
Webcams used to attack Reddit and Twitter recalled - rietta
http://www.bbc.com/news/technology-37750798
======
piker
Forgive me if I overlooked it in the article, but if this recall is being
conducted at Hangzhou Xiongmai's own initiative, it should be applauded. No
doubt it'll be expensive to fix these up, and it's not clear that the
organization has any real liability for the security faults. People are
suggesting that we should "name and shame", and I somewhat agree, but I think
we should also applaud efforts of those who are taking the expensive steps of
fixing the problem with no direct incentive to do so.

Because the DDOS's costs are borne externally to the consumer, consumers can't
really be counted on to mandate security fixes. On the other hand,
establishing liability for a company adding to a preexisting botnet through
security faults seems tenuous.

One solution seems to be regulation (self or third-party), and it's exciting
to see a manufacturer take this issue seriously and start us down the path of
self-policing.

[edit: for clarity]

~~~
adrianratnapala
I join you in applauding Hangzhou Xiongmai in doing the recall.

Still, I think liability (for either users or manufacturers) is the right
answer. If your device is participating in a DDOS, then it is a bad actor and
you should pay for that.

As for regulation, I am in favor of the _right_ regulations (which I suspect
will be rules about liability). The danger is that we end up with rules
forcing particular engineering methods and security certifications.

That will benefit the incumbent companies who already used the official
methods, without necessarily improving the software. In fact it would create
"standing targets" that will benefit attackers.

~~~
thomasahle
> If your device is participating in a DDOS, then it is a bad actor and you
> should pay for that.

I wonder how that would play into the debate on gun manufacturers being
responsible for people shot and car manufacturers for people run over.

It's hard to find a good way to make a law about this, that doesn't end up
taking ownership away from the owners.

~~~
adrianratnapala
Gun users and car users are already liable in these cases.

In the case of IoT security, it's probably more realistic that we see
manufacturers held liable. But in my book owner liability would be fine
exactly because it keeps ownership with the owner.

If some DDOS victim can show your camera was pinging them, then he can sue you
for 1 cent per ping or something. It's only $200 in total, no big deal. But it
will make you ask for more security on your next IoT purchase.

~~~
Larrikin
$200 would be devastating to large swathes of the population in the US

~~~
cfjgvjh
True, but I wonder if they'd be buying IoT devices in the first place.

------
alex1
There should be recalls from more manufacturers. Someone I know purchased a
surveillance camera with a major brand name (Samsung) from Costco [0] just a
few weeks ago that gave me a root shell by simply telneting in as root with no
password and no way to reliably set a root password or disable telnet. It was
returned the following day. Last I checked, Costco is _still_ selling it. This
problem isn't confined to cheap Chinese cameras you can buy online. Vulnerable
devices are being sold at major American retailers and they are still on the
shelves.

[0] http://www.costco.com/Samsung-SmartCam-HD-Plus-1080p-Wi-Fi-IP-Monitoring-Camera-Bundle-SNH-V6414BN.product.100234327.html

~~~
rietta
Yeah, this is one reason I still don't have security cameras set up on my home
network. If I decide to get them, I am going for a dedicated ethernet network
just for cameras and no internet connection. I _may_ allow a VPN to an inside
the house server to see footage. According to the Wirecutter, Nest cameras are
some of the better commercial ones but I've still not bought one or done any
review myself.

~~~
exhilaration
When we were shopping for a baby cam to keep an eye on the baby, I opted to
get a simple RF cam [1] instead of the more popular IP cameras that allow you
to use your smartphone and monitor from anywhere.

The lower tech approach means you can park a van in my driveway and probably
pick up the signal but that's a lot harder (and more obvious) than scanning an
IP range from anywhere in the world and finding vulnerable devices.

[1] https://www.amazon.com/Foscam-FBM3501-Wireless-Digital-Monitor/dp/B00DNBA82S

~~~
thomaskcr
I got a Wansview camera and assigned it a static IP and just don't allow any
traffic not originating from the chromecasts or tablet -- it's nice because
all the TVs do picture in picture with the baby camera.

Still pretty weird seeing the constant log entries trying to reach a couple
servers - I've been doing traffic capture since I'd like to see what it's
trying to do. One is obviously the plug-n-play stuff, but it's crazy that
those packets apparently get broadcast outside the network (? - I haven't
really looked into how that PnP IP/port is handled but it's getting caught at
my firewall).

------
rietta
Is this recall of IoT devices the first of a kind? While it is but a drop in
the bucket of IoT insecurity, it has to be an expensive way for the Chinese
firm Hangzhou Xiongmai to learn that having the same password on all devices
is a bad security idea. Other manufacturers should take note.

~~~
coldcode
At least shaming the manufacturers into considering security is a good thing
if it makes them avoid being shamed in the future by caring about security.
But I doubt most people who bought and use these devices will care as long as
they still work.

~~~
mkertajaya
Agreed. This is a good business decision to issue a recall. It probably won't
cost too much since very few people will actually return it.

------
0xmohit
It's common to see people frown upon seeing

    curl ... | sh

Sad that we happily allow a _black box_ to connect to our internet without any
inkling of the fact that it might be used to attack someone, spy upon someone
(ourselves?), ...

~~~
witty_username
What is wrong with curl | sh with HTTPS?

Linux does essentially the same thing with GPG signatures instead.

~~~
antocv
It doesn't ever work.

I've yet to see a "curl https://thisshit.net/trust/us/really/we/have/https
| bash" script which didn't fail for whatever dumb reason, such as only working
on specific variants of Ubuntu, with specific packages installed in specific
version, and/or RedHat.

Usually these shit scripts fail when trying them out, for curiosity, in
ArchLinux, Gentoo or Alpine Linux.

Sandstorm.io looking at you.

If you are already going to invest in making "an install script" with
defined/researched which packages/versions with which your software needs, for
various platforms - submit this data to that platform as a
debian/{control,etc} to make a .deb or specfile for .rpm or PKGBUILD or
whatever, and use the platform's _build tools_ to generate a platform specific
package - be a package maintainer if you have to.

Another side effect of telling your users to curl | bash, is I won't ever use
your software. You didn't make the effort to do the right thing with packaging,
why would you have done any better for whatever it is you're trying to do with
your shit software? (sandstorm again).

~~~
geofft
Don't all the same criticisms apply to `./configure && make install`?

~~~
antocv
Sure, so make it clear what curl | bash is, tell your users "we don't have any
packages for your system, here is the source and we use X build tool, please
do ./configure && make install, or cmake or whatever", that would have been
nice.

When I have to install packages from source, I have a more secure/locked down
linux container, with seccomp applied, dropped capabilities etc, then if I
intend to use the software over longer time, and expect updates, I skim
the source and build-system quality, quickly write a PKGBUILD or APKBUILD,
build it, install it into its own new container - with iptables filtering
outgoing connections, and that's it, sometimes submit the APKBUILD to alpine
testing or aur.

And all this is easier than curl | bash oh watch it fail for dumb reason in
the install script - and I did try that, the time spent troubleshooting the
install script is longer than time to sandbox the whole thing as described
above.

So, if I can do it, why can't the project? Why spend their efforts on writing
an install script instead of package-build instructions to various
distributions?

~~~
geofft
For Sandstorm in particular, it doesn't necessarily run inside a container
since it is itself a container management / sandbox tool, makes use of seccomp
protections, etc. I'm not sure what the best way to sandbox Sandstorm is.
Maybe get a separate VM instance.

(I am a Sandstorm fan, but I don't have it installed because it wants me to
flip some sysctl about user namespaces or something, and I don't currently
have a separate machine to do that on)

~~~
kentonv
> it wants me to flip some sysctl about user namespaces or something

FWIW, this is no longer needed! Sandstorm has been updated to work without
user namespaces and this installer script change will remove the check from
the installer (will probably ship this week):

https://github.com/sandstorm-io/sandstorm/pull/2656

(You will need to let Sandstorm start as root if you don't want to flip the
sysctl, though.)

~~~
antocv
> You will need to let Sandstorm start as root

Joke of today, thanks for the laugh.

~~~
geofft
What do you run as root that isn't accessible to other users on your system,
and why are you deploying Sandstorm on this machine?

If it's a single-user machine, any process running at any privilege level can
trivially get root by editing ~/.bashrc and aliasing the sudo command.

~~~
antocv
Aliasing the sudo command? Are you serious?

I don't even have sudo, let alone if I had it, I wouldn't use its dumb caching
of credentials/session or "ask no password" "feature".

Just because my system is single-user doesn't mean I run every process with
that one user, in fact I run firefox as its own user, chrome has its own, mpd
as its own user, nginx is its own user and so on. This is basic security
practice.

If you seriously think that it is so easy to get root just because you can run
a process as a normal user - "by aliasing sudo command", then by all means run
everything as root, what's the harm or big deal, right? Why do you even have a
user which is non-root?

Why can't sandstorm run like lighttpd or nginx - as their own user, requiring
no capabilities, in fact even syscalls can be revoked from them with seccomp
and they will still work fine. All they need is socket api, file system api (
open close create), and some others, no they don't need to load kernel modules,
ptrace or open_file_handle_at and so on.

~~~
kentonv
nginx usually needs to _start_ as root, in order to bind low-numbered ports,
but the worker processes run as non-root.

Sandstorm works exactly the same way.

nginx _can_ run as completely non-root, if you are OK with high-numbered
ports.

Sandstorm can too, if you are OK with high-numbered ports and if unprivileged
user namespaces are enabled.

(It sounds like you actually use UID separation for security on a desktop.
That's cool, although keep in mind that if everything is talking to the same X
server, then UID separation probably doesn't help much. If you're serious
about this approach you should probably be using QubesOS.)

------
vanderZwan
> _The web attack enrolled thousands of devices that make up the internet of
> things - smart devices used to oversee homes and which can be controlled
> remotely._

It's almost poetic that the IoT devices in question are remote-controllable
webcams, since constant surveillance is the _other_ symbol of a dystopian Big
Brother society.

------
bitmage
Has anyone seen an explanation of how the telnet port on these devices is
getting exposed to the internet to be exploited? I would think that most home
users are behind a NAT device. Even with UPnP, why would the manufacturer have
that port set to be forwarded?

~~~
stevetrewick
It's UPnP [0]. It was _always_ going to be UPnP. UPnP is the wrong set of
trade offs and always was. And even making it 'off by default' won't solve the
problem because the standard instructions for getting any multiplayer game or
IoT gizmo to work are 'turn on UPnP'.

Not that this in any way absolves the OEM for the utter idiocy of including
the telnet port in their forwards at all and the absolute negligence of having
it active by default and 'secured' by a single or small combination of well
known auth tuples.

But yeah, that's really what they did. Here's the section of Mirai's scanner.c
that sets up the destination port. [1]

    // Set up TCP header
    tcph->dest = htons(23);
    tcph->source = source_port;
    tcph->doff = 5;
    tcph->window = rand_next() & 0xffff;
    tcph->syn = TRUE;

They really did just forward port 23. Tempting to call malfeasance but at best
massive incompetence.

[0] https://www.us-cert.gov/ncas/alerts/TA16-288A

[1] https://github.com/jgamblin/Mirai-Source-Code/blob/master/mirai/bot/scanner.c

~~~
voltagex_
I've never seen any embedded UPnP implementation (I think the spec is
"Internet Gateway Device") require any kind of authentication before
forwarding ports. I wonder if that's even possible?

------
zitterbewegung
Is this the first time that this has happened? A severely insecure device
leading to a recall.

~~~
brk
The other company that was widely affected by this, Dahua (see my coverage
here: https://ipvm.com/reports/dahua-ddos?code=hn) also issued a
statement that they would offer a trade-in discount for affected devices. It
wasn't a full recall, and you have to jump through some hoops (work with
authorized dealer, etc.) in order to get it.

------
phonon
Underwriter's Laboratories should start including basic security hardening in
their tests.

~~~
pjc50
Vulnerabilities can be surprisingly hard to find:
http://mjg59.dreamwidth.org/45098.html

(Matthew is an absolute expert at breaking into cheap IoT devices)

~~~
blueatlas
But with this particular vulnerability, e.g. weak passwords and no way to
reset it, I would think that UL could in fact test for this and fail the
device.

I like the idea of UL testing for at least _basic_ security vulnerabilities.

~~~
SolarNet
I think you mean testing for basic security best practices. Testing for
vulnerabilities is the hard part, but having good practices is easier to test
(e.g. is it a vulnerability or a feature it can't reset?).

------
DenisM
One down, one million to go.

There is no way these horses can be put back into the barn, there are too many
of them. As long as consumers make their decision based on price there is
every incentive for the manufacturers to continue cutting corners - the ones
that put extra work into security will be at disadvantage compared to those
playing fast and loose.

Can we talk about BGP flowspec instead? Filtering offensive traffic early and
often can end DDoS once and for all.

~~~
ra1n85
> Can we talk about BGP flowspec instead? Filtering offensive traffic early and
> often can end DDoS once and for all.

What about spoofing? Until broadband providers get serious about BCP 38, this
is just cat and mouse.

~~~
jjawssd
Is BCP 38 difficult to implement? It seems like something most edge routers
should already support.

------
brk
And at the same time, the company recalling those products is issuing threats
against anyone who is defaming their "goodwill":
https://news.ycombinator.com/item?id=12778954

------
creeble
This article doesn't mention the brand names of cameras manufactured by
Hangzhou Xiongmai. Anyone know any?

~~~
agalarza
It appears that on Amazon they're sold under the name "XM".

https://www.amazon.com/Surveillance-Infrared-Recording-Wireless-included/dp/B01DNHFC2C

If you sort by the seller there you can see they make dashcams and webcams.

------
beamatronic
Was it possible to take control of these cameras even if they were behind a
consumer firewall? Is the issue that consumers were connecting them directly
to the Internet, not behind a firewall?

------
nickjackson
Would it not make sense for broadband router manufacturers to step up here,
especially ISPs who provide routers to customers.

First of all, IoT devices really need to be connected on isolated vlans with
very strictly controlled WAN capabilities. Obviously this already exists, but
not in the fashion a layman, who wants to put their fridge on the wifi will
understand. The average home routers need cleaner interfaces and clearer
abstractions rather than the cruft that exists now.

Does your fridge really need to access the internet, and if it does, perhaps
you could set up your router to only allow access at certain times, to a single
host and with circuit breaker protections in case traffic has a signature that
matches that of a DDoS attack. This circuit breaker pattern could be extended
to all traffic running through the router, and provide the user with reports
of potential infected devices and traffic hungry users.
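
The router-side policy described in the comment above (allowed hours, a single permitted host, a circuit breaker and a report of suspect devices), as an added example that is not from the thread or from any router firmware. The class names, thresholds and flow records are constructed for illustration; the trip signature is fan-out to many distinct destinations, which is what the port 23 scanning quoted elsewhere in this thread looks like from the router.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, time, timedelta


@dataclass(frozen=True)
class DevicePolicy:
    allowed_hosts: frozenset                 # the few hosts a device may reach
    allowed_from: time = time(0, 0)          # start of permitted time of day
    allowed_until: time = time(23, 59, 59)   # end of permitted time of day
    max_distinct_dsts: int = 5               # fan-out limit per sliding window
    max_packets: int = 200                   # volume limit per sliding window
    window: timedelta = timedelta(seconds=10)


class EgressBreaker:
    """Per-device egress filter that stops forwarding once traffic looks abusive."""

    def __init__(self, policies):
        self.policies = policies             # device IP -> DevicePolicy
        self.recent = defaultdict(deque)     # device IP -> (timestamp, destination)
        self.tripped = {}                    # device IP -> why the breaker opened

    def _trip(self, device, reason):
        self.tripped[device] = reason
        return "drop", "breaker open: " + reason

    def check(self, ts, device, dst, dport):
        """Return (verdict, reason) for one outbound connection attempt."""
        policy = self.policies.get(device)
        if policy is None:
            return "drop", "no policy for device"
        if device in self.tripped:
            return "drop", "breaker open: " + self.tripped[device]

        # Count every attempt, including ones the allowlist will reject:
        # rejected attempts are exactly what a scanning device produces.
        seen = self.recent[device]
        seen.append((ts, dst))
        while ts - seen[0][0] > policy.window:
            seen.popleft()
        distinct = len({d for _, d in seen})
        secs = int(policy.window.total_seconds())
        if distinct > policy.max_distinct_dsts:
            return self._trip(
                device, f"{distinct} distinct destinations in {secs}s (last port {dport})")
        if len(seen) > policy.max_packets:
            return self._trip(device, f"{len(seen)} packets in {secs}s")

        if not policy.allowed_from <= ts.time() <= policy.allowed_until:
            return "drop", "outside allowed hours"
        if dst not in policy.allowed_hosts:
            return "drop", "destination not on allowlist"
        return "allow", "ok"

    def reset(self, device):
        """Close the breaker again once the owner has dealt with the device."""
        self.tripped.pop(device, None)
        self.recent.pop(device, None)

    def report(self):
        """Devices the owner should look at, with the reason for each."""
        return dict(self.tripped)


def run_sample():
    # Constructed data: documentation address ranges, hypothetical devices.
    fridge, camera = "192.168.20.5", "192.168.20.7"
    policies = {
        fridge: DevicePolicy(frozenset({"203.0.113.10"}), time(6, 0), time(22, 0)),
        camera: DevicePolicy(frozenset({"203.0.113.20"})),
    }
    day = datetime(2016, 10, 21)
    flows = [
        (day.replace(hour=3), fridge, "203.0.113.10", 443),    # outside hours
        (day.replace(hour=11), fridge, "203.0.113.10", 443),   # normal check-in
        (day.replace(hour=11), camera, "203.0.113.20", 443),   # normal check-in
    ]
    # The camera then tries port 23 on six different addresses within seconds.
    flows += [(day.replace(hour=11, second=i), camera, f"198.51.100.{i}", 23)
              for i in range(1, 7)]
    # Even its legitimate destination is cut off while the breaker is open.
    flows.append((day.replace(hour=11, second=9), camera, "203.0.113.20", 443))

    breaker = EgressBreaker(policies)
    verdicts = [breaker.check(*flow) for flow in flows]
    return verdicts, breaker.report()


if __name__ == "__main__":
    verdicts, report = run_sample()
    for verdict, reason in verdicts:
        print(verdict, "-", reason)
    print("suspect devices:", report)
```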

------
davidf18
As someone who was a VLSI design engineer for 4 years, as well as having extensive
software experience, much of the disruption happened because of poor
engineering. There should always be redundancies in critical systems. The
groups such as Twitter, Reddit and Spotify did not use redundant DNS providers
relying only on Dyn. Moreover, DNS should be designed so that the systems are
more resilient to attacks. The initial design of the internet was meant to
withstand nuclear attacks after all.

There is absolutely no way that we can protect all devices on the internet
from being bots, etc. Just as it is almost pointless blaming hackers when in
most cases the hacks were because of breaches from failure to update software, to
put in proper security software, and to hire top level consultants to
implement secure systems.

Put another way, we can't possibly jail everyone who would want to steal
money. That is why we use safes.

~~~
jjawssd
Fair point, but how do you decide how much redundancy is excessive? I can
always construct a scenario which will require more redundancy and more cost.

~~~
davidf18
It would depend on how critical the element is to the system. I would expect
at least one backup system. That is there should be at least one major backup
DNS provider for example. Some systems on airliners have two backups.

------
perch56
A significant number of these cameras were bought on Aliexpress and EBay. How
are they going to do the recall when they don't even know the end customer?

~~~
icebraining
Aliexpress and Ebay don't ship the products, the sellers do know who the
buyers are, at least their name and address.

~~~
perch56
Ok when I said "they" I meant the manufacturer(s). Look at Samsung and their
inability to do a proper recall for the Note 7. A lot of the stores from
Aliexpress disappear after one year of existence. I think the proper thing to
do immediately is to reverse Mirai and force a password reset on the affected
devices.

------
glennos
It's disappointing the article doesn't give any actionable detail of the
recall. From what I can see, Hangzhou Xiongmai is a components manufacturer,
not a retail brand, so there's no practical way to identify an affected device
with the information here.

------
Alex3917
So by subsidizing each webcam by a dollar or two, China is able to deploy
millions of pieces of hardware to the U.S. that can be used to map and destroy
our infrastructure for a total cost of a few hundred thousand dollars. If done
purposefully, this has to be one of the most efficient military spends in
history.

~~~
tdkl
You forgot the part where people are voluntarily buying those, because they
cost less. Of course those made in California would be totally safe, but damn
shame about that globalism.

~~~
the_trapper
> Of course those made in California would be totally safe

Maybe I'm too cynical, but from what I know about the NSA and other three
letter US Government agencies, I beg to differ.

Additionally, good luck finding any type of electronic device that is entirely
made in the USA. I honestly can't think of anything with a printed circuit
board that is assembled in the USA from 100% American-made parts.

Then of course there's always the whole engineers taking shortcuts to meet
unrealistic deadlines thing. Somehow network security tends to be very low on
the list of priorities when you have to make a profit.

~~~
dimino
This has nothing to do with governments, it's freaking _hard_ to build secure
software. There'd be bugs in American software just like there are bugs in the
foreign software.

------
abc_lisper
I think I see an opportunity for something new here.

Why isn't there an uber secure OS written in a high level language that would
prevent easy privilege escalations, vulnerabilities caused by buffer overruns
etc?

It would be nice to have a standard security approving body (like FCC) that
gives out graded standards.

It is like every generation forgets the mistakes of the past and repeats them.
When $5 Raspberry Pi is powerful enough to run desktop OS, I see no reason to
not adopt a high-level language that prevents basic security violations at the
roots.

~~~
jjawssd
I think this method requires too much effort and attention to detail to be
realistic, although I do agree this would be an ideal solution. It makes more
practical and economic sense to put an electronic network "condom" around a
dirty, likely misconfigured and insecure IoT device.

------
zaroth
I think the real problem here lies in the lack of auto-update. Devices will
always have vulnerabilities, constantly being discovered, which once
weaponized will be just as trivial to own a large swath of devices as
telneting for root was here.

The UCC provides an implied warranty for suitability for intended purpose. The
FTC defines unfair and deceptive business practices to require a baseline
level of security commensurate with the sensitivity of the data that could be
exposed or the potential damages that can be inflicted. As in most cases, new
laws tend to make things worse, we just need to do better with the old laws.

It's not that it's illegal to sell someone a Io(S)T device that can be owned
for running a DDoS, but I am willing to bet it is illegal or at least creates
significant liability for the manufacturer to sell such a device that also has
no way to be fixed after that flaw is discovered.

What would be nice is a simple industry standard labeling that indicates a
device has auto-update functionality, along with a large numeral indicating
the number of years from date of purchase that updates will be provided. The
same decal could be used on computers, phones, routers, and IoT.

Just like we trained consumers to look for the WiFi Alliance logo to know the
router or card they are buying will "just work" I think we are missing a label
which would drive consumer confidence and encourage good behavior by the
manufacturers.

Probably an industry consortium already exists for something like this, but I
just haven't heard of it... Because there's no such thing as a new idea,
right?

------
Too
Wow, with more and more crap entering the market and more and more people
connecting things, it seems like in the future it would be nearly impossible
to prevent these types of attacks.

Who could you hold responsible? The user for not setting a password or the
manufacturer for accidentally creating a backdoor? Neither is really
reasonable nor feasible. Filtering the attack is also extremely hard due to
the scale of distribution.

Will this lead to a more locked down internet?

~~~
skywhopper
Hopefully it will lead to some regulation of these devices. That's a dirty
word to many, but the fact is that Internet-connected devices are part of a
global community, and need to behave safely, and being open to hijacking by
criminals is not safe.

The proposal I like best is that the industry should get out in front of this,
and build a self-regulatory organization now which issues recommendations and
certifications of Internet-connected products. Then governments could simply
require compliance with the industry norms, established and vetted by the
industry, and we can keep political institutions out of micromanaging the
electronics industry.

The model to follow here is Underwriters Laboratory, which sets standards and
grants certifications for electrical and industrial supplies and equipment.
Then, for example, city governments can just specify that everyone installing,
say, outdoor lighting at their home must purchase lights and outlets rated for
wet outdoor usage by the UL.

~~~
kefka
Egress filtering, or filtering packets not of the source network, would go a
long way here. It wouldn't fix everything, but it would be a definite start.
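
The source-address check behind the BCP 38 comment earlier in the thread and the egress-filtering comment above, as an added example that is not from the thread: a packet is forwarded only if the most specific route to its claimed source points back out of the interface it arrived on (the strict reverse-path variant). The interface names and prefixes are constructed, using documentation address ranges.

```python
import ipaddress


class SourceValidator:
    """Strict reverse-path check at a provider edge router."""

    def __init__(self, routes):
        # Longest prefix first, so the first match is the most specific route.
        self.routes = sorted(
            ((ipaddress.ip_network(prefix), ifname) for prefix, ifname in routes),
            key=lambda route: route[0].prefixlen,
            reverse=True,
        )

    def best_route(self, addr):
        """Longest-prefix match for addr, or None if nothing covers it."""
        for net, ifname in self.routes:
            if net.version == addr.version and addr in net:
                return net, ifname
        return None

    def check(self, in_if, src):
        """Return (accept, reason) for a packet with source src seen on in_if."""
        addr = ipaddress.ip_address(src)
        route = self.best_route(addr)
        if route is None:
            return False, "no route to source"
        net, ifname = route
        if ifname != in_if:
            # The claimed source lives somewhere else: spoofed or misconfigured.
            return False, f"{net} is reached via {ifname}, not {in_if}"
        return True, f"{net} via {ifname}"


# Constructed routing table: two customer ports and an upstream default route.
SAMPLE_ROUTES = [
    ("0.0.0.0/0", "upstream"),
    ("198.51.100.0/24", "cust-a"),
    ("198.51.100.192/26", "cust-b"),   # more specific block carved out for B
]

# Constructed packets: (arrival interface, claimed source address).
SAMPLE_PACKETS = [
    ("cust-a", "198.51.100.10"),    # customer A using its own address
    ("cust-a", "198.51.100.200"),   # customer A claiming customer B's address
    ("cust-a", "203.0.113.7"),      # customer A claiming an outside address
    ("cust-b", "198.51.100.200"),   # customer B using its own address
    ("upstream", "203.0.113.7"),    # outside address arriving from outside
    ("upstream", "198.51.100.10"),  # customer address arriving from outside
]


def run_sample():
    validator = SourceValidator(SAMPLE_ROUTES)
    return [validator.check(in_if, src) for in_if, src in SAMPLE_PACKETS]


if __name__ == "__main__":
    for (in_if, src), (ok, reason) in zip(SAMPLE_PACKETS, run_sample()):
        print(f"{in_if:9} {src:16} {'accept' if ok else 'drop':6} {reason}")
```

Strict mode assumes traffic from a source leaves and returns on the same interface, so multihomed customers with asymmetric routing need a looser variant of the check.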

------
keysersosa
Though I'm happy we got top billing in the headline, Reddit wasn't actually
impacted directly (though of course many of the sites we linked to were).

------
socmag
You guys are crazy. A probably small creative team simply made an error while
building a camera in good faith that was abused by criminals. Who is the
victim here?

What's all this crap about simple fun web cameras as "Bad Actors"... In fact
the use of the term "Actor" as applied to a pretty dumb piece of electronics
is pretty creepy in itself. What are we trying to do here?

The term "State Actor" is fairly new in terms of popular usage. Thanks to CNN
and media, we are being trained to know this word in a particular context.

Now, we are being trained to place dumb pieces of electronics in the same
bucket as Russia and China. LOL

I'm sure there wasn't a meeting where the camera manufacturer execs sat around
a table and said let's make these things blow up the world.

And you know, even if there was, the shame lies on the fact that we don't have
better edge level security that can detect and shut down abnormal traffic
patterns close to source.

There is some fairly low hanging fruit here. Routers and gateways with pretty
damn simple algorithms could detect and prevent these types of attacks if they
were available.

The network should protect itself against "Bad Actors", because... trillions
of devices are a coming, and we can't expect them all to be certified to
protect the network. The concept itself is completely absurd.

Far better to improve the infrastructure than to impose per device level
policies. It's the IETF that needs to step up. Not the guys in a garage who
couldn't code.

Sure maybe they could have done a better job, but from the level of
programming we are currently at it is an absolute certainty that this will
happen again whether we like it or not.

~~~
SrslyJosh
> A probably small creative team simply made an error while building a camera
> in good faith that was abused by criminals. Who is the victim here?

Everyone who's been affected by the DDOS. Manufacturers are responsible for
the security of their devices. If you ship something that's vulnerable, it's
you to fix it. If there are damages, those come out of your pocket.

> It's the IETF that needs to step up. Not the guys in a garage who couldn't
> code.

No. If you're a guy in a garage who can't code, you shouldn't be writing code,
let alone shipping devices.

Are you for real, or some kind of astroturf account?

------
martin-adams
I've been concerned about the security of IoT devices for a while as the low
cost devices generally do have security as an after-thought.

However, these being used for a DDoS attack puts a spotlight on the issue.
While I don't know the solution, I feel it will become harder for
manufacturers to shrug this off.

------
dammitcoetzee
So... if a company does all due diligence to perform a recall, but very few
people actually send back their five dollar web camera. Is the company pretty
much off-the-hook then if that customer's kept webcam gets hacked and is used
to brick a nun's IoT pacemaker?

~~~
sirshoelace
I would imagine they are off the hook for liability if they issue a recall,
and I would also imagine there are going to be probably less than 5% of
devices actually returned. How many end users of these products have any idea
that they were part of this attack and how many end users will care enough
about some cheap Chinese electronic device to send it back and wait for a
refund/replacement?

------
cdw2
So, do there exist _any_ IP cameras that are simple, secure and don't open a
crazy number of ports for bizarre, unnecessary protocols whilst including a
steaming pile of PHP (or similar) to provide a buggy, over-engineered,
exploit-ridden web interface?

I could do with some for a farm project at the moment, but as far as I can
tell, they're uniformly awful. Are there any that are reflashable with
something more respectable, even?

Ideally what I want is a video stream over TCP with power-over-ethernet
support - and no other services.

------
rjblackman
I'm surprised we haven't seen anything exploiting rompager yet. This is a very
widely used web server in home routers

https://www.shodan.io/search?query=rompager
http://www.pcworld.com/article/2861232/vulnerability-in-embedded-web-server-exposes-millions-of-routers-to-hacking.html

------
scottmf
Apple made a good call with its "strict" requirements for HomeKit devices.

http://www.forbes.com/sites/aarontilley/2015/07/21/whats-the-hold-up-for-apples-homekit/#39031ee4322b

~~~
dmritard96
it's easy to be secure when virtually nobody has your devices...

~~~
scottmf
I'm not sure what point you're making. Which devices are those?

~~~
dmritard96
my point was simply that homekit has been incredibly slow to gain any adoption
and is pretty limited in terms of who can make things (mfi program), what
hardware needs to be in your product (special auth chips..) etc. As a general
strategy, if your iot strategy requires iot device makers include special
chips and use specific factories, it's a rather closed way to approach the
market.

~~~
scottmf
MFi isn't too limited. You must just apply and meet certain standards. The
benefit is you have access to a huge market (iOS users).

What's wrong with this approach? Imagine the PR disaster if this DDoS attack
was caused by HomeKit devices.

As a potential future user of HomeKit it's reassuring to know security is a
real concern here. I'm glad I won't have to probe the device to check it isn't
running a telnet server with no root password, for example.

When we're talking about an internet-connected camera or a front door lock,
yeah I'm going to want high standards for security. If that slows down HK
adoption so be it. If I wanted a convenient-but-insecure lock compatible with
my existing devices _today_ I'd just leave my door unlocked.

~~~
dmritard96
i think this perspective conflates good security and bad security with a
single approach.

"You must just apply and meet certain standards" - your factory also needs to
apply and meet standards, not just you. we work with a fantastic factory that
builds high quality products (numerous baby and toy products) and is large
(>45K employees). they aren't mfi certified (it's not just meeting
standards, it's an application process that costs time and money).

"The benefit is you have access to a huge market (iOS users)." - we already have
access to this market. The main thing is slapping a little homekit badge on
the packaging and slightly tighter integration with siri.

agreed with you that nobody wants to be at fault for taking down the internet
due to bad security on their devices, but it's a bit misleading to suggest that
apple's approach is a good way to do it.

what's fundamentally wrong with it is the cost it imposes onto companies making
something compatible with their ecosystem. I don't want to add a few dollars
to my BOM so that I can further help their ecosystem. I also don't like the
closedness but I understand that is apple's general approach. I want to have
open APIs and cloud integrations. Radio/hardware level integrations are fine
but given the giant mess that is IoT radio standards, I would rather just
integrate via https.

For perspective on how this makes it down market:

Let's say I want to make a Thread compatible device and a homekit compatible
device. I have now likely added 4-8USD to my BOM. Typical multipliers from BOM
to retail are 3-5X or more so we could have just added 32 usd to our price. Or
we could have just done a cloud integration and used the wifi or bluetooth
chipset we were going to use anyways...

~~~
scottmf
I agree it's not a complete security solution, but it's certainly a good
baseline if nothing else.

> The main thing is slapping a little homekit badge on the packaging and
> slightly tighter integration with siri.

It's integration into the entire HomeKit platform including the new Home app
across multiple devices.

Thanks for the in-depth numbers. Personally I'd pay an extra $20 for something
HomeKit compatible, especially if I'm paying $150+ anyway. I've been looking
at some devices lately and haven't even considered anything which doesn't
integrate with HomeKit.

------
dimino
Laws won't fix this, recalls won't fix this, what we need to do is find a
technical solution to the DDoS problem.

You can't un-ring this bell, and it might actually be harmful to try. A free
and open Internet is more important than DDoS attacks.

------
ausjke
It's not webcams technically, they're the IP surveillance cameras which run a
customized Linux with some scripts and an RTSP server, and definitely not
designed for public IPs.

------
dmix
If they are connected to the internet, why not push out an update to fix the
default password issue?

A hardware recall seems silly when it's clearly a software issue. Unless they
didn't include any firmware updating system... which is likely the elephant in
the room not being addressed with most insecure IoT devices. Android faced
this problem as well and has recently made progress addressing it. Although a
lot of phone companies get in the way and manufacturers have very short
support lifespans.

~~~
dmritard96
This. We build IoT devices and frankly, we are late shipping while we are
doing heavy duty testing on FOTA. Happy to ship late to avoid being part of a
botnet and to make sure we can improve our products over time. Depending on
the complexity of the product, FOTA can be rather complex and I don't expect
budget device makers that aren't particularly branded to bother.

------
rabboRubble
What a stupid, inaccurate, article title. Shame on the beeb.

Edit: Better? "Webcams used to attack a DNS provider recalled."

------
fryan
Is the denial of service attack on DNS servers still going on? Major sites are
still much slower than last week.

------
cbr
Good for them! A recall is the responsible option at this point, and I hope
other manufacturers do the same.

------
user5994461
How many devices are recalled? What percentage of the DDoS were they
responsible for? Not enough information.

------
lgleason
What about the routers and other cheap devices? This is a drop in the bucket.
Until regulations (and strong enforcement) of devices requiring device
security to sell them in countries like the US, UK, EU etc. happen this will
continue to be a problem.

------
donatj
Does anyone know if Foscams were affected at all? I unplugged mine to be
safe.

------
harrisonmalone
This is extremely disconcerting

------
ge96
I wonder if when you hit show parent (yesterday) it wouldn't load...

------
jordache
there needs to be a regulation body, similar to NHTSA that regulates security
of digital products.

~~~
greggman
Be careful what you ask for. How is any software nowadays different?

If I set up a raspberry pi with camera and there are exploitable bugs in the
software is the creator of the software liable? Does every piece of software
open source and closed source need to be approved by a regulation body before
you're allowed to run it? Distribute it? Put it on GitHub?

There's nothing unique about IoT devices. They're just computers. If you
regulate one you arguably have to regulate the other.

~~~
jordache
I'm not saying IoT devices specifically. We can define the regulation
threshold at mass consumer digital and connected products.

Yes, digital/software is inherently less tangible and trickier to regulate
than a physical product sold at smaller volumes, but we need to start
somewhere. Poorly made digital+connected products distributed in large volumes
can have tremendous impact to the world population.

------
Thaxll
A recall where you could just upgrade the firmware?

~~~
detaro
Can you still do so reliably on a compromised device?

~~~
sp332
Yes. The Mirai software runs in memory. You can clear the infection just by
rebooting the device. But if it's connected to the internet, it will be
reinfected again within minutes, unless you change the admin password.

~~~
joosters
You mean, one of the known botnets runs only in memory.

We've no idea if there are others out there who attack these devices and
subvert the firmware too.

~~~
sp332
Sure, and even if there isn't one today, it's probably just a matter of time
before nastier stuff gets out there.

------
cabalamat
We need a new acronym: IoCT = the Internet of Crap Things.

~~~
rakoo
I much prefer InternetOfShit
([https://twitter.com/internetofshit](https://twitter.com/internetofshit))

------
dghughes
I'm designing a weapon of mass disruption: IoT confetti. Bow to my demands or I
will send you an exploding yet tasteful confetti card with 50,000 confetti all
trying to access your wifi network.

------
Lagged2Death
_Webcams used to attack Reddit and Twitter recalled_

I think it's kind of troubling that "the vast variety of information services
that comprise the internet" apparently means "Reddit, Twitter, and Facebook"
to laymen now.

~~~
jdc0589
the title was just a really terrible summation of the attack. TONS of websites
were affected. Some huge like reddit and twitter, and some tiny ones.

------
cwilkes
> "Security issues are a problem facing all mankind," it said. "Since industry
> giants have experienced them, Xiongmai is not afraid to experience them
> once, too."

The courage to try something new. Oh wait it isn't new, this is being a
copycat.

~~~
codazoda
It's probably just bad English but it really sounds like, "everyone gets
hacked, we don't care".

~~~
Scirra_Tom
The company issued the recall, it could be hugely expensive for them and is
the right thing to do. Looks like they do care to me!

------
dalore
> If your webcam is hijacked you have effectively let an intruder enter your
> home

Except it's not. They can't touch me, hurt me physically, take things away.
All they can do is see me.

So what, they see some guy in front of a computer. I'm more worried about the
hacks that can take over my keyboard, and can access financial data. But even
then it's the bank's problem and insurance that will take care of it.

~~~
geofft
If they can see some guy in front of a computer, can't they see some guy in
front of a computer typing a password into a financial website?

------
arzeth
So there must be a law:

1. Any device with internet access must be able to automatically update all
its software.

2. Because a manufacturer can either go out of business (some devices are
used for >10 years) or not care about its users, all its software must be open
source. Code which needs to be secret can be stored at the hardware level.

3. But if software is open source, it doesn't mean there would be people
who'll fix the bugs, therefore there should be a list of OSes approved (by a
regulator and EFF?) to be used on IoT devices. The development of these OSes
should be public (on GitHub, etc.). By having ~10 different OSes instead of a
million, solving bugs would be possible and much easier.

4. By having such a list of approved OSes, we also solve the problem of having
vulnerabilities in the updating process, e.g. missing signatures, using
RSA-1024 or even RSA-512 for signatures.

5. By having such a list of approved OSes, it'll be easy to maintain the live
kernel patching service (in the future it'll be hard to imagine an OS without
it).

6. By having such a list of approved OSes, the community would quickly fix the
problem of using default passwords.

Without such law, expect 10 Tbit/s attacks in a year, and >500 Tbit/s attack
in 2022 (if popularity of IoT would increase as fast as mobile phones did).
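
The two update-process failures named in point 4 of the comment above (missing signatures, short RSA keys) can be refused before an image is ever flashed. The following is an added Python example, not part of the thread or any vendor's code; `check_update`, the 2048-bit floor and the test keys built from Mersenne primes are assumptions made for the illustration.

```python
import hashlib

MIN_RSA_BITS = 2048  # assumed policy floor; the comment calls out RSA-1024 and RSA-512
# DER prefix of the SHA-256 DigestInfo used by RSASSA-PKCS1-v1_5 (RFC 8017, 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def encode(image: bytes, n: int) -> bytes:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(image), padded to the modulus size."""
    k = (n.bit_length() + 7) // 8
    t = SHA256_PREFIX + hashlib.sha256(image).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def check_update(image: bytes, signature, n: int, e: int) -> str:
    """Return 'accept', or the reason the update must not be installed."""
    if not signature:
        return "reject: unsigned"
    if n.bit_length() < MIN_RSA_BITS:
        return "reject: weak key"  # refused even if the signature itself verifies
    s = int.from_bytes(signature, "big")
    if s >= n:
        return "reject: bad signature"
    k = (n.bit_length() + 7) // 8
    # Rebuild the full expected block and compare it whole (no lenient padding parse).
    if pow(s, e, n).to_bytes(k, "big") != encode(image, n):
        return "reject: bad signature"
    return "accept"


def toy_key(a: int, b: int):
    """Constructed test key from two Mersenne primes: trivially factorable, demo only."""
    p, q, e = 2**a - 1, 2**b - 1, 65537
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))


def sign_for_demo(image: bytes, n: int, d: int) -> bytes:
    m = int.from_bytes(encode(image, n), "big")
    return pow(m, d, n).to_bytes((n.bit_length() + 7) // 8, "big")


# Constructed sample inputs (not real firmware or real vendor keys).
FIRMWARE = b"constructed firmware image v2"
N_OK, E_OK, D_OK = toy_key(1279, 2203)      # 3482-bit modulus, passes the floor
N_WEAK, E_WEAK, D_WEAK = toy_key(521, 607)  # 1128-bit modulus, RSA-1024 class
SIG_OK = sign_for_demo(FIRMWARE, N_OK, D_OK)
SIG_WEAK = sign_for_demo(FIRMWARE, N_WEAK, D_WEAK)
```

The weak-key case is the instructive one: `SIG_WEAK` is a mathematically valid signature, so a verifier without a key-size floor would accept it.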

