Skip to main content

After Friday’s attack, XiongMai recalls millions of devices that use its tech

xiongmai technologies recall devices friday ddos attack ddosattack
Image used with permission by copyright holder
Despite threatening many media outlets and experts with legal action for tarnishing its brand regarding last week’s massive DDoS attack, Chinese electronics firm XiongMai Technologies (XM) said on Monday that it will issue a recall of “millions of devices” that use its technology. The company also admitted that its products “suffered” due to hackers gaining access and using them illegally.

What is strange is that, according to the company, firmware was released in September 2015 to fix any security vulnerabilities. Products that shipped after that date should, by default, not be vulnerable to attacks, yet XiongMai was listed as one of the vendors whose products were used in Friday’s attack.

“Since [September 2015], XM has set the device default Telnet off to avoid the hackers to connect,” the company said. “In other words, this problem is absent at the moment for our devices after Sep 2015, as hackers cannot use the Telnet to access our devices.”

The company added that its products now require end-users to set the username and password when they first power up the device. This prevents hackers from using generalized usernames and passwords like “admin/admin” or “admin/password” that is typically set as default by the manufacturer when a device ships.

Last week’s attack brought down many popular services on the internet in the United States including Twitter, Spotify, Reddit, Amazon, and numerous others. This was accomplished by a large distributed denial of service (DDoS) attack, which essentially floods a website’s host with so much junk data that it is either inaccessible, or is knocked offline entirely. Friday’s attack targeted a major DNS host called Dyn, firing at the company from “tens of millions of IP addresses” simultaneously.

The attack was carried out by gaining access to a massive number of internet-connected devices that use the default username and passwords assigned by the manufacturers. Part of the attack used Marai, an open source malware that scans the internet for these unprotected devices, infects them, and then opens the door for the hacker to use the device for sending a flood of junk data to a target.

Many of the devices used in the DDoS attack, which hit Dyn in at least three waves, led back to XiongMai. The company manufactures and sells a wide variety of circuit boards for DVRs as well as camera modules for webcams. While the company provided firmware to fix the former security issue in 2015, older products shipped with XiongMai’s electronics may not have the update.

A recent report revealed many infected devices linking back to XiongMai still had the default login credentials of “xc3511/xc3511.” To make matters worse, even though device owners could change the username and password through a web-based administration panel, that combo is hardcoded in the device’s firmware. Unfortunately, the tools needed to disable this default combo are not available.

Kevin Parrish
Former Digital Trends Contributor
Kevin started taking PCs apart in the 90s when Quake was on the way and his PC lacked the required components. Since then…
Tesla recalls nearly a half a million vehicles over safety issues
The front of a Tesla Model 3.

Tesla is recalling nearly half a million Model 3 and Model S vehicles in the U.S. over safety issues related to the rearview camera and the trunk.

Specifically, 356,309 Tesla Model 3 electric cars (model years 2017 through 2020/production dates July 15, 2017 through September 30, 2020) have been recalled over a problem with the trunk harness coaxial cable that could wear away and cut the feed from the rearview camera to the center display.

Read more
Ubisoft takes Rainbow Six: Siege DDoS attack providers to court
Tom Clancy's Rainbow 6: Siege

Ubisoft filed a lawsuit against the owners of SNG.ONE, a website that allegedly provides distributed denial-of-service (DDoS) attacks against Tom Clancy's Rainbow Six: Siege.

To address frequent DDoS attacks against Rainbow Six: Siege, which causes multiplayer matches to lag and servers to crash by overloading them with too much information, Ubisoft implemented a plan against them in September 2019. The frequency of the DDoS attacks plunged by 93% afterward, according to Ubisoft, and it is now looking to take another major step in securing a victory against the disruptive practice.

Read more
Authorities arrest suspect behind World of Warcraft Classic DDoS attacks
world of warcraft classic ddos attacker arrested orc

The suspect behind the distributed denial of service attacks against World of Warcraft Classic earlier this month has been tracked down and arrested, following Blizzard's commitment to ensure a smooth experience for players.

The DDoS attacks that hit World of Warcraft Classic started on September 7. As players started complaining of server issues, a person who goes by UkDrillas on Twitter took credit for the attacks, tweeting out warnings 30 minutes before each wave. Logging into most of the game's servers during that time was nearly impossible, while those who were able to connect were eventually kicked from the game.

Read more