Recalls May Become The Norm For IoT Devices If Security Doesn’t Improve Significantly

Status
Not open for further replies.
Securing devices like these from such botnet usage shouldn't be difficult. You can do something as simple as having a hardware switch to control write access to what the devices can connect to and then they can no longer connect to web services they aren't supposed to connect to. If there's a hardware inability to connect to Dyn DNS, then you can't disrupt their services even if someone gets into the devices!

Or you could, ya know, change the password from the default. At least make the hackers have to exploit one of the infinite vulnerabilities that are sure to be there to get access and control. Tell your customers that they need to change the passwords of products they buy before the products can be used. You can even go as far on DVRs and the like to have a randomized password that is printed on a sticker on the side like some routers have. At least then physical access is needed to get the password.
 

Jeff Fx



The problem is that companies are financially rewarded for getting a product out the door before their competitors, and there's no penalty for producing dangerously insecure devices. All they care about is that things work well enough to not be returned.
 

problematiq



A problem is not that there is not a fix, there is. A simple firmware update fixes the vulnerability. The real problem is that no one is going to update the firmware of their cameras, they just don't care. This problem will stay till the cameras are phased out in a 7-15 year timeline.

You are correct, with little effort they could mitigate these problems before selling them.

Also these are "usually" hardcoded passwords on the OS of the camera, there is no way of changing them without updating the firmware.

The only semi-practical fix would be on the network level.

Edit: Additional info.
 

termathor

I think the US gov is probably the only one to realise how IoT is gonna be a gigantic lens for any kiddie attack onto internet components if nothing is done to regulate this market security.

Pending regulation, as we've seen over the last 5+ years, manufacturers JUST. DON'T. CARE. It's Somebody Else's Problem!
And they've addressed it, so far, just like that, upon discovery of the really awful snafu:
- issue a statement "we take our users security seriously, blah, blah"
- come up with a half-baked new FW, addressing only the most easily exploitable flaw

With big money spent for each snafu, this may change.
 