Despite threatening many media outlets and experts with legal action for tarnishing its brand regarding last week’s massive DDoS attack, Chinese electronics firm XiongMai Technologies (XM) said on Monday that it will issue a recall of “millions of devices” that use its technology. The company also admitted that its products “suffered” due to hackers gaining access and using them illegally.
What is strange is that, according to the company, firmware was released in September 2015 to fix any security vulnerabilities. Products that shipped after that date should, by default, not be vulnerable to attacks, yet XiongMai was listed as one of the vendors whose products were used in Friday’s attack.
“Since [September 2015], XM has set the device default Telnet off to avoid the hackers to connect,” the company said. “In other words, this problem is absent at the moment for our devices after Sep 2015, as hackers cannot use the Telnet to access our devices.”
The company added that its products now require end-users to set the username and password when they first power up the device. This prevents hackers from using generalized usernames and passwords like “admin/admin” or “admin/password” that is typically set as default by the manufacturer when a device ships.
Last week’s attack brought down many popular services on the internet in the United States including Twitter, Spotify, Reddit, Amazon, and numerous others. This was accomplished by a large distributed denial of service (DDoS) attack, which essentially floods a website’s host with so much junk data that it is either inaccessible, or is knocked offline entirely. Friday’s attack targeted a major DNS host called Dyn, firing at the company from “tens of millions of IP addresses” simultaneously.
The attack was carried out by gaining access to a massive number of internet-connected devices that use the default username and passwords assigned by the manufacturers. Part of the attack used Marai, an open source malware that scans the internet for these unprotected devices, infects them, and then opens the door for the hacker to use the device for sending a flood of junk data to a target.
Many of the devices used in the DDoS attack, which hit Dyn in at least three waves, led back to XiongMai. The company manufactures and sells a wide variety of circuit boards for DVRs as well as camera modules for webcams. While the company provided firmware to fix the former security issue in 2015, older products shipped with XiongMai’s electronics may not have the update.
A recent report revealed many infected devices linking back to XiongMai still had the default login credentials of “xc3511/xc3511.” To make matters worse, even though device owners could change the username and password through a web-based administration panel, that combo is hardcoded in the device’s firmware. Unfortunately, the tools needed to disable this default combo are not available.