fodder vendors' names (XiongMai, Dahua) in the news?
I had to dig into a few articles to find the names of the devices involved, but they're not in the headlines like Samsung has been. And for all the Note fires, Samsung hasn't even taken down the internet. (Yet.)
Among all the "it's going to get worse before it gets better" talk about IoT and embedded security, where's the pressure to get better? I'm sure a few technical folks who made these devices are ashamed, but they won't get additional resources to implement better security or to update old products until the CEOs feel the heat. How can this best be achieved?
15 comments
[ 1.8 ms ] story [ 42.5 ms ] threadWe know it's Chinese equipment, we also know that industry there has strong ties to the Government, see the Huawei investigation as an example ( https://intelligence.house.gov/sites/intelligence.house.gov/... )
Maybe the Chinese Government encouraged their suppliers to pump out unsecured crap, knowing they'd be in a position to flood the market and take advantage of it later?
[1] https://en.m.wikipedia.org/wiki/Hanlon%27s_razor#Origins_and...
As a software developer in the consumer electronics industry, I am quite concerned about these vulnerabilities and the industry's casual acceptance of them. :(
Yeah, sort of! The attempts are inevitable, but I don't think the vulnerabilities are.
I've long used the Three Little Pigs story when explaining security: Yes, the wolf is always there, don't act shocked when you build a house of straw and suddenly a horrible bad nasty despicable and thoroughly evil (just trying to feed his family) wolf shows up.
The pig who hauled the brick did more work than the pigs who hauled sticks or straw, but ended up not getting eaten. Everyone from the breakroom to the boardroom should understand this analogy. I've found it helpful, anyway.
here's the article: http://www.nytimes.com/2016/10/22/business/internet-problems...
My understanding was that the devices that were hijacked are older (2-3 years minimum) model NVR's and IP Cameras. The firmware for these devices is built on top of Busy box. From what I can tell, this firmware comes with telnet enabled and after many years of exploits, these companies fixed the firmware and removed the exploit in newer releases (within the last 2 years).
The hijacked devices shared the same characteristics: telnet can be abused and credentials to log into the device were set to default (admin/admin).
Add in a global registry of these devices (shodan.io) and you can essentially tap into these devices fairly easily.
Whoever was behind the attacks using this firmware exploit must have a very intricate understanding of the firmware IMO.
If it was the Chinese gov't, they would be impacting one of the largest providers of CCTV from China (Dahua). The Chinese gov't favors another company (Hikvision) who has raised 6 billion dollars to expand in the US; some if this money came from the Chinese gov't. If China is behind these attacks, it might be to mess with the US and protect their investment (which sounds like a bit of a stretch).
Should these companies have their names out in the open? Probably not; firmware in the last 2 years has removed telnet. You might be able to do some damage with their HTTP API, but the device has to use default credentials. Putting their name out might also encourage others to attempt the same type of attacks.
Having enough product knowledge to be able to exploit the specific firmwares is what I meant by a deep understanding of the firmware.
My hypothesis is that either the person spent some time working out which cameras to attack, they had previous experience within the surveillance industry, or they did research on common network recorder exploits.