The unprecedented distributed denial-of-service (DDoS) attack that disrupted access to scores of websites and services on Friday has led to some action: a product recall.
Hangzhou Xiongmai Technology, a Chinese company whose DVRs and webcams were hijacked and used to carry out the DDoS attack, is recalling all of its webcam models, according to Reuters.
The DDoS attack was powered by open-source malware called Mirai, which takes over poorly secured Internet of Things (IoT) devices like the DVRs and webcams hijacked on Friday. Mirai allows whoever is running the malware to overwhelm their target with requests for information sent from the devices they control.
Despite issuing the recall, Hangzhou Xiongmai is disputing some of the claims about the role its products played in the attack, telling Reuters they’re generally secure. The company denies that its products represent the bulk of the devices used to disrupt Domain Name Servers owned by Dyn, the company that was directly targeted on Friday. Hangzhou Xiongmai insists that customers not changing default passwords isn’t the problem, though it says it issued the recall in part to “strengthen password functions.”
Bruce Schneier has been blogging for years about how IoT devices aren’t secure, and warned last month that hackers were getting much better at harnessing the resources necessary to carry out DDoS attacks like the one on Friday. There’s also the nagging problem that this isn’t easy to fix, even with recalls. Matthew Garrett, a security developer, does a good job explaining why on his blog:
Many of these devices are sold by resellers who have no resources to handle any kind of recall. The manufacturer may not have any kind of legal presence in many of the countries where their products are sold. There’s no way anybody can compel a recall, and even if they could it probably wouldn’t help. If I’ve paid a contractor to install a security camera in my office, and if I get a notification that my camera is being used to take down Twitter, what do I do?
Garrett’s post raises important questions about Hangzhou Xiongmai’s recall. How many customers, especially in the U.S., will actually hear about it, let alone understand it’s linked to their not being able to access the internet on Friday? And how many other poorly secured devices are out there? (The alternative, he explains, is internet service providers cutting people off, a huge problem in its own right.) While the answers to these questions are worked out, I’ll leave you with one final bit of worrying math from Garrett: