On Oct. 23, one of the largest coordinated cyber attacks in history took down several major internet sites in the United States and Europe.
In the aftermath of the attack, one company in particular has been implicated: Hangzhou Xiongmai Technologies. According to security researchers, the Chinese company built hardware and software for internet-connected security cameras that was insecure. Hackers then infected the devices with a strain of malware known as Mirai, and used them to direct huge amounts of internet traffic to Dyn, a Domain Name System (DNS) provider that often serves as a virtual “first stop” for computers connecting to sites on the internet.
Popular websites including Twitter, Spotify, Netflix, and PayPal were knocked out by the Distributed Denial of Service (DDoS) attack, which unleashes so much traffic to a targeted website or service provider that it can no longer function.
Xiongmai’s negligence is without question, analysts say, but it is just part of a larger problem in the global hardware industry. In fact, the same system that brought exploding hoverboards into consumers’ homes last Christmas is responsible for unleashing hundreds of thousands of vulnerable cameras into American households—and probably millions of other equally vulnerable internet-connected devices.
As manufacturing supply chains have grown more fragmented globally, and electronics products have become commodities, security and safety standards haven’t caught up. While this particular attack knocked out popular websites, consumers’ personal information, from credit card details to the footage shot in their homes, is equally at risk. As hospitals, airplanes, and cars add internet-connected devices, it’s not just privacy that’s in danger—people’s lives will be too.
What is Xiongmai Technologies?
Analysts say Hangzhou Xiongmai Technologies is one of the industry leaders in making and selling IP (Internet Protocol) camera modules. Still, there’s scant public information about the company (it is not publicly traded), beyond its own website and a few public government records (link in Chinese, registration required).
Xiongmai was founded in 2009 in Hangzhou, a central Chinese city best known for being the home of online e-commerce giant Alibaba, with capital of 60 million yuan ($8.8 million). The company says it now employs over 2,000, including 300 researchers. Its current CEO, Chen Xiao’e, replaced former CEO Chen Jingsheng on Aug. 30, and the two men have several overlapping business ties. The company did not reply to repeated requests for an interview.
Like many Chinese entrepreneurs, Chen Jinsheng has several businesses. He is connected to two companies with Xiongmai in the name (roughly, it means “a big leap”): a property management and “waste removal” company, and an investment fund, both of which were founded in July. The camera company’s current CEO, Chen Xiao’e, is also the CEO and chairman of the property firm, and Chen Jingsheng holds a stake in it.
The current CEO is also head of Hangzhou Jufeng Technologies, which also specializes in smart cameras. Jufeng also owns a stake in Hangzhou Trade, and Chen Jinsheng is listed as a “supervisor.” All five companies are registered to the same address.
Hangzhou Xiongmai Technologies makes a number of internet-connected cameras and accompanying accessories under its own brand, often labeled “XM,” as well as camera components that it sells to “value-added resellers.” These middleman resellers—which can be household brands, or budding startups—package the components in a nice casing, put their name on the box, and then sell them through retailers like Walmart or Amazon.
In what now seems like foreshadowing, the company attracted controversy earlier this year when Chen Jinsheng proudly touted in a public speech (link in Chinese) the company’s relentless pursuit of cost-cutting in order to drive sales of low-end products. He was harshly criticized by peers for scrimping on research and development in order to cut costs.
“Xiongmai is not far from a disaster, so if you are Xiongmai’s customer today, tomorrow, when it seeks crazy market growth, it could be your nightmare,” wrote “Lao Wang” (link in Chinese), who identified himself as a 15-year cybersecurity industry veteran, on WeChat this June. He said that cost-cutting companies were “blood-sucking insects” killing China’s security industry, by driving prices down so low that it threatened to destroy it entirely. Chen Jinsheng stepped down soon after that speech.
How did this attack happen?
Hackers launched the DDoS attack by running Mirai, a strain of malware that identifies internet-connected devices with weak username and password settings—like “username” for username and “password” for password. It then takes control of these devices; in this case it directed dummy traffic towards Dyn.
Xiongmai was one of several hardware companies vulnerable to the attack because of the default login usernames and passwords its components shipped with. Making matters worse, according to research firm Flashpoint, the devices Xiongmai shipped also supported Telnet, an antiquated, unencrypted service that allows remote computers to log in to them. The login credentials for Telnet, Flashpoint discovered, couldn’t be changed on Xiongmai devices—even if the password to the consumer-facing web administration login was changed. This made these devices especially susceptible to security breaches. Many device makers phased out Telnet in the late 1990s, because of its vulnerabilities.
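The two defensive checks that follow from the description above, written as an added example (not code from the article, from Xiongmai, or from Flashpoint): one flags Mirai-style credential scanning in Telnet login logs, the other ranks inventoried devices by exposure, treating Telnet with credentials the user cannot change as the worst case. The log format, the inventory fields, the device names, the IP addresses and the credential pairs other than the ones the article quotes are all constructed for this example.

```python
"""
Added example: detection over constructed Telnet login logs, plus exposure
triage of an inventoried device, following the article's description of how
Mirai found its victims (default credentials, Telnet exposed, Telnet password
not changeable even when the web admin password is).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Pairs the article cites ("username"/"password", "password", "123456");
# the other entries are placeholders for a vendor's real default list.
DEFAULT_PAIRS = {
    ("username", "password"),
    ("admin", "password"),
    ("admin", "123456"),
    ("root", "123456"),
}

# Constructed line format for a hypothetical telnetd. A real daemon should
# never log the attempted password; it is included here only so the
# default-pair check can be shown on synthetic data.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) telnetd: login from (?P<src>\S+) "
    r"user=(?P<user>\S+) pass=(?P<pw>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample log: one host hammering cam-01 with default pairs,
# one legitimate operator on cam-02 with a typo on the second try.
SAMPLE_LOG = """\
2016-10-21T11:02:01Z cam-01 telnetd: login from 198.51.100.7 user=root pass=123456 result=FAIL
2016-10-21T11:02:02Z cam-01 telnetd: login from 198.51.100.7 user=admin pass=admin1 result=FAIL
2016-10-21T11:02:02Z cam-01 telnetd: login from 198.51.100.7 user=admin pass=123456 result=FAIL
2016-10-21T11:02:03Z cam-01 telnetd: login from 198.51.100.7 user=username pass=password result=OK
2016-10-21T11:09:15Z cam-02 telnetd: login from 192.0.2.10 user=operator pass=Tq9-vb2e result=OK
2016-10-21T11:40:00Z cam-02 telnetd: login from 192.0.2.10 user=operator pass=Tq9-vb2f result=FAIL
"""


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def scan_telnet_log(text, window=timedelta(seconds=60), threshold=3):
    """Return {'scanners': [...], 'default_ok': [...]}.

    scanners   - source IPs with at least `threshold` attempts inside `window`
    default_ok - (device, src, user) for successful logins using a default pair
    """
    attempts = defaultdict(list)
    default_ok = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        attempts[rec["src"]].append(rec["ts"])
        if rec["result"] == "OK" and (rec["user"], rec["pw"]) in DEFAULT_PAIRS:
            default_ok.append((rec["device"], rec["src"], rec["user"]))
    scanners = []
    for src, stamps in attempts.items():
        stamps.sort()
        # Sliding window: any `threshold` consecutive attempts within `window`.
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                scanners.append(src)
                break
    return {"scanners": sorted(scanners), "default_ok": default_ok}


def triage_device(dev):
    """Rank one inventory record (constructed fields) from 'low' to 'critical'."""
    if not dev.get("telnet_enabled"):
        return "low" if dev.get("web_password_changed") else "medium"
    if not dev.get("telnet_password_changeable"):
        return "critical"   # fixed Telnet credentials: the owner cannot remediate
    if not dev.get("telnet_password_changed"):
        return "high"       # Telnet reachable and still on the shipped default
    return "medium"         # Telnet reachable, but not with default credentials


# Constructed inventory: cam-01 is the case the article describes.
INVENTORY = [
    {"id": "cam-01", "telnet_enabled": True, "telnet_password_changeable": False,
     "telnet_password_changed": False, "web_password_changed": True},
    {"id": "cam-02", "telnet_enabled": True, "telnet_password_changeable": True,
     "telnet_password_changed": True, "web_password_changed": True},
    {"id": "cam-03", "telnet_enabled": False, "telnet_password_changeable": True,
     "telnet_password_changed": False, "web_password_changed": False},
]


def triage_inventory(inventory):
    """Map device id to its exposure rank."""
    return {dev["id"]: triage_device(dev) for dev in inventory}


if __name__ == "__main__":
    print(scan_telnet_log(SAMPLE_LOG))
    print(triage_inventory(INVENTORY))
```

The triage deliberately puts an unchangeable Telnet password above an unchanged one: the second can be fixed by the owner, the first only by the vendor, which is the distinction Flashpoint's finding turns on. In practice the log check would run on a collector in front of the cameras, since the devices themselves rarely keep useful login logs.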
While many internet-of-things (IoT) companies fail to secure their products properly, Xiongmai’s approach is particularly egregious, said Brian Karas, who follows the video surveillance industry at research firm IPVM. “In the current age of IoT devices, this is not just leaving your front door unlocked, it is like leaving it open for anyone to walk through,” he told Quartz.
After security researchers implicated Xiongmai in the attack, the company admitted its problems. “Security issues are a problem facing all mankind. Since industry giants have experienced them, Xiongmai is not afraid to experience them once, too,” the company wrote in a Chinese-language statement, before announcing a “recall” of 10,000 devices.
Why no one cares about security
While Xiongmai bears some responsibility for enabling the attacks, it’s one of dozens of camera makers that made similar mistakes. The roots of the security problem lie in the structure of the security camera industry, and the consumer electronics industry at large.
Components suppliers like Xiongmai are paid to make and deliver a certain amount of hardware for a set price, which usually gets rebranded under another company’s name. The rebranding company does the marketing to consumers, bears any responsibility for faulty products, and makes the profits from then on. Since Xiongmai makes no money once products leave the warehouse, it’s not incentivized to care that much about how well they’re made, beyond what the branding company asks for, said Bryce Boland, Asia Pacific CTO at network security firm FireEye.
These mostly Chinese manufacturers face fierce competition from their peers, each gunning to sell modules to the myriad of security camera companies—which now include legacy hardware firms like Honeywell, budding startups like Nest, and a plethora of unknown brands. Even among consumer-facing brands, the industry is heavily fragmented, data from research firm IHS suggests—the market leader for security cameras, Hikvision, represents only 17% of the total market.
Consumers, meanwhile, don’t buy cameras because they’re secure, they buy them for special features like waterproofing, sharp image resolution, or a Minion-shaped casing. Manufacturers like Xiongmai could fix the security issues, said Boland, but instead “spend as little money as possible on security, in order to make as much margin as possible.”
Consumers also bear some responsibility for enabling the Mirai attacks. Research shows people repeatedly resist picking strong passwords for their devices. Rather than taking 10 seconds to choose a strong one with dollar signs and a mixture of uppercase and lowercase letters, they lazily resort to guessable ones like “password” and “123456.”
“The solution to eliminating and preventing infections from this malware isn’t super difficult,” Brian Krebs, an independent security journalist, wrote on his blog. “Mirai is loaded into memory, which means it gets wiped once the infected device is disconnected from its power source,” and changing the default password protects the device from being rapidly reinfected when it is turned back on.
More widespread than hoverboards
The DDoS attack on Dyn might not appear to have much in common with the string of hoverboard explosions that occurred last year. But the incidents are actually quite similar.
Just as hoverboard manufacturers cut costs by using cheap lithium-ion batteries prone to overheating, Xiongmai and its ilk cut costs by overlooking software features that could have prevented malware from infecting its devices.
The fly-by-night emergence of China’s hoverboard manufacturers and American importers made it difficult to pinpoint a single group of faulty boards, leading to a blanket crackdown on all of them. Likewise, the fragmented nature of the security camera industry makes it difficult to identify which specific devices are vulnerable to an attack. At any point in time, one security camera brand might stuff one device with a Xiongmai module, and stuff another, identical device with a module made by a Xiongmai competitor.
Unlike hoverboards, though, there’s already some sort of internet-connected camera in millions of homes and businesses around the world.
This is why Xiongmai’s “recall” of over 10,000 of its units will have little impact. There are likely many more cameras with Xiongmai components operating in households right now, although neither Xiongmai nor its partners has publicly stated which brands and devices are vulnerable. (Krebs made a list of the susceptible devices, but it’s neither confirmed nor complete.)
Says Karas: “A user who wants to do the right thing cannot just look at their camera and say, ‘Oh, this says Brand Z on the box, so I’m not affected.’ Nobody really truly knows how far and wide the vulnerable devices are spread.”
The public risks are real
Generating public awareness about the dangers of hoverboards was easy. Pictures of burnt-down houses flooded local media throughout November and December 2015, prompting retailers to pull the item from shelves at the urging of the US Consumer Product Safety Commission (CPSC).
But the security of IoT devices will be more challenging, as there are no US government regulators or independent agencies directly responsible for it. The CPSC told Quartz it cannot issue recalls of Xiongmai or other vulnerable cameras because the malfunction “seems to be related to an invasion of privacy,” and that’s not what it regulates. The CPSC will only intervene “when there is a risk of physical harm to consumers because of a defect with the product.”
The US Department of Homeland Security convened after the attacks with 18 “major communication service providers” to discuss how to better secure IoT devices. But it’s not clear which specific agency will ultimately oversee such digital security.
For most consumers, the DDoS attack on Dyn marked a minor inconvenience—Spotify or Twitter remained inaccessible for a few hours, but no greater harm was caused. But the same tactics used to slow internet access across the US could also be used to steal someone’s credit card information or email login credentials, spy on their home, or much worse in the near future.
“This becomes a big issue when devices are being embedded in major industrial control systems, in defense systems, in hospitals, in devices that fly around in the air,” says Boland. “The implications for security are far more significant than just a massive DDoS on the internet. And we need to address these risks now.”