IoT devices are the new emerging world. Roughly 10 billion such devices are in our daily lives at this moment, and this number is expected to multiply quickly. What are these devices? Look at your wrist, your home thermostat, your TV, your lighting, the HVAC at your office, the traffic (ground and air) systems, and billions more internet-connected sensors around the world.
IoT hacked, weaponized
Most recently, and publicly, an online journalist's website was taken down with the use of commandeered consumer IoT devices (about 500,000). This was not hard, and can easily be replicated by anyone with about an extra 10 hours on their hands (and a bit of legal protection). The analysis linked below is rich and worth diving into, but I wanted to highlight a different viewpoint:
- First, white label risks: if you are branding a chip, gadget, component, software package, or the like from another business, YOU must ensure the technology is up to your standard: secure, high quality, safe for the user, and an enjoyable experience. Liability risks would be interesting to explore, but beyond those costs …
- Second, customer experience ruined with your device / service. If you had a vulnerable piece of technology (because you didn't vet it), and then every device you sold was suddenly rebooting, not working, ruining that vital Netflix binge, etc. … how do you think consumers will react? Not a pleasant scene, given how hard we each work to build beautiful customer experiences with our products.
- Finally, this problem won't go away. Every one of those vulnerable (500k!!!) devices will ALWAYS be vulnerable, given that the weaknesses were hard coded (permanently written into the product) and cannot be changed. Not a fun recall process, and with such low margins, how many will actually mandate it / be required to do so / who is looking over this fast and loose area of products?
- I firmly believe we can do better, must do better, and will either be given the chance or mandated to do just that. How are others vetting these processes? How could all of these white label sourcing / procurement teams have caught this sooner? How complex would it have been to detect and validate? Given the number of successful attacks on this single product, it seems it would have been quite easy to accomplish. Tongue in cheek, I'd recommend the book I wrote for my family, How Not To Be Hacked, as it highlights specifically NEVER to leave default passwords; but in this case, the vendor made them permanent.
Let's do better together and make richer experiences. The only true solution to stopping these zombie IoT devices will be for carriers to block them wholly on the wire, internet-bricking / banishing them to an offline world.
The culprit behind the KrebsOnSecurity.com and OVH attacks is traced back to one white-box DVR manufacturer, China-based XiongMai Technologies. The company sells white-labeled DVRs, network video recorders and IP camera circuit boards and companion software to a large number of vendors who in turn use the technology in their own products, according to a Flashpoint blog post on the DDoS attacks posted Friday. In the case of XiongMai Technologies, it made the fatal error of using a default username "root" and password "xc3511" combination on each of the 500,000 devices used in the DDoS attacks.