Chinese electronics biz recalls webcams at heart of botnet DDoS woes

Chinese electronics firm Hangzhou Xiongmai is set to recall swathes of webcams after they were compromised by the Mirai botnet. Mirai exploits the low security standards of internet-connected devices, from routers to webcams, and after enslaving them with malware uses their network connections to launch DDoS attacks, such as …

  1. Anonymous Coward

    How are these devices accessed from the internet though?

    What am I missing here? Most consumer products are sat behind NAT devices (standard home routers) so unless port forwarding has specifically been enabled, they shouldn't theoretically be accessible that easily from the internet, right?

    Or are there really that many devices being hooked up directly to the 'net using public facing IPs?

    1. Dan 55 Silver badge

      Re: How are these devices accessed from the internet though?

      We have UPnP to thank for that.

    2. steve-b

      Re: How are these devices accessed from the internet though?

      A big selling point is that they are accessible from some app remotely. I'd imagine most of them are upnp devices requiring very little setup. Couple that with home routers doing dynamic dns and such and it's a recipe for this kind of disaster.

    3. Dwarf

      Re: How are these devices accessed from the internet though?

      Check out what uPNP does for your home network.

      It's a standard that got dropped into home grade router firmware and turned on by default, so that internal devices can ask the firewall to open up various ports without the user having to worry about the complexity of setting up port forwarding. This is why when you add in a games console "it just works".

      Now add in a dose of "We've got an iphone|android application" that the marketing people thought would be a good idea, sprinkle a little Dynamic DNS so you can always find your home network's public IP address and connect to the application from your phone (obviously using the hard coded / internal password or one you also use for facebook).

      Now add a splash of "your device registers to our cloud" - marketing ware, which establishes some more outbound connections and probably some uPNP inbound so it can talk back to you, rather than use keep-alive connections, which the cloud provider would have to maintain as open too.

      Add a sprinkle of IoT to the mix which will then try and use all the above, again lowering your security but at least your fridge can tell you when the eggs are reaching their sell by date.

      As you can see, now you have Swiss cheese on your Firewall with NAT. Don't forget that NAT isn't a security standard and in all of these cases, the firewall will just handle the traffic like any other stateful outbound traffic in your state table (ie like browsing this web site).

      Since the devices sit on your LAN, once one of them is compromised, you need to treat your whole home LAN as compromised.

      As you can see, each of the "handy marketing" ideas looks good on paper, but the security behind each of them is fairly non-existent. Security standards need a reboot on home grade devices as today's solutions are about as secure as hanging a key on a peg outside your door with a large flashing neon sign saying "key".
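      The post above describes devices asking the router, over UPnP, to open inbound ports. As an added example (not from the original thread or from any vendor), the script below parses the SOAP `AddPortMapping` requests that a LAN device sends to the router's IGD `WANIPConnection` service and lists which internal host asked for which external port, flagging hosts the owner did not expect and "permanent" leases (a lease duration of 0 in the IGD spec). The three sample requests are constructed for the demo; the allow-list of expected hosts is an assumption you would replace with your own.

```python
"""Audit UPnP IGD AddPortMapping requests captured on a home LAN.

Added example, not code from the page. It parses the SOAP bodies a device
sends to the router's WANIPConnection:1 service (the mechanism the thread
calls "asking the firewall to open ports") and reports what each request
would expose. Sample requests are constructed for the demo.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional, Tuple

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
IGD_NS = "urn:schemas-upnp-org:service:WANIPConnection:1"


@dataclass
class PortMapping:
    internal_client: str      # LAN host that will receive the traffic
    internal_port: int
    external_port: int        # port opened on the WAN side
    protocol: str
    lease_seconds: int        # 0 means "until the router forgets it" (permanent)
    description: str


def _soap(action_xml: str) -> str:
    """Wrap an action element in a SOAP envelope (constructed sample data)."""
    return (
        f'<s:Envelope xmlns:s="{SOAP_NS}" s:encodingStyle="'
        'http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
        f"{action_xml}</s:Body></s:Envelope>"
    )


# Constructed samples: a camera asking for a permanent TCP forward, a games
# console asking for a one-hour UDP forward, and an unrelated IGD action.
SAMPLE_REQUESTS = [
    _soap(f'<u:AddPortMapping xmlns:u="{IGD_NS}"><NewRemoteHost></NewRemoteHost>'
          "<NewExternalPort>8080</NewExternalPort><NewProtocol>TCP</NewProtocol>"
          "<NewInternalPort>80</NewInternalPort>"
          "<NewInternalClient>192.168.1.42</NewInternalClient>"
          "<NewEnabled>1</NewEnabled><NewPortMappingDescription>IPCam"
          "</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration>"
          "</u:AddPortMapping>"),
    _soap(f'<u:AddPortMapping xmlns:u="{IGD_NS}"><NewRemoteHost></NewRemoteHost>'
          "<NewExternalPort>3074</NewExternalPort><NewProtocol>UDP</NewProtocol>"
          "<NewInternalPort>3074</NewInternalPort>"
          "<NewInternalClient>192.168.1.20</NewInternalClient>"
          "<NewEnabled>1</NewEnabled><NewPortMappingDescription>Console"
          "</NewPortMappingDescription><NewLeaseDuration>3600</NewLeaseDuration>"
          "</u:AddPortMapping>"),
    _soap(f'<u:GetExternalIPAddress xmlns:u="{IGD_NS}"></u:GetExternalIPAddress>'),
]


def parse_add_port_mapping(soap_xml: str) -> Optional[PortMapping]:
    """Return the mapping an AddPortMapping request asks for, else None."""
    root = ET.fromstring(soap_xml)
    body = root.find(f"{{{SOAP_NS}}}Body")
    if body is None:
        return None
    action = body.find(f"{{{IGD_NS}}}AddPortMapping")
    if action is None:
        return None  # some other IGD action; nothing is opened by it

    def arg(name: str) -> str:
        # IGD argument elements carry no namespace prefix.
        el = action.find(name)
        return (el.text or "").strip() if el is not None else ""

    return PortMapping(
        internal_client=arg("NewInternalClient"),
        internal_port=int(arg("NewInternalPort") or 0),
        external_port=int(arg("NewExternalPort") or 0),
        protocol=arg("NewProtocol").upper(),
        lease_seconds=int(arg("NewLeaseDuration") or 0),
        description=arg("NewPortMappingDescription"),
    )


def audit(requests: List[str], allowed_clients=frozenset()) -> List[Tuple[PortMapping, List[str]]]:
    """Pair each requested mapping with the reasons it deserves a look."""
    findings = []
    for xml in requests:
        m = parse_add_port_mapping(xml)
        if m is None:
            continue
        reasons = []
        if m.internal_client not in allowed_clients:
            reasons.append("unexpected host")   # a device you did not plan to expose
        if m.lease_seconds == 0:
            reasons.append("permanent lease")   # hole stays open indefinitely
        findings.append((m, reasons))
    return findings


if __name__ == "__main__":
    # Assumed allow-list: only the console is meant to punch holes.
    for mapping, reasons in audit(SAMPLE_REQUESTS, allowed_clients={"192.168.1.20"}):
        print(f"{mapping.internal_client}:{mapping.internal_port} <- WAN "
              f"{mapping.protocol}/{mapping.external_port} ({mapping.description}) "
              f"{', '.join(reasons) or 'ok'}")
```

      Running it prints the camera's request as "unexpected host, permanent lease" and the console's as "ok"; the same parser can be pointed at SOAP bodies captured from real LAN traffic to see what each device has asked the router to open.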

      1. Charles 9

        Re: How are these devices accessed from the internet though?

        OK, so how do you fix the problem without getting complaints (and defections) from the customers? As for standard, who follows them when they'll just go around them like smugglers during Prohibition?

        1. Dwarf

          Re: How are these devices accessed from the internet though?

          @Charles 9

          That's the million dollar question. Answers on a postcard please.

          The problem as I see it is:

          1. Bad marketing ideas - Web enabled printing; The IoT fridge (or IoT anything for that matter, they are just devices); the remotely controllable CCTV devices.

          2. Marketing companies keeping up with the other vendors who "already have a product" so their engineers can do it, why can't we?

          3. Users are completely clueless when it comes to anything with technology, other than showing off with "look what I just got" type statements.

          4. The lack of any standards or accountability for any of the cruft that people chuck into the market. Who suffered the most following last week's issue - Dyn customers / unrelated companies, or the vendors who made the vulnerable junk?

          5. We can't even get electrically safe chargers that don't electrocute people or batteries that don't catch fire when being charged, so what hope is there of more complex things like entire computers with changing hardware components and stacks of protocols that make up their inner workings.

          6. Corporate greed. Companies want our cash and dangle shiny stuff in front of us for unbelievably low prices

          7. User stupidity - people look at the previous point and reason along the lines of "Well, they are selling it, so it MUST be OK since SOMEONE must be making sure they stick to the standards right ?"

          8. The race to make the next big thing. (company: 1. Make device, 2. ..... 3. Profit!!)

          9. Doing it properly costs in terms of time and makes the products more expensive, hence they do not compete with the tat vendors in the same market place, hence they cut corners until it's the absolute cheapest they can get it to.

          To fix the problems, I think that we need:

          1. Mandatory standards, a bit like we have for cars (scratch that, Dieselgate, didn't work), er, electronic safety like CE approval (Conformité Européenne) (scratch that, China Export made a mockery of that). We still need standards, but they need teeth and those who bend the rules or ignore them need to be held accountable.

          2. Vendors need to be accountable for their products for a long period, e.g. 5-10 years, so it costs them in terms of recalls, replacements and penalties. It needs to be cheaper for them to do it right, not do it cheap and nasty. The car market is a good example of this, but it needs to apply to other devices too.

          3. Customers need to be selective on what they buy - buy good things, not random junk.

          4. Customers need to be able to easily see what's going out of their house and turn off things that they don't want. WiFi on my fridge - nope. CCTV remote access - nope. Win 10 slurp, etc.

          5. Anyone, with impunity, can have a crack at any device, since it should be secure. If they find a vulnerability, they need a way of registering these with a world-wide entity with teeth. The manufacturer has to pay the person who found the vulnerability an amount based on the severity and number of units sold. The manufacturer has to resolve the issue and make it available to customers for free. This makes a market from securing devices and makes manufacturers accountable for compliance with security and standards. Obviously things like the DMCA that make it illegal to reverse engineer something would need a clean up, but that's a small detail, since bad guys ignore it already. This also makes it more likely that the gifted people who can find their way into devices make money legally from it.

          1. dajames

            Re: How are these devices accessed from the internet though?

            It needs to be cheaper for them to do it right, not do it cheap and nasty.

            Hear! Hear!

            ... and if charging enough to do it right pushes the prices of IoT devices right out of the market so much the better!

        2. Alan W. Rateliff, II
          Paris Hilton

          Re: How are these devices accessed from the internet though?

          Well, one of the statements prior is to use OUTBOUND connections, only. Though this requires the provider to build a better infrastructure, thus a potential increase in price. But markets adjust: as properly working and better secured devices appear on the market, the price will drop as they become more successful and prices for manufacture and support go down.

          Automated VLAN of "guest" devices would be a way, as well. Though that will not cut down on the hijacked devices nuking a target if UPnP port forwards are still in progress. Whether in-bound or out-bound connections are being made, internal users could still make contact with the devices. Though if it is something like a DLNA broadcaster... one could override in the firewall/router.

          Software integration with the firewall might be a neat tool, too. Some way for the firewall to interact with anti-virus/firewall software on a computer in order to notify a user when not just a program wants Internet access but also a device, along with access options for said device. The presumption being the owner of the network uses a computer and not devices, solely. Well, then an app on a device, anything to cover the bases.

          Anyway... yes, there are solutions.

      2. Anonymous South African Coward Bronze badge

        Check out what uPNP does for your home network.

        So glad that I can disable uPnP on my Smoothwall. I'll jolly well manage my own devices thank you verra much.

        I'll rather have the schlepp to VPN in to my network and check what my doohickeys are doing than opening the whole kaboodle to world+dog with the potential for mischief (eg fridge orders 200l of milk by itself) ...

        Or, better still, not have any IoT frippery in your house at all, and know that there is no way that ne'er-do-wells can pull pranks on you (like getting your fridge to warm the contents for an hour or so while you're at work, then cool everything down nicely before you get home)...

        Naaah, I think IoT is overrated at this point in time.

      3. sisk

        Re: How are these devices accessed from the internet though?

        UPNP is convenient. There's no denying that, and I suspect it's been a godsend for the average user. But for me, and I suspect for around 75-90% of El Reg readers, the benefits it offers are outweighed by the security risks inherent in it because what it does is not all that difficult to manage better manually. Instead of half a dozen devices opening who knows how many holes in your firewall to talk to the outside world we can open just one port connected to a hardened web server that provides the control interface for our IoT devices (or, better yet if you have a router that supports it - not all consumer grade ones do - set up a DMZ). Such a task should be well within the capabilities of anyone who works in IT and completely negates the need for UPNP. Then you can turn off UPNP on your router and thus greatly improve your network security.

        That's pretty much the route I've taken with my IoT devices, but then both my current IoT devices (a smart power strip, which is also the above mentioned hardened web server because it was my first IoT device so it made sense to have it run its own control server, and a much-fancier-than-strictly-necessary alarm clock) were hand built around small SBCs so they were built from the ground up for that sort of control. I also don't have any game consoles or the like to worry about (or, more accurately, they haven't been plugged in for so long that I'm seriously considering just selling them).

        1. Mage Silver badge

          Re: UPNP is convenient.

          But like Autorun, ultimately stupid and not needed.

          Either manually set up a port (but with sensible rules, to a sensible device or else your LAN is exposed), or a VPN. I set up a VPN server on an old PC and later on my router instead (OpenWrt) and put it on port 80 so I could use my home LAN to access email securely (or at all! I don't use Web based email) away from home, or other home resources. Why port 80? Because hotels, cafes, University especially may block various ports. They don't block 80, thinking it's only used for HTTP.

          Not all VPN clients can use arbitrary ports. But I found one for Windows for my kids at Uni that did (this was 10 years ago).

          1. Mage Silver badge

            Re: UPNP is convenient.

            For those that don't know (a minority here), VPN = Virtual Private Network. Properly done it adds an extra "network port" on your PC/Tablet/phone which is actually the VPN client software. It's creating an encrypted connection into your VPN server. It then can expose everything on your LAN as if you are on the LAN, or just stuff on the VPN Server, and/or the Internet as seen by your home LAN. So stuff on the internet that's blocked (due to local router / NAT rules of a University OR because you are in America and your home Router is in the UK) is then visible via the home internet connection. So you can use VPN for four reasons:

            1) Access stuff like POP/SMTP on your own ISP's mail server as if at home, securely in a WiFi cafe, possibly avoiding MiM attacks.

            2) Access files or whatever on the VPN server, securely.

            3) Access a random device on your LAN as if you are on the LAN.

            4) Bypass geoblock or local port blocks.

            If properly set up:

            1) You need user/pass that is very secure to connect at all.

            2) The data is all securely encrypted, possibly even good enough to block hypothetical quantum computers cracking.

            The keys are made at home, and loaded on the device at home* so the classic problem of key distribution is solved.

            [*You can write it on rice paper and eat it]

            1. Charles 9

              Re: UPNP is convenient.

              But Joe Stupid isn't smart enough to do everything you say, and it's HIS devices that are running roughshod all over the Internet making life miserable for everyone else. Like you said, standards mean nothing to device makers who hide behind the sovereignty of a hostile power and can always use the gray markets to sidestep around regulations (and few countries can embargo another, especially one as large and powerful as China, without retaliation).

              We need a solution that even a brick can understand (and this knowing bricks can understand few things other than perhaps a hammer blow, which is against civilized society when applied to humans).

              1. dajames

                Re: UPNP is convenient.

                But Joe Stupid isn't smart enough to do everything you say, and it's HIS devices that are running roughshod all over the Internet making life miserable for everyone else.

                If, without uPNP, Joe Stupid is unable to set up HIS devices at all, so they can't see the internet (or be seen from it) then HIS devices will not be carrying out DoS attacks.

                What's the problem?

                1. Slartybardfast

                  Re: UPNP is convenient.

                  Sorry but "Joe Stupid" could well be a professor of physics or a doctor etc, just not IT-aware, networking experts or sys admins. Blocking these people from using the products they have bought, just because they aren't aware of the implications, is just wrong. It's the fault of the standards committees and manufacturers/developers, not the users.

                  1. Mark 85

                    Re: UPNP is convenient.

                    Sorry, I don't see the problem with doctors, professors, etc. being blocked. We go to doctors because they are the experts in medicine. They should go to the IT professional because they are the experts. As for professors... they pretty much live in their own world and know not much outside it, so they definitely should seek IT help.

                    Standards would be great if they were universal, applied properly, and adhered to by ALL manufacturers and developers. Fat chance of that though in today's world.

                    1. Anonymous Coward

                      Re: UPNP is convenient.

                      Oh damn, I forgot to turn off UPNP when I got a new router. Well it's off now.

                      Not that I have anything on my network that would use it - the router itself is my only "IOT" device.

                    2. Slartybardfast

                      Re: UPNP is convenient.

                      My point is the "Joe Stupid" doesn't have to be STUPID to get caught up in this. Not literally that doctors and professors are a special case. I thought you may have realised this, but obviously I have to spell it out to you.

                      "They should go to the IT professional because they are the experts" - So that includes everyone who wants to plug in a PS4 and just have it work? You are living in cloud cuckoo land.

                      "Standards would be great if they were universal, applied properly, and adhered to by ALL manufacturers and developers" - Correct, and?

                      1. dajames

                        Re: UPNP is convenient.

                        My point is the "Joe Stupid" doesn't have to be STUPID to get caught up in this. Not literally that doctors and professors are a special case.

                        I think the "Joe Stupid" referred to by 'Charles 9' is stupid by definition -- too stupid to follow instructions to punch a hole in his own firewall (and too ignorant to know how to do it without instructions) -- and wouldn't be able to get his IoT stuff to work without uPNP. He is, then, not a doctor or a professor as while these people may not be skilled in IT they can usually read and follow instructions.

                        However, if uPNP is dangerous for Joe it is doubly so for these smarter people. If they had to follow instructions to configure their firewalls they might realize that they were allowing an inexpensive device -- sufficiently inexpensive that not much can have been spent to make it secure -- to make itself visible to the Big Bad Internet; and they might then decide not to do it. uPNP lets them set up the device without thinking, and that's not good.

                        uPNP is also used by some botnet malware to open a port through the router so that it can receive instructions. That alone is reason enough to disable uPNP.

                        1. Charles 9

                          Re: UPNP is convenient.

                          And my point is that turnkey solutions are what the customers want. Good or ill, that's where they're paying, so sink or swim. The fact the gray market is booming shows that regulation won't help, much like Prohibition. The customer won't care unless it kills them.

                          1. sisk

                            Re: UPNP is convenient.

                            Sadly I know some very intelligent people who wouldn't be able to follow instructions to punch holes in their firewalls. It's not so much a matter of intelligence as it is a matter of knowledge. If you don't know the terminology then the instructions are worthless to you. "Joe Stupid" need not be stupid. It's sufficient for him to be non-technical enough to not know how to log into their router. I think we all know someone who is fairly intelligent but would be confused if told to do that.

              2. Mage Silver badge
                Unhappy

                Re: Joe Stupid isn't smart enough to do everything you say

                Given current design of the Internet and how a Firewall works and the desire of IoT makers to "phone home", if there was no uPNP, the instructions would explain how to put your entire LAN in the DMZ, or some other such foolishness.

                I'd thought of having every router & gadget, phone, laptop, tablet etc have a short range two way IR link to exchange keys and settings, even then have unique key per device. It's simple HW & SW but the makers would object to the extra $2. Unscrupulous vendors would connect stuff in a way worse than today.

                The design of Internet is flawed, assumed good users and well behaved devices. The design of eMail ignored spam issues on Telex, RTTY, and earlier Telegraph and added almost no security at all and missed out the idea of whitelists.

                Systems never envisaged to be used by other IT Admins in responsible establishments.

                There are sticking plasters, but no solution. The triple whammy of rise of IoT, outsource to cloud and giant Corporations stealing (or conning people into giving it) all our private info and usage and monetising it doesn't bode well at all.

                If mobile credit balance, ATMs, Point of Sale, Infrastructure control, smart Meters, Retailer's stock ordering / ERP systems etc all outsourced to the "Cloud" and that has many areas of mono-culture, what if DNS, Edge Routers, whatever is taken down by IoT or a bad patch released late Friday set to auto-install and propagate on the Cloud ...

                Or timing of Exchanges, Datacentres, DTT, DAB, Mobile stupidly relying on cheap GPS instead of a local Atomic Clock (under $1000 now) and there is a flare that knocks out all satellite, inc GPS. One in the 19th C. was big enough. There was another that fortunately missed us!

                We aren't there yet, but rushing toward it.

                1. Richard 12 Silver badge

                  $2 is way too expensive

                  The CPU on many IoT devices costs that much.

                  Even 10 US cents is probably too much, the margins really are that tight.

                  They only exist because the hardware is dirt cheap and the software can be built with stickle-brick components from various open source projects.

                  It doesn't even need to be stable, let alone secure or supportable.

                  The map download software for my last (probably ever) satnav was the most unstable piece of **** I'd ever seen, yet three/four years later there has never been a single patch for it, despite the satnav itself still being a current product. I don't think it will run at all on Windows 10.

                2. Charles 9

                  Re: Joe Stupid isn't smart enough to do everything you say

                  "The design of Internet is flawed, assumed good users and well behaved devices. The design of eMail ignored spam issues on Telex, RTTY, and earlier Telegraph and added almost no security at all and missed out the idea of whitelists."

                  Well, here's your fork in the road. The only alternative to the current Anarchy of the Internet is a Stateful Internet, and that means bye bye privacy, hello Police State. From the way things are going, no third option is possible because any inroads will be abused to take us back to one or the other.

                  So, pick your poison.

        2. dajames

          Re: How are these devices accessed from the internet though?

          ... for me, and I suspect for around 75-90% of El Reg readers, the benefits [uPNP] offers are outweighed by the security risks inherent in it

          No, for 75-90% of El Reg readers there are NO security risks inherent in uPNP, because they have turned it OFF.

          ... or so I should damn well hope!

      4. Jon B

        Re: How are these devices accessed from the internet though?

        Commentards like this one are why El Reg is so good.

    4. Anonymous Coward

      Re: How are these devices accessed from the internet though?

      Thanks for the replies. The uPnP thing was a big WOW - I (foolishly) thought it was a protocol for devices on an internal network to communicate (I'm not a networking guy!). Had no idea it could open inbound ports and so forth. I will be tightening up my security before and after installing some IP cameras.

      I understand even more now why El Reg is on the case of this. Unreal.

    5. razorfishsl

      Re: How are these devices accessed from the internet though?

      This "hack" targets any devices that are publicly accessible.

      And yes there is a lot, like the ones people enable so they can watch shit on their mobile phones.

      The hack is basically a search program (can be written very simply, google/basic); after finding the devices, a simple program is uploaded via available functions, and the DDoS begins.

    6. gnarlymarley

      Re: How are these devices accessed from the internet though?

      Most consumer products are sat behind NAT devices (standard home routers)

      My guess is that most people do not realize that NAT DOES work with IPv6, and are wasting a public facing IPv6 address on their camera.

      1. Anonymous Coward

        Re: How are these devices accessed from the internet though?

        "My guess is that most people do not realize that NAT DOES work with IPv6, and are wasting a public facing IPv6 address on their camera."

        But NAT's not supposed to work with IPv6. It breaks the end-to-end principle (and yes, it's documented at least as far back as 1988). The endpoint's supposed to be able to safeguard itself, not rely on a firewall that may or may not be there.

  2. Dan 55 Silver badge
    Flame

    Nice

    Tat that as well as being broken is not even updatable.

    Better to throw them away instead of participating in the recall and letting this bunch of shysters send them straight out the door to another country which isn't as scary as the US.

    1. Charles 9

      Re: Nice

      Um, China's scary enough as it is. They've got nukes and an eastern mentality to warfare (meaning they could be more accepting of MAD).

  3. sisk

    Things like this are why I built all the IoT devices in my house myself. I know the security on them is solid because I've applied the same skillset that has kept a couple thousand (mostly script kiddie, some seemingly automated botnet) attackers a week out of the web server at work for the last decade.

  4. Anonymous Coward

    Router Rules

    Upnp - Disable (If you need port forwarding then do it manually)

    WPS - Disable

    Password - Change from default

    and the most important thing is to set up url filtering to block "www.dailymail.co.uk" and "www.facebook.com"

    1. Charles 9

      Re: Router Rules

      How do you teach that to Joe Stupid, though? You need a turnkey solution for him or he'll complain...or find someone who accommodates him.

      1. Anonymous Coward

        Re: Router Rules

        @Charles 9

        That's a good point, a part solution would be to have a http landing page once the router is connected that forces you to change the password before it activates and connects to the internet.

        1. kevjs

          Re: Router Rules

          That's what ntl: used to do. Inevitably the password chosen was "password".... And that was the modem directly connected to a PC - the Router was a separate device back then that required extra configuration, a job I ended up doing for plenty of my IT course mates at uni (hence why I knew the modem's password was password!) :(

          At least Virgin have a "random" password on their routers nowadays.

        2. Charles 9

          Re: Router Rules

          "That's a good point, a part solution would be to have a http landing page once the router is connected that forces you to change the password before it activates and connects to the internet."

          Then something hits, the router goes bonkers, and people forget the password (which if you'll recall happens ALL THE TIME, which is why passwords are not considered a reliable identity metric). And they won't take "You lose" for an answer; they'll answer with scathing reviews and defections.

    2. Peter Gathercole Silver badge

      Re: Router Rules @AC

      Totally agree re. uPNP and WPS, but if you want to set up the port forwarding rules yourself, you probably have to fix the IP addresses of the servers you want to port-forward to, either with manual IP addresses or fixed DHCP MAC-to-IP mappings.

      Changing the password is a no-brainer that people do immediately anyway, isn't it? I even generate my own WiFi keys so as not to use the default, just in case it can be derived from some other information on the router, and hide the routers behind a Linux firewall and separate DSL modem.

      The thing is, people I know ask why I do all this, when all they do is plug it all in, and press that little button on the router to register a device. "It's so much easier", they say.

      If only I could directly implicate their network as being part of the botnet, I could show them the error of their ways...

      1. sisk

        Re: Router Rules @AC

        Changing the password is a no-brainer that people do immediately anyway, isn't it?

        Based on the people who've given me their wifi passwords for one reason or another, I'd have to say that, sadly, no it isn't. Granted at this point all my friends and family have heard the lecture about why you shouldn't use default passwords so it doesn't happen anymore, but for a while every other time I needed to get on someone's wifi network it was the default password still.

      2. Velv
        Boffin

        Re: Router Rules @AC

        "...fixed DHCP MAC-to-IP mappings..."

        DHCP is great for managing the address space automatically, but on a private network you generally have more than enough addresses in the scope to cover every device so they never need to share. Since the DHCP protocol asks to keep the same address at 50% of the lease you don't really need to worry about reservations. It's a very small risk for devices such as cameras that are almost always on.

        1. Peter Gathercole Silver badge

          Re: Router Rules @Velv

          That scheme (allowing DHCP to allocate addresses and hope that devices get the same addresses even when the lease expires) works until it doesn't, and then the consumer who didn't need to know how things work will be completely stuck when their port forwarding rules stop working.

          Most DHCP servers on consumer grade routers allow you to reserve persistent IP addresses for certain MAC addresses. I don't see what is so difficult about setting up persistent addresses that will be fixed. After all, in order to set up port forwarding rules, one has to know something about IP and port addressing.
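          The exchange above is about port forwards that silently break when the target's DHCP lease changes, and the two ways the thread names to pin a target: a manual (static) address outside the dynamic pool, or a MAC-to-IP reservation. As an added example (not from the thread or from any router vendor), this script checks a list of port-forward rules against the router's DHCP pool and reservation table and reports the forwards whose target is neither reserved nor static, i.e. the ones that will stop working "when it doesn't". The pool range, reservations and forwards are constructed sample data.

```python
"""Find port forwards whose target address is not pinned down.

Added example, not code from the page. A forward is "at risk" when its
internal address lies inside the DHCP dynamic pool and no MAC reservation
claims that address: the device may get a different lease later and the
forward then points at nothing (or at the wrong device). Targets outside
the pool are treated as manually configured static addresses.
"""
import ipaddress
from typing import Dict, List

# Constructed sample: a typical consumer router layout.
POOL_START = "192.168.1.100"
POOL_END = "192.168.1.199"

# MAC -> reserved IP (the "fixed DHCP MAC-to-IP mappings" of the thread).
RESERVATIONS: Dict[str, str] = {
    "aa:bb:cc:00:11:22": "192.168.1.150",   # camera, reserved
}

# Port-forward rules as most router UIs present them.
FORWARDS: List[dict] = [
    {"name": "camera",  "proto": "TCP", "ext_port": 8443, "internal_ip": "192.168.1.150", "int_port": 443},
    {"name": "nas",     "proto": "TCP", "ext_port": 2222, "internal_ip": "192.168.1.160", "int_port": 22},
    {"name": "webhost", "proto": "TCP", "ext_port": 443,  "internal_ip": "192.168.1.10",  "int_port": 443},
]


def in_pool(ip: str, pool_start: str = POOL_START, pool_end: str = POOL_END) -> bool:
    """True when ip falls inside the DHCP dynamic range (inclusive)."""
    addr = ipaddress.ip_address(ip)
    return ipaddress.ip_address(pool_start) <= addr <= ipaddress.ip_address(pool_end)


def forwards_at_risk(forwards: List[dict], reservations: Dict[str, str],
                     pool_start: str = POOL_START, pool_end: str = POOL_END) -> List[dict]:
    """Return the forwards whose target can change address under DHCP."""
    reserved_ips = set(reservations.values())
    risky = []
    for fwd in forwards:
        target = fwd["internal_ip"]
        if target in reserved_ips:
            continue                      # pinned to a MAC: stable
        if not in_pool(target, pool_start, pool_end):
            continue                      # outside the pool: assumed static
        risky.append(fwd)                 # dynamic lease, no reservation
    return risky


def explain(fwd: dict) -> str:
    """One-line description of why a forward is fragile."""
    return (f"forward {fwd['proto']}/{fwd['ext_port']} -> {fwd['internal_ip']}:"
            f"{fwd['int_port']} ({fwd['name']}): target is a dynamic lease with no "
            f"reservation; reserve it or give the device a static address")


if __name__ == "__main__":
    for fwd in forwards_at_risk(FORWARDS, RESERVATIONS):
        print(explain(fwd))
```

          With the sample data only the "nas" forward is reported: the camera's address is reserved and the web host sits below the pool, so both survive lease renewals.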

  5. Anonymous Coward

    What else they do then...

    From (http://www.hktdc.com/manufacturers-suppliers/Hangzhou-Xiongmai-Technology-Co-Ltd/en/1X0976RR/)

    Hangzhou Xiongmai Technology Co.,Ltd., established in 2009, is a high-tech enterprise focusing on audio and video hardware development, and is a leading global solutions provider of security and surveillance products. Currently, our products and solutions have been applied in more than 80 countries, providing services for a large number of manufacturers.

    In 2013, we created the “Building family memories, change family life” concept, which is committed to building the “Future Family”. “Future Family” can provide a variety of smart products, making life smarter, safer, more convenient and more beautiful. Our products include smart home cameras, smart car dash cameras, sports cameras, smart sockets, smart bulbs, smart multimedia boxes, smart speakers and so on.
    Xiongmai's “Future Family” layout in the IoT field has entered into a strategic partnership with Kingsoft, Tencent, Alibaba and JD, also cooperates with Lenovo and 360, and is gradually building the “Future Family” ecosystem.

    1. Anonymous South African Coward Bronze badge

      Re: What else they do then...

      WTF is "smart speakers"? Can they be haxx0red to blow raspberries randomly?

      1. Peter Gathercole Silver badge

        Re: What else they do then... @A. S. A. C.

        Probably WiFi connected room speakers, like the ones SONOS sell, and using UPnP to allow the music appliance to find them. Not my cup of tea, but whatever.

        My speakers are connected to their amp via some old-fashioned 5A multi-strand lighting cable. Funny, I tried to buy some cable recently, and got the distinct impression that it was no longer available (at least as mains cable), I suspect because in the UK mains cable now needs to be double-insulated.

        All I can get now appears to be specific 'speaker' cable, at stupid prices!

        Progress?

        1. Captain Badmouth
          Holmes

          Re: What else they do then... @Peter Gathercole speaker cable

          Try and get hold of some 2 core cable as per this link:

          https://www.tlc-direct.co.uk/Main_Index/Cable_Index/Flex_White/index.html

          HTH. Simples.

          1. Peter Gathercole Silver badge

            Re: What else they do then... @Peter Gathercole speaker cable

            Yeah. Double insulated, as I said. It will work, but I miss the figure-of-eight cross section cable that I've always used.

            Stupid really, that I should want to continue to use what I've used in the past.

  6. Brian Miller

    What percentage returned?

    So they issued a recall. What percentage will be returned? Maybe 1%? Were the owners even aware that anything happened?

    What is needed is an auto-hack system to log into the devices, and just give them a hard reboot. Knock the things offline, and the attacks will diminish. Then the owners will wonder why their cheap cameras keep rebooting, and do something about it.

    1. MotionCompensation

      Re: What percentage returned?

      Why not have their ISP disconnect them? For abusing their internet connection by participating in a DDoS attack. Put this in the terms and conditions of the ISP. And automate the detection and disconnecting part.

      Once consumers realize that misbehaving devices will get them disconnected, they may start demanding secure devices. Or even better, think twice before connecting stuff to the internet.

      1. Mage Silver badge

        Re: What percentage returned?

        "Why not have their ISP disconnect them? "

        It's a DDoS attack. How would the ISP know?

        1. MotionCompensation

          Re: What percentage returned?

          Good point. Perhaps part of the DDoS sources could be logged and reported, a variant of the old email abuse reporting system. Maybe someone else has a better idea. In my opinion, those causing the problem, both those making these devices and those using them irresponsibly, should somehow have a problem too when their devices misbehave. Or else this will indeed continue until there is no more internet.

          1. Charles 9

            Re: What percentage returned?

            Then we're probably up the creek because we probably won't get either side to cooperate. Most of the devices in question are made in China, who could care less about what happens to the West. As for the users, they're just ordinary people in search of turnkey solutions. They don't WANT to learn and aren't interested in licensing or such for things they do in the privacy of their homes.

  7. Will Godfrey Silver badge
    Unhappy

    Too Late

    Not only was Pandora's box opened, but it was then thrown into a hurricane.

  8. Mage Silver badge
    Happy

    Amazing...

    A company actually recalling IoT stuff for security.

    AND they are Chinese!

    1. Anonymous Coward
      Pint

      You have got to smile

      From their website http://www.xiongmaitech.com/en/index.php/about/company/19

      Company’s Vision:

      Being a first-class company in the security field, to achieve in fifty years

      1. Slartybardfast

        Re: You have got to smile

        Their English is probably better than your Chinese

  9. Allan George Dyer
    FAIL

    Recalling "some of the products it had sold in the US"

    See icon.

    More to do with lawsuits than actually solving the problem.

  10. fidodogbreath

    UPnP is a red herring in this thread

    The problem is that so many Thingies are easily hacked. The mechanism whereby they traverse the NAT firewall is irrelevant.

    Thingie makers have to figure out ways to walk Joe and Jane Average through the process of securing Thingies and their traffic. Given the huge variety of routers in use, it's just not reasonable to expect to solve this problem at the home gateway level.

    1. Mage Silver badge

      Re: UPnP is a red herring in this thread

      Not entirely, as it's a really easy one. However, you are right that even if UPnP didn't exist there would still be a problem.

      There is no complete solution. The Internet is going to get unreliable as if we are all living in some sort of post atomic war dystopian society. Add Facebook/Google etc slurping and outsource of core business function to the "cloud" when they should be in house, and the future looks unpleasant.

    2. Dwarf

      Re: UPnP is a red herring in this thread

      @Fidodogbreath (great handle BTW). I kind of agree with you, but probably not for the reasons you expect. The @AC asked how the compromise worked, hence the thread.

      UPnP is part of the problem because it's there and because of what it does: it exposes insecure things to the outside world in an automatic manner. This just builds on the previous solution of "home security" as touted by many ISPs with their ADSL routers with stateful firewalls and NAT, which was sold as two layers of security in years gone by. So, we just went full circle back to no effective security, but dangerously with the perception that it's still there.

      If we step forwards a bit, imagine if every device was accessible and each device had to secure itself in a recognised way using some industry standard; UPnP and NAT would cease to be necessary and then we are in a far better place. IPv6 is the obvious way forwards here, since it can do end-to-end encryption out of the box. Additionally, the need for Dynamic DNS goes away, since you have enough of your own space and you can take your IP addresses out to other parts of the Internet and still be reachable using the Mobile IPv6 capabilities.

      So, IPv6 will help to raise security as it will force vendors to better secure their devices and remove the false perception of security in most homes. Another byproduct is that the IPv6 protocol is heavier than the IPv4 protocol due to its expanded functionality, so there is a good chance that it will drive the home devices (including any IoT junk) to use more powerful processors, which in turn opens up more security options such as hardware assisted encryption; this is already present in some ARM processors (ARMv8 as an example), but not in things like Arduinos.

      I know that many here don't believe IPv6 is going to help; personally, I think that it's going to help a lot as the home infrastructure and the connectivity between devices is going to change radically. The groundwork has already been done to fix many of these problems. The gap I see is the lack of some trusted home focused authentication realm so that we can get away from passwords, as that's where many of these issues originate from.

      Is this cultural change that much different from when we went from dial-up to always-on Internet? Security was only there in that case as the connection was down unless you were using it, so layer-1 security was used and nobody had even considered the other layers at that point.

      All that is happening is that the security needs to go further up the stack, so that it's end-to-end.

    3. Peter Gathercole Silver badge

      Re: UPnP is a red herring in this thread @fidodogbreath

      You have a point, but to be hacked, you need a vector to get to one of these devices.

      If they are snug and secure behind a firewall (even one in a consumer grade DSL router), it will not be possible to even get to the device to attack it, regardless of how easy it is to hack. The reason why UPnP is being mentioned so much is that it is commonly used to expose the services of this type of device to the internet through a firewall.

      Unless you can show that the devices were either on an un-firewalled network or directly connected to the Internet, you're going to have to come up with a way that the attacker could initially get to the device to hack it other than UPnP. Until you do, that is still going to be the most likely culprit.

      Whether you like it or not, UPnP is a way for undisciplined devices to expose themselves. It's just a flawed service, and many knowledgeable people agree.
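      Peter Gathercole's point that UPnP is the usual route by which these cameras end up reachable from outside can be checked on one's own LAN. The following is an added example, not code from the thread or from any router or camera vendor: it discovers the gateway with an SSDP M-SEARCH, reads the device description to find the WANIPConnection (or WANPPPConnection) control URL, then walks GetGenericPortMappingEntry and prints every mapping the gateway currently holds open. Only standard UPnP IGD messages are used; no vendor-specific calls are assumed.

```python
"""Audit the port mappings a UPnP-enabled home gateway currently exposes.
Added example (not from the thread or any vendor): SSDP discovery, then
SOAP GetGenericPortMappingEntry calls against the WAN*Connection service."""
import re
import socket
import urllib.error
import urllib.request
from typing import Dict, Optional
from urllib.parse import urljoin

SSDP_GROUP = ("239.255.255.250", 1900)
IGD_DEVICE = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"
WAN_SERVICES = ("urn:schemas-upnp-org:service:WANIPConnection:1",
                "urn:schemas-upnp-org:service:WANPPPConnection:1")

def build_soap_request(service: str, index: int) -> bytes:
    """SOAP body asking for mapping-table entry number `index`."""
    return (
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
        f'<u:GetGenericPortMappingEntry xmlns:u="{service}">'
        f'<NewPortMappingIndex>{index}</NewPortMappingIndex>'
        '</u:GetGenericPortMappingEntry></s:Body></s:Envelope>').encode()

def parse_mapping_response(xml_text: str) -> Optional[Dict[str, str]]:
    """Return the New* fields of a GetGenericPortMappingEntry response, or
    None on a SOAP fault (an index past the end of the table yields UPnPError
    713 SpecifiedArrayIndexInvalid, which is how the walk below stops)."""
    if "<s:Fault>" in xml_text or "UPnPError" in xml_text:
        return None
    return {m.group(1): m.group(2).strip()
            for m in re.finditer(r"<New(\w+)>(.*?)</New\1>", xml_text, re.S)}

def describe_mapping(f: Dict[str, str]) -> str:
    """One audit line: which LAN host is reachable from outside, and how."""
    remote = f.get("RemoteHost") or "any"
    lease = "permanent" if f.get("LeaseDuration", "0") == "0" else f"{f['LeaseDuration']}s"
    return (f"{f.get('Protocol')} {remote}:{f.get('ExternalPort')} -> "
            f"{f.get('InternalClient')}:{f.get('InternalPort')} "
            f"[{f.get('PortMappingDescription', '')!r}, {lease}]")

def discover_gateway(timeout: float = 3.0) -> Optional[str]:
    """SSDP M-SEARCH for an IGD; returns the LOCATION URL of its description."""
    msg = ("M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
           f'MAN: "ssdp:discover"\r\nMX: 2\r\nST: {IGD_DEVICE}\r\n\r\n').encode()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(msg, SSDP_GROUP)
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    m = re.search(r"^LOCATION:\s*(\S+)", data.decode(errors="replace"), re.I | re.M)
    return m.group(1) if m else None

def find_control_url(location: str):
    """Read the device description; return (serviceType, absolute controlURL)."""
    desc = urllib.request.urlopen(location, timeout=5).read().decode(errors="replace")
    for service in WAN_SERVICES:  # tempered dot keeps the match inside one <service>
        pat = (r"<service>(?:(?!</service>).)*?" + re.escape(service)
               + r"(?:(?!</service>).)*?<controlURL>(.*?)</controlURL>")
        m = re.search(pat, desc, re.S)
        if m:
            return service, urljoin(location, m.group(1).strip())
    return None

def list_mappings(service: str, control_url: str):
    """Walk the mapping table from index 0 until the gateway faults."""
    mappings = []
    for index in range(256):  # far more entries than any home gateway holds
        req = urllib.request.Request(
            control_url, data=build_soap_request(service, index),
            headers={"Content-Type": 'text/xml; charset="utf-8"',
                     "SOAPAction": f'"{service}#GetGenericPortMappingEntry"'})
        try:
            body = urllib.request.urlopen(req, timeout=5).read()
        except urllib.error.HTTPError as e:  # HTTP 500 carries the UPnPError
            body = e.read()
        fields = parse_mapping_response(body.decode(errors="replace"))
        if fields is None:
            break
        mappings.append(fields)
    return mappings

if __name__ == "__main__":
    loc = discover_gateway()
    found = find_control_url(loc) if loc else None
    if not found:
        raise SystemExit("no UPnP gateway with a WAN*Connection service answered")
    for entry in list_mappings(*found):
        print(describe_mapping(entry))
```

      Run it from a machine on the home LAN. No answer to the M-SEARCH usually means UPnP is switched off on the gateway, which is the state the thread is arguing for; a permanent TCP mapping pointing at a camera's internal web port is exactly the automatic exposure Peter describes, and the fix is to delete the mapping on the router (or disable UPnP) rather than to trust the camera.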

      1. fidodogbreath

        Re: UPnP is a red herring in this thread @fidodogbreath

        If they are snug and secure behind a firewall (even one in a consumer grade DSL router), it will not be possible to even get to the device to attack it

        That's true, but it doesn't take into account that remote access to an IoThingie is most (if not all) of its value proposition.

        Consumers want IoThingies, and they will put them on their network...which is controlled by a router that shipped with UPnP enabled by default. Most users have no idea what that even means, much less how to change it.

        That's why railing against UPnP is pointless: that train left years ago. The solution has to lie elsewhere:

        EX1: Thingie vendor supplies a wizard to walk users through setting up a proper password, and does not make a UPnP port call until after that has been completed.

        EX2: Thingie comes pre-loaded with a randomly-generated ID and password that's printed on the device. If the user doesn't change them, well, at least they're not admin and password.

        Yes, UPnP sucks, but we're stuck with it. The security focus has to turn to the devices themselves and the apps and cloud systems that power them.
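        fidodogbreath's EX1 and EX2 can be sketched as device-side logic. The following is an added example and not any vendor's firmware: the Camera class, the function names and the port-mapping stub are hypothetical, and the serial number is constructed. The unit ships with a random per-device credential rather than a shared admin/password pair (EX2), the setup wizard refuses weak or unchanged passwords, and the UPnP mapping request is only issued once that step has completed (EX1).

```python
"""Provisioning gate for a hypothetical IoT camera (added example, no vendor code).
EX2: factory credential is random per unit and printed on the label.
EX1: the UPnP AddPortMapping request is refused until the credential is replaced."""
import hashlib
import hmac
import os
import secrets
import string
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MIN_LEN = 12
COMMON = {"password", "admin", "123456", "12345678", "qwerty", "1234567890"}
PBKDF2_ROUNDS = 100_000

def factory_credential(serial: str) -> Tuple[str, str]:
    """EX2: per-unit username (derived from the serial) and a random password.
    Both go on the sticker; neither is shared with any other unit."""
    alphabet = string.ascii_letters + string.digits
    user = "u" + hashlib.sha256(serial.encode()).hexdigest()[:6]
    return user, "".join(secrets.choice(alphabet) for _ in range(16))

def password_acceptable(candidate: str, factory_pw: str, serial: str) -> bool:
    """Policy the setup wizard enforces before remote access may be enabled."""
    if len(candidate) < MIN_LEN or candidate.lower() in COMMON:
        return False
    if candidate == factory_pw or serial.lower() in candidate.lower():
        return False
    return len(set(candidate)) >= 6  # rejects 'aaaaaaaaaaaa'-style strings

def hash_password(pw: str, salt: Optional[bytes] = None) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the plaintext is never kept on the device."""
    salt = salt or os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)

def verify_password(pw: str, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    calc = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(calc, digest)

@dataclass
class Camera:
    serial: str
    factory_user: str = field(init=False)
    factory_pw: str = field(init=False)          # only for the label printer
    pw_hash: bytes = field(init=False)
    provisioned: bool = False
    mapping_requests: List[Tuple[str, int, int]] = field(default_factory=list)

    def __post_init__(self) -> None:
        self.factory_user, self.factory_pw = factory_credential(self.serial)
        self.pw_hash = hash_password(self.factory_pw)

    def set_password(self, current: str, new: str) -> bool:
        """Wizard step: prove knowledge of the current credential, then replace it."""
        if not verify_password(current, self.pw_hash):
            return False
        if not password_acceptable(new, self.factory_pw, self.serial):
            return False
        self.pw_hash = hash_password(new)
        self.provisioned = True
        return True

    def enable_remote_access(self, external_port: int = 8080) -> bool:
        """EX1: refuse to ask the gateway for a mapping until provisioning is done."""
        if not self.provisioned:
            return False
        # Stub standing in for the real UPnP AddPortMapping call (hypothetical).
        self.mapping_requests.append(("TCP", external_port, 80))
        return True

if __name__ == "__main__":
    cam = Camera("XM-CONSTRUCTED-0001")  # constructed serial number
    print("label:", cam.factory_user, cam.factory_pw)
    print("remote access before setup:", cam.enable_remote_access())
    print("set weak password:", cam.set_password(cam.factory_pw, "password"))
    print("set good password:", cam.set_password(cam.factory_pw, "Correct-Horse-Battery-9"))
    print("remote access after setup:", cam.enable_remote_access(), cam.mapping_requests)
```

        Charles 9's objection below (people lose the sticker) is real, and this sketch does not solve it; what it does show is that the two proposals are a few dozen lines of firmware logic, not a hardware change, so the cost argument for shipping admin/password with the port already open is thin.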

        1. Charles 9

          Re: UPnP is a red herring in this thread @fidodogbreath

          "EX1: Thingie vendor supplies a wizard to walk users through setting up a proper password, and does not make a UPnP port call until after that has been completed."

          User doesn't HAVE a computer, so trying to talk them through a configuration process that may have to rely on an underpowered, non-spec portable device is just asking for hell desk trouble.

          "EX2: Thingie comes pre-loaded with a randomly-generated ID and password that's printed on the device. If the user doesn't change them, well, at least they're not admin and password."

          People lose the sticker. More hell desk trouble.

  11. Adam 52 Silver badge

    "Until there is a standards crackdown, and vulnerable devices are pulled offline, this will continue on and on until there is no internet left."

    This I dispute. Taken to its logical conclusion that means no unlicensed devices. No homebrew routers. No Raspberry Pi projects. No operating system tinkering. Everything connected to the Internet approved by Big Brother.

    1. Anonymous Coward
      Anonymous Coward

      Right on. Without kids tinkering with OSes on their Raspberry Pis there won't be a next generation of developers to implement said standards. The end result will be the same: "this will continue on and on until there is no internet left."

    2. Charles 9

      But without Big Brother, you'll just end up where we are now, in the anarchy of an Internet where no one can rein in the bad guys. Bad guys, in this case, protected by sovereignty.

    3. NullReference Exception

      Then things will have come full circle to where we were in 1967: only [Bell] approved devices may be connected to the [telephone] network. Connection of unapproved devices may result in network damage and is strictly prohibited...

      1. Charles 9

        Except this time the rogue devices have PROVEN to cause damage, so there's a legal basis now.

  12. Androgynous Cow Herd

    El Reg reported/predicted this sort of thing months ago:

    http://www.theregister.co.uk/2016/06/28/25000_compromised_cctv_cameras/

    In the comments, I reported one possible attach vector:

    "Not long ago I deployed IP cameras around my building - high traffic area with lots of tourists and others. I had the rest of the infrastructure (Cisco VSM) and my platform is ONVIF compatible, so I went to Amazon and bought some fairly generic ONVIF compatible cameras, rather than paying Cisco tax. The cameras work as needed and are actually nice, but the bundled software was amazingly bad from a security standpoint - will only run on windows, must be run from a browser, browser must be Internet Exploiter, turn off ALL security for the session with the camera app, install these plugins, trust the camera app to do lots of things it should not need to do ever....and then you are able to blow a new IP address into the camera. However, the camera was configured out of the box to connect to various "Free" services automagically and had factory settings that would have put the camera right on the internet and likely checking in with some CiC location when first plugged in if the user had used the default settings in their consumer grade router.

    No way to simply log into the camera and set IPs as I would expect, you had to deploy the craplication to configure the camera at all.

    A sandboxed VM was used to re-IP the cameras for the PoE subnet (and subsequently deleted), the cameras are on discrete switches with their own dedicated subnet and an invalid gateway, and the firewall supporting the does not show anything unexpected. But the out-of-box experience caused me to realize that this sort of IoT crap can be an entirely new attack vector."

    1. Anonymous Coward
      Anonymous Coward

      "In the comments, I reported one possible attach vector:"

      SEE what you have done!

  13. Frumious Bandersnatch
    Unhappy

    The future?

    I want to go back to the past. I have seen the future. It is a murderer.

    1. cray74

      Re: The future?

      The future eventually murders everyone so don't let that stop you from moving forward.
