At this point it’s clear that thousands of poorly-secured IoT devices were used in the recent large-scale DDoS attacks against krebsonsecurity.com and OVH. Ongoing analysis points to devices manufactured by a Chinese company called XiongMai Technologies, which makes generic Digital Video Recorder (DVR) and Internet camera devices that are sold to vendors who use them in their own products.
Chinese vendor Dahua sells products that use these vulnerable devices. Dahua products appear several times in the list of affected devices published by Brian Krebs, and Flashpoint Intel also identifies Dahua devices as being involved.
Companies like XiongMai Technologies and Dahua share the blame for flooding the Internet with these easily-co-opted devices. XiongMai Technologies created devices that are inherently insecure and unsuitable for direct connection to the Internet. Dahua either failed to comprehend the danger, or chose to ignore it, producing deeply flawed consumer devices and – as Brian Krebs puts it – dumping toxic waste onto the Internet. These devices are spread around the globe, most to be plugged in and forgotten for years, ready to be abused by whoever can find them. Some of these devices can’t actually be fixed, since their vulnerabilities exist in firmware that can’t be updated.
Dahua’s response to all this isn’t likely to reduce concerns, since it tries to shift the blame onto users who failed to change default passwords, while ignoring the fact that these passwords cannot be changed in some cases.
What can be done about this? Beyond locating and removing the current crop of vulnerable devices – a difficult task in itself – how can we avoid this situation in the future? Preventing poor quality products from entering the market is ultimately the responsibility of governments. Until authorities get involved, this is likely to keep happening. If they fail to act now, the attacks will continue to get worse until commerce is affected, at which point it will no longer be possible for governments to ignore the problem. Bruce Schneier shares this view.
The good news is that the European Union is already taking action. The EU is planning to upgrade its telecommunications laws, which are now expected to include requirements for labeling IoT devices that are secure and approved for Internet connection. This kind of labeling already works well for showing the energy usage of electrical appliances.
Kudos to the European Commission for recognizing that the ongoing flood of crappy IoT devices is a major contributor to Internet-related problems, including the recent, massive DDoS attacks. Let’s hope that other governing bodies wake up soon.