
Ask HN: Why aren't botnet-fodder vendors' names (XiongMai, Dahua) in the news? - myself248
I had to dig into a few articles to find the names of the devices involved, but they're not in the headlines like Samsung has been. And for all the Note fires, Samsung hasn't even taken down the internet. (Yet.)
Among all the "it's going to get worse before it gets better" talk about IoT and embedded security, where's the pressure to get better? I'm sure a few technical folks who made these devices are ashamed, but they won't get additional resources to implement better security or to update old products until the CEOs feel the heat. How can this best be achieved?
======
simmons
I suppose these vendors are not major household names like Samsung, so it
doesn't make as good of a story. I also wonder if perhaps the general public
views attacks as inevitable -- sort of a force of nature -- whereas we view it
as a problem that can be greatly reduced with specific actions.

As a software developer in the consumer electronics industry, I am quite
concerned about these vulnerabilities and the industry's casual acceptance of
them. :(

~~~
myself248
> inevitable -- sort of a force of nature

Yeah, sort of! The attempts are inevitable, but I don't think the
vulnerabilities are.

I've long used the Three Little Pigs story when explaining security: Yes, the
wolf is always there, don't act shocked when you build a house of straw and
suddenly a horrible bad nasty despicable and thoroughly evil (just trying to
feed his family) wolf shows up.

The pig who hauled the brick did more work than the pigs who hauled sticks or
straw, but ended up not getting eaten. Everyone from the breakroom to the
boardroom should understand this analogy. I've found it helpful, anyway.

~~~
totalZero
True, but today's steel is tomorrow's sticks when it comes to vulnerabilities
like this one. Over time, old security protocols are cracked and new
vulnerabilities are found in existing devices.

------
rajangdavis
I work in this industry, but I might have some facts incorrect.

My understanding was that the devices that were hijacked are older (2-3 years
minimum) model NVRs and IP cameras. The firmware for these devices is built
on top of BusyBox. From what I can tell, this firmware comes with telnet
enabled and after many years of exploits, these companies fixed the firmware
and removed the exploit in newer releases (within the last 2 years).

The hijacked devices shared the same characteristics: telnet can be abused and
credentials to log into the device were set to default (admin/admin).

Add in a global registry of these devices (shodan.io) and you can essentially
tap into these devices fairly easily.

Whoever was behind the attacks using this firmware exploit must have a very
intricate understanding of the firmware IMO.

If it was the Chinese gov't, they would be impacting one of the largest
providers of CCTV from China (Dahua). The Chinese gov't favors another company
(Hikvision) who has raised 6 billion dollars to expand in the US; some of this
money came from the Chinese gov't. If China is behind these attacks, it might
be to mess with the US and protect their investment (which sounds like a bit
of a stretch).

Should these companies have their names out in the open? Probably not;
firmware in the last 2 years has removed telnet. You might be able to do some
damage with their HTTP API, but the device has to use default credentials.
Putting their name out might also encourage others to attempt the same type of
attacks.
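The two device characteristics named above (telnet reachable, default admin credentials) are also what a defender can look for in their own logs. The following is an added example, not code from the thread or from any vendor: a small detector run over constructed syslog-style lines in a hypothetical NVR/camera log format (the format, hostnames and addresses are assumptions, not real vendor output). It raises an alert for any telnet login at all, for a successful `admin` login from outside an assumed management subnet, and for one source address logging into many devices in succession, which is the pattern a mass-compromise of same-model devices would leave behind.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in a hypothetical "service: login ok/fail user=... from=..."
# syslog format. These are not real Dahua/XiongMai log lines.
SAMPLE_LOGS = [
    "Oct 21 13:02:11 nvr01 telnetd: login ok user=admin from=203.0.113.5",
    "Oct 21 13:02:13 cam07 telnetd: login ok user=admin from=203.0.113.5",
    "Oct 21 13:02:15 cam09 telnetd: login ok user=admin from=203.0.113.5",
    "Oct 21 13:05:40 cam02 sshd: login ok user=operator from=10.0.5.7",
    "Oct 21 13:07:01 nvr01 httpd: login fail user=admin from=198.51.100.9",
    "this line does not match the expected format and is skipped",
]

# Assumed management network: admin logins are expected only from here.
MGMT_NETS = [ipaddress.ip_network("10.0.5.0/24")]

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) (?P<svc>\w+): "
    r"login (?P<result>ok|fail) user=(?P<user>\S+) from=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["src"] = ipaddress.ip_address(ev["src"])
    return ev


def detect(lines, mgmt_nets=MGMT_NETS, fanout_threshold=2):
    """Return a list of (alert_name, host_or_hosts, source_ip) tuples."""
    alerts = []
    devices_by_src = defaultdict(set)  # source IP -> set of devices it logged into

    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue  # unparseable lines are skipped rather than crashing the detector
        outside_mgmt = not any(ev["src"] in net for net in mgmt_nets)

        # Telnet should be disabled entirely on these devices; any login is notable.
        if ev["svc"] == "telnetd":
            alerts.append(("telnet_login", ev["host"], str(ev["src"])))

        # A successful admin login from outside the management subnet suggests
        # the default credential is still set and reachable from the internet.
        if ev["result"] == "ok" and ev["user"] == "admin" and outside_mgmt:
            alerts.append(("admin_login_from_outside_mgmt", ev["host"], str(ev["src"])))

        if ev["result"] == "ok":
            devices_by_src[ev["src"]].add(ev["host"])

    # One source address succeeding against several devices is the fan-out
    # pattern of a mass compromise of same-model units.
    for src, hosts in devices_by_src.items():
        if len(hosts) >= fanout_threshold:
            alerts.append(("one_source_many_devices", ",".join(sorted(hosts)), str(src)))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```

The thresholds and the management subnet are deliberately simple so the logic is easy to read; in practice the fan-out rule would be windowed by time, and the "admin from outside" rule is only meaningful once the devices' remote admin interfaces are not themselves exposed to the internet, which is the actual fix the comment above describes (newer firmware dropping telnet, and the default password being changed).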

~~~
geek_slop
I have reviewed the code and indeed, it is fairly well written. Definitely a
professional coder. Not sure if they would have to have a deep understanding
of the firmware though. BusyBox is Linux-based and that's all they needed to
know. I also think the problem would be fairly easy to fix albeit, through
unconventional channels. If it can be hacked, it can be patched and locked
down, probably using the same code that the attacks are based on.

~~~
rajangdavis
Can you share the code? I am curious to see what kind of attack vectors
were applied.

Having enough product knowledge to be able to exploit the specific firmwares
is what I meant by a deep understanding of the firmware.

My hypothesis is that either the person spent some time working out which
cameras to attack, they had previous experience within the surveillance
industry, or they did research on common network recorder exploits.

------
Cozumel
Pure speculation, but maybe it's actually the Chinese?

We know it's Chinese equipment, we also know that industry there has strong
ties to the Government, see the Huawei investigation as an example (
[https://intelligence.house.gov/sites/intelligence.house.gov/...](https://intelligence.house.gov/sites/intelligence.house.gov/files/documents/Huawei-ZTE%20Investigative%20Report%20\(FINAL\).pdf) )

Maybe the Chinese Government encouraged their suppliers to pump out unsecured
crap, knowing they'd be in a position to flood the market and take advantage
of it later?

~~~
myself248
The "movie plot" part of my brain loves this theory, but Hanlon's razor
suggests otherwise.

~~~
axonic
For those unfamiliar, a geeky etymology [1] of Hanlon's Razor.

[1]
[https://en.m.wikipedia.org/wiki/Hanlon%27s_razor#Origins_and...](https://en.m.wikipedia.org/wiki/Hanlon%27s_razor#Origins_and_etymology)

------
ryanlol
Why should they be in the news? We're talking about a few hundred thousand
compromised devices at best. Windows malware regularly hits millions.

------
NietTim
You were just one day too early, the names are beginning to drop now

------
meira
Why aren't news in the news? I see no coverage at all

~~~
symlinkk
The attack was on the front page of the NYT website yesterday

here's the article: [http://www.nytimes.com/2016/10/22/business/internet-problems...](http://www.nytimes.com/2016/10/22/business/internet-problems-attack.html?ref=technology&_r=0)

