Chinese electronics firm Xiongmai is initiating a product recall after the enormous hacking attack that took down much of the internet on the East Coast of the US and also affected Europe on Friday. The root of the attack was a network of hacked “Internet of Things” devices, such as webcams and digital recorders, many of which were made by Xiongmai. IT security experts from Redscan, ESET, AlienVault, prpl Foundation and NSFOCUS commented below.
Robert Page, Lead Penetration Tester at Redscan:
“In the interests of keeping up with competitors and making IoT devices easier to use, hardware manufacturers routinely compromise the security of customers. By rushing to get new products to market, companies can unwittingly introduce vulnerabilities through sloppy software source code or by a failure to allow sufficient time for testing. This ‘release now, fix later’ approach puts users at risk as hackers will purposely compromise newly-released devices.
Shipping devices with default credentials that are easy to crack using brute force is another common failing, as is the use of insecure web interfaces that are vulnerable to common attack methods such as SQL injection and cross-site scripting.
To improve security of IoT devices, organisations should heed common failings and continually review and penetration test their products to ensure that they are as safe as possible. Through better user education and implementation of regular updates, end-to-end data encryption and proactive network monitoring, manufacturers can significantly reduce their likelihood of being exploited.”
Mark James, Security Specialist at ESET:
I don’t think Xiongmai could be held liable for this attack, but they obviously recognise a concern here and are making good steps in the right direction by recalling products that may have been affected. Hopefully other manufacturers will follow suit and take a look at what they can do to increase security of their own products. It seems these days that security takes a back seat; low-cost, affordable mass consumer use seems to be the preferred option, and it has to change if we want a safer environment for our digital presence.
One of the biggest problems with IoT is its lack of security; the race is currently on to get customers involved with your product. The divide between usability and security is hard to get right at the early adoption stage. People like ease; sadly, the average user will very often choose ease over security and, if offered cheaper or safer, will choose cheaper every time.
IoT device manufacturers have to design security into their products from day one; it has to stop being an afterthought or, sadly, in some cases no thought. As our digital presence expands we need to accept security is everyone’s responsibility; if we stop buying insecure products and force the manufacturers to make better and safer products, things will have to change.
As for IoT devices already in use, you can secure them by upgrading through firmware. In some cases minor changes may make them more secure, but in most cases it’s getting those updates out to the public. A lot of IoT devices are purchased, configured, installed and forgotten about; the idea of checking for updates on those devices is alien to most users.
Javvad Malik, Security Advocate at AlienVault:
“IoT devices have proliferated at a rapid pace, and anyone that can take control of them can wield significant power. The Mirai botnet has given us the first real glimpse into the power of an IoT botnet and the damage that can be done.
With no patching feasible for most devices, there is no easy fix in sight. IoT device manufacturers will need to consider architecting fundamental security principles into the designs, such as avoiding the use of default credentials.
Until such a time that IoT devices have secure options, these devices will continue to feature prominently at the forefront of cyber security attacks.
The challenge with IoT devices is that not only are they often insecure by design, but they lack the options to apply patches or upgrade. Enterprises deploying IoT devices may spend the time needed to change default credentials, place the devices in a segregated network zone, or otherwise harden their systems – but consumers are highly unlikely to implement any such measures.”
Cesare Garlati, Chief Security Strategist at prpl Foundation:
Could Xiongmai be liable for this attack?
Regulators can certainly go after vendors who fail to provide basic security in any consumer products – see FCC Vs Asus precedent. This is an area where regulators must play a role and, for example, ban from sale any connected devices that ship with standard/default/no passwords or heavily fine vendors who fail to recall/patch these devices.
In addition, regulators may force ISPs to temporarily block IP addresses known to be part of active botnets/DDoS – i.e. the ones detected by the Level 3 analysis. A more drastic approach might even include a deliberate cyber attack targeted at these devices to make them unusable – and therefore harmless. In the end, this is no different than stopping a vehicle with broken tail lights to prevent accidents on a highway – just multiplied by hundreds of thousands. There is no need for new technology to block these kinds of unsophisticated attacks – just a good dose of concentration and common sense.
Is such basic security common across IoT devices?
IoT devices tend to run in constrained environments, so security is a bit more difficult to implement on “bare metal” applications but certainly possible using the principles of open source and security by separation using hardware virtualisation.
What should IoT device manufacturers be doing to secure their products?
Prpl’s Security Guidance for Critical Areas of Embedded Computing lays out its revolutionary vision for a secure Internet of Things. It describes a fresh hardware-led approach that is easy to implement, scalable and interoperable. Based on open source and interoperable standards, it proposes to engineer security into connected and embedded devices from the ground up, using three general areas of guidance. These are not the only areas that require attention, but they will help to establish a base of action as developers begin to deal with security in earnest.
Can anything be done to secure IoT devices which are already in use?
The prpl Smart Home Security report recommends the top 10 ways end users can take more control over the security of their devices:
- Regularly check router firmware updates
- Change default admin password on router
- Configure firewall policies – close all ports
- Enable MAC filtering
- Use guest network for guest devices
- Use guest network for all home devices
- Enable wireless isolation
- Disable DNS setting via DHCP
- Disable USB file sharing
- Disable UPnP
Any other comments?
“This new massive attack on core Internet services confirms the importance of securing IoT devices. Individually, they don’t represent a serious threat, but combined in the hundreds of thousands they can easily disrupt critical infrastructure. It also confirms the low level of sophistication of the exploit: mostly directed to common/default user IDs and passwords and insecure Internet protocols, which should never have been enabled on devices that connect to the public Internet.”
Stephen Gates, Chief Research Intelligence Analyst at NSFOCUS IB:
Could Xiongmai be liable for this attack?
Theoretically speaking, Xiongmai could be held somewhat liable for their technologies being used as an accessory to the attack that occurred last Friday; however, that’s a stretch by any imagination. If an organisation can tangibly prove the attack caused a loss of revenue or maybe even a loss of life, then Xiongmai could hypothetically be held accountable. Again, it has to do with the concept of “due care”, or lack thereof. As a result, Xiongmai has taken the responsible approach by initiating a recall and also providing a patch to their systems that are already deployed. Their pre-emptive actio
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.