posted by martyb on Tuesday October 25 2016, @12:22PM
from the rein-in-the-bots dept.

Home webcams that were hijacked to help knock popular websites offline last week are being recalled in the US.

Chinese electronics firm Hangzhou Xiongmai issued the recall soon after its cameras were identified as aiding the massive web attacks.

They made access to popular websites, such as Reddit, Twitter, Spotify and many other sites, intermittent.

Security experts said easy-to-guess default passwords, used on Xiongmai webcams, aided the hijacking.

The web attack enrolled thousands of devices that make up the internet of things - smart devices used to oversee homes and which can be controlled remotely.

Will we go through this over and over with toasters, refrigerators, and every other connected appliance?


  • (Score: 4, Funny) by q.kontinuum on Tuesday October 25 2016, @12:48PM

    by q.kontinuum (532) on Tuesday October 25 2016, @12:48PM (#418508) Journal

    The risk posed by toasters etc. could have been averted by applying Betteridge's law. Too late.

    Will we go through this over and over with toasters, refrigerators, and every other connected appliance?

    should have been the headline...

    --
    Registered IRC nick on chat.soylentnews.org: qkontinuum
    • (Score: 2) by VLM on Tuesday October 25 2016, @01:10PM

      by VLM (445) on Tuesday October 25 2016, @01:10PM (#418516)

      Well... OK... other than you got Betteridge backwards, he says the answer is always no but in this case the answer is obviously yes.

      You can tell BTW that it was a professional hit. I know goofy as hell non-professional people and if they powned "all the worlds webcams" they would do something hilarious like make every image the camera ever returns be the goatse guy or the lemon party to tubgirl or . Or whatever the top meme is on /pol/ at this instant. Or creepy as hell eye or face staring back at the viewer with "big brother is watching you" maybe add a NSA logo to make it authentic. Or a NASA picture of the surface of the moon or mars, or even funnier a (fake?) pix of the supposed TV stage set for the faked lunar landings. That would be hilarious. Remember that "art project" statue of naked Hillary Clinton? Yeah I ... I ... can't even say it. Viewing that might turn me to stone like medusa. Maybe to keep the meme rollin and not just get the cams replaced immediately that type would add an overlay so every webcam video has pedobear waving on it. Anyway yeah the point is professionals hit stuff that doesn't really matter like twitter but will get coverage so they can blackmail like banks and stuff, whereas non professionals would almost certainly gain access, take a huge bong hit, and travel down an entirely different path.

      The idea of some Chinese company getting all its cameras powned and they continue to take pictures but only display the goatse guy is like something I'd read in an 80s cyberpunk novel by Gibson. Either that or a multinational conspiracy to hunt down a guy who stole 4 megs of ram, oh wait that was an actual 80s cyberpunk novel although not a very good one.

      Like many Stross readers I immediately freaked out at the news of powned cameras and make sure they were not loaded with project SCORPION STARE. Although goatse or SCORPION STARE I'm not entirely sure which is more psychologically scarring.

      • (Score: 2) by Phoenix666 on Tuesday October 25 2016, @01:14PM

        by Phoenix666 (552) on Tuesday October 25 2016, @01:14PM (#418519) Journal

        the goatse guy... Remember that "art project" statue of naked Hillary Clinton? Yeah I ... I ... can't even say it.

        Wait, Hillary is the goatse guy? My god, that explains so much.

        --
        Washington DC delenda est.
      • (Score: 2) by q.kontinuum on Tuesday October 25 2016, @01:23PM

        by q.kontinuum (532) on Tuesday October 25 2016, @01:23PM (#418522) Journal

        Well... OK... other than you got Betteridge backwards, he says the answer is always no but in this case the answer is obviously yes.

        I didn't have him backward. When the question is

        Will we go through this over and over with toasters, refrigerators, and every other connected appliance?

        I obviously want the answer to be "No", in order to *not* go through all this again. (Of course I expect we will see the same problems for each and every new IoT device, but that was the slightly neurotic point: By putting the question into the headline, thus invoking Betteridge's law, we might have changed it to "No" :-))

        I agree that I would probably also have had some more entertaining ideas for the camera, but i.e. if someone is just a convinced privacy-fan, I could also imagine how he would use a classical surveillance device to disrupt a couple of cloud-services.

        Cyberpunk: Talking about someone getting in trouble for a RAM module, I just read Neuromancer [wikipedia.org]. Although there the RAM story was only a tiny side-story. I can highly recommend that book.

        --
        Registered IRC nick on chat.soylentnews.org: qkontinuum
        • (Score: 2) by VLM on Tuesday October 25 2016, @01:59PM

          by VLM (445) on Tuesday October 25 2016, @01:59PM (#418543)

          Ah I get what you're saying. Although by the strict definition if you want to Betteridge, it should be rephrased to

          Do we want to go through this over and over with toasters, refrigerators, and every other connected appliance?

          then the Betteridge answer is "no" and pretty much everyone agrees it should be "no"

          As for the Neuromancer it was in your face randomly too abstract and too precise, like "ICE programs" come on pull my other leg way too soft sci fi vs the detailed and realistic biochemistry hacking the poor guy went thru. I didn't like the extreme density, it has to be read like 10 times to catch everything and catching everything feels like picking thru a mystery novel. I don't really like mystery novels, which might be part of the problem. I didn't like how the narrative sped up for the hard sci fi and slowed down elsewhere to the point of being noticeable. As if he didn't like the setting so step on the gas.

          As a point of comparison "snow crash" was written about a decade later and just smells more realistic despite fundamentally being more ridiculous. It's kind of a science fictional "inspired by Jaynes". It's more of a smooth narrative, no sense of speeding up and slowing down, more of a story teller than a ... whatever neuromancer is.

          Maybe "snow crash" is a story told by a story teller and "neuromancer" is a dramatic re-enactment documentary. Or sort of an unrealistic history vs an alternate history.

          One thing they both have in common is endless desire to turn into movies that never works out, and either it's going to be a long complicated miniseries for both or it's going to be hopelessly dumbed down and suck. Given hollywood I suspect the latter. Some books just are not suited to be movies. Maybe snowcrash world would make an interesting and workable anime series, however.

          • (Score: 2) by dyingtolive on Tuesday October 25 2016, @06:06PM

            by dyingtolive (952) on Tuesday October 25 2016, @06:06PM (#418649)

            I'm remaining quietly optimistic about the upcoming Snow Crash movie. I can't picture Neuromancer being anything less than a couple season long series itself. "Extreme density" is a perfect phrase to use for it, and I say that enjoying detective novels myself.

            I agree with the idea of a snow crash anime. It was over-the-top enough that I could see it transitioning well. Maybe done by the guy that did Aeon Flux back in the 90s if he's still around. THAT would be interesting.

            --
            Don't blame me, I voted for moose wang!
    • (Score: 1, Funny) by Anonymous Coward on Tuesday October 25 2016, @04:34PM

      by Anonymous Coward on Tuesday October 25 2016, @04:34PM (#418606)

      No, that wouldn't help. It would just cause one connected appliance to not have any issues, negating the "every" part.

  • (Score: 2) by SecurityGuy on Tuesday October 25 2016, @01:34PM

    by SecurityGuy (1453) on Tuesday October 25 2016, @01:34PM (#418527)

    Will we go through this over and over with toasters, refrigerators, and every other connected appliance?

    I've been seeing this for as long as I've been in IT. Security isn't seen as a requirement when people develop products. When you buy a webcam, does it occur to you to care whether it's secure? Maybe. Does it occur to John Q. Public? Not at all.

    • (Score: 1, Insightful) by Anonymous Coward on Tuesday October 25 2016, @02:23PM

      by Anonymous Coward on Tuesday October 25 2016, @02:23PM (#418555)

      Security isn't seen as a requirement when people develop products. When you buy a webcam, does it occur to you to care whether it's secure? Maybe. Does it occur to John Q. Public? Not at all.

      The product developers and John Q. Public are acting rationally in their best interest. For most people, the expected cost (to them) of an attack involving their webcam is either zero or very close to zero.

      So a rational purchaser will not care whether or not the product is secure, and if the "more secure" version means "more expensive", the rational choice is the cheaper one (all else being equal).

      Therefore, if increasing security for a product like this adds any production cost whatsoever, the rational choice for a manufacturer is to not do it.

      • (Score: 2) by LoRdTAW on Tuesday October 25 2016, @04:37PM

        by LoRdTAW (3755) on Tuesday October 25 2016, @04:37PM (#418609) Journal

        If the rational purchaser in your example is John Q Public then the word security does not even enter the conversation. All they want is to watch their home from their smart phone. Everything else is magic as far as they are concerned.

        The manufacturer is responsible for security as they should be well aware of John Q Public's grasp of computer security: zero. So I'm chalking this one up as laziness or incompetence.

        • (Score: 0) by Anonymous Coward on Tuesday October 25 2016, @06:46PM

          by Anonymous Coward on Tuesday October 25 2016, @06:46PM (#418671)

          More appropriately, chalk it up to "tragedy of the commons"

          Expecting companies to keep the security of the commons up to your snuff for free? I question your reasoning.

    • (Score: 0) by Anonymous Coward on Tuesday October 25 2016, @06:42PM

      by Anonymous Coward on Tuesday October 25 2016, @06:42PM (#418668)

      I've been seeing this for as long as I've been in IT. Security isn't seen as a requirement when people develop products. When you buy a webcam, does it occur to you to care whether it's secure? Maybe. Does it occur to John Q. Public? Not at all.

      Actually, it does. My question, though, is what can I do about it? There isn't a sticker on the equipment saying how secure or insecure it is, and I'm not spending hours researching online trying to find a proverbial needle in the haystack of marketing information to find out what is secure. That's not counting things which are thought to be secure but later have security holes found in them.

      Does anybody have advice? My current policy of "paranoia-based buy nothing" works... but means there are many shiny things I can't get.

      • (Score: 0) by Anonymous Coward on Tuesday October 25 2016, @09:49PM

        by Anonymous Coward on Tuesday October 25 2016, @09:49PM (#418735)

        Get a decent router, completely block internet access off to these devices. If you need to access them remotely, perhaps VPN in to your local network or access it through a remote connection to a secure computer on your network.

        You really can't trust these things to be secure, because your average consumer knows nothing about security and they care more that it is easy to use; very few manufacturers are going to care about security, especially when the security impacts ease of use.

        Something like a home webcam you can build yourself using a Raspberry Pi. It is certain to be more effort than an off-the-shelf solution, but easier to secure, and you'll always be able to update the software that runs on it.
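The "block internet access off to these devices, VPN in if you need them" advice above, written out as an nftables ruleset. This is an added example for this thread, not configuration from the original post or from any camera vendor. Interface names (wan0 upstream, lan0 trusted LAN, iot0 the camera segment, wg0 a WireGuard VPN) are assumptions; the point is that the camera segment gets no route out, while the trusted LAN and VPN clients can still open connections in.

```nftables
#!/usr/sbin/nft -f
# Added example: isolate an IoT/camera segment on a home router.
# Assumed interfaces: wan0 (upstream), lan0 (trusted LAN),
# iot0 (cameras and other IoT), wg0 (WireGuard VPN clients).
# Loads alongside any existing NAT table; it only adds a forward filter.

table inet iot_isolation {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections that were allowed below.
        ct state established,related accept
        ct state invalid drop

        # Trusted LAN hosts and VPN clients may open connections to the cameras
        # (the VPN is how you "access them remotely" without exposing them).
        iifname { "lan0", "wg0" } oifname "iot0" accept

        # Trusted LAN keeps its normal internet access.
        iifname "lan0" oifname "wan0" accept

        # Cameras may not initiate anything: not to the internet (logged, so a
        # device that starts trying to call out shows up in the router log),
        # and not into the trusted LAN either.
        iifname "iot0" oifname "wan0" log prefix "iot-egress-drop " drop
        iifname "iot0" oifname "lan0" drop
    }
}
```

With the chain policy at drop, anything not listed (camera to camera across segments, camera to VPN clients) is silently refused. If a device genuinely needs time sync or firmware downloads, run NTP on the router and add a narrow accept for that one service rather than reopening the WAN; the log prefix on the egress drop is what tells you which device is trying to phone home and how often.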

  • (Score: 2, Insightful) by Anonymous Coward on Tuesday October 25 2016, @01:55PM

    by Anonymous Coward on Tuesday October 25 2016, @01:55PM (#418541)

    Best part about these shitty devices is that the company was surprised the users never bothered to change the default passwords... really? You are an IT company and you are fucking surprised users don't change the default password? Someone needs to take your membership card like right now.
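The complaint above, that a vendor should never have relied on users changing a shared default, comes down to two controls in the device firmware: a factory credential must be usable for nothing except replacing itself, and the replacement must not be another well-known default. The following is an added example for this thread, not Xiongmai firmware or any vendor's code; the account layout, the list of defaults, the 12-character minimum and the function names are all assumptions of the example. It also shows the alternative design of a per-unit random secret printed on the label, which removes the shared-default problem entirely.

```python
"""Admin-credential policy for a network device (added example, not vendor
code). Passwords are stored as salted PBKDF2-HMAC-SHA256 hashes; the
factory credential only unlocks a password change."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed list of widely shared factory defaults; a real product would
# ship every default it has ever used plus a breached-password list.
KNOWN_DEFAULTS = frozenset(
    {"", "admin", "administrator", "password", "123456", "12345678", "root", "default"}
)
MIN_LENGTH = 12            # assumed policy minimum
PBKDF2_ROUNDS = 200_000    # assumed work factor


@dataclass
class AdminAccount:
    username: str
    salt: bytes
    digest: bytes
    must_change: bool   # True until the factory credential has been replaced


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def factory_account(username: str = "admin", default_password: str = "admin") -> AdminAccount:
    """The shared-default design: the secret is identical on every unit, so
    the account is created already flagged for mandatory change."""
    salt = secrets.token_bytes(16)
    return AdminAccount(username, salt, hash_password(default_password, salt), must_change=True)


def provision_unique_account(username: str = "admin") -> Tuple[str, AdminAccount]:
    """The alternative: a per-unit random secret generated at manufacture and
    printed on the device label. Returned here so a caller can use it; on a
    real production line it would go to the label printer only."""
    label_secret = secrets.token_urlsafe(18)
    salt = secrets.token_bytes(16)
    return label_secret, AdminAccount(username, salt, hash_password(label_secret, salt), must_change=True)


def login(account: AdminAccount, username: str, password: str) -> str:
    """Returns 'denied', 'must_change' (only a password change is allowed)
    or 'ok'. Comparison is constant-time on the hash, not the plaintext."""
    if username != account.username:
        return "denied"
    if not hmac.compare_digest(hash_password(password, account.salt), account.digest):
        return "denied"
    return "must_change" if account.must_change else "ok"


def validate_new_password(username: str, candidate: str) -> Optional[str]:
    """None when the candidate is acceptable, otherwise the reason it is not."""
    if len(candidate) < MIN_LENGTH:
        return "too short"
    if candidate.lower() in KNOWN_DEFAULTS:
        return "known default"
    if username.lower() in candidate.lower():
        return "contains username"
    return None


def change_password(account: AdminAccount, old: str, new: str) -> Tuple[bool, str]:
    """The one operation a must_change session may perform. Re-salts on change."""
    if login(account, account.username, old) == "denied":
        return False, "old password wrong"
    reason = validate_new_password(account.username, new)
    if reason is not None:
        return False, reason
    account.salt = secrets.token_bytes(16)
    account.digest = hash_password(new, account.salt)
    account.must_change = False
    return True, "changed"


def stream_allowed(account: AdminAccount, username: str, password: str) -> bool:
    """Gate for every non-credential operation (video, configuration, shell):
    a unit still running on its factory secret serves nothing."""
    return login(account, username, password) == "ok"


if __name__ == "__main__":
    cam = factory_account()
    print(login(cam, "admin", "admin"))                      # must_change
    print(change_password(cam, "admin", "Admin-Camera-01"))  # (False, 'contains username')
    print(change_password(cam, "admin", "correct horse battery"))
    print(stream_allowed(cam, "admin", "correct horse battery"))
```

The design choice worth copying is that `stream_allowed` is the only gate the rest of the firmware consults, so there is no code path on which a shared default lets the device do real work; forcing the change at first login is what the "users never change the default" complaint is really asking for.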

  • (Score: 2) by Scruffy Beard 2 on Tuesday October 25 2016, @02:16PM

    by Scruffy Beard 2 (6030) on Tuesday October 25 2016, @02:16PM (#418550)

    I was not expecting an IoT company to actually recall their product over lax security.

    What is the world coming to when manufacturers start taking responsibility for the security of their products?

    Of course, the cynic in me just told me that maybe they just re-branded the relatively common software (firmware) update.

    • (Score: 0) by Anonymous Coward on Tuesday October 25 2016, @03:23PM

      by Anonymous Coward on Tuesday October 25 2016, @03:23PM (#418574)

      Probably fear of litigation. When articles pop up claiming the internet lost MILLIONS AND MILLIONS in sales because of the attack, lawyers get worried. Of course most likely the sales will materialize later, as people still have need, it just becomes pent up.

      • (Score: 2) by bob_super on Tuesday October 25 2016, @05:08PM

        by bob_super (1357) on Tuesday October 25 2016, @05:08PM (#418622)

        > lawyers get worried

        Rule #1: Lawyers only get worried when a case looks lost and the customer is low on cash.

    • (Score: 2) by Thexalon on Tuesday October 25 2016, @03:23PM

      by Thexalon (636) on Tuesday October 25 2016, @03:23PM (#418575)

      What is the world coming to when manufacturers start taking responsibility for the security of their products?

      They aren't taking responsibility for the security of their products, they're blunting the bad PR for the lax security of their products. And then they'll get right back to swearing up and down how secure all their stuff is.

      --
      The only thing that stops a bad guy with a compiler is a good guy with a compiler.
      • (Score: 1) by tftp on Wednesday October 26 2016, @07:11AM

        by tftp (806) on Wednesday October 26 2016, @07:11AM (#418885) Homepage

        They aren't taking responsibility for the security of their products

        It is much cheaper to change the name and the logo of the company - from one generic Chinese combination of words to another. It's amazing how many products from China come from no-name, fly-by-night manufacturers. But they are cheap! And that's why they are selling so well.

        What does it cost to change the name and the logo? Perhaps, nothing at all, besides a small fee to the artist. Layers upon layers of companies may produce and sell and resell products, and we see the logo only of the last reseller. Those are dime a dozen. As they keep their network of contacts, they can change the company every few months if they have to. In practice, it takes much longer to develop a full-blown PR disaster. They probably have a dozen new companies in the filing cabinet, ready to go on a minute's notice.

        Not all Chinese companies are fly-by-night, but many are. It just makes sense. The US market, hungry for cheap glitter, will swallow whatever you throw at it, as long as it is cheap. A new fool is born every millisecond.

    • (Score: 2) by jmorris on Tuesday October 25 2016, @03:30PM

      by jmorris (4844) on Tuesday October 25 2016, @03:30PM (#418579)

      Read the article. It is just a downloadable update. Still gotta give em props for stepping up and owning the problem, always the right move from a PR standpoint. Amazing so many companies get that wrong.

      But as we move down the IoT foodchain we -will- see it, as the devices are built so cheaply they won't be field updatable once they get hacked or the hacks close off the normal update capability. Doubt we will see manufacturers building stuff with failsafe ROM based recovery procedures. Nope, they will buy the SoC vendor promises of the glories of crypto magic, sign the firmware image and assume it will be uncrackable... both from hackers and the rightful owner. Both will prove wrong.

      It is almost like we are intentionally building a world that can be destroyed with almost zero effort by any nation state actor. Suspect people took the wrong lesson from the Cold War and MAD. MAD worked in a world where only a handful of large nation states could build a bomb and all were basically sane enough that they understood the pointlessness of actually turning the world into a bad video game or disaster movie. Especially the Commies. They were Evil with the capital E but as Atheists they wanted to rule this world instead of scoring points for the afterlife. Ruling a burned out wasteland didn't turn their crank. But it isn't just nation states that can launch a civilization extinction level event now. A lot of anarchists and even stranger groups can gain the ability to launch network attacks and then there is Islam. One well built Warhol Worm will change everything. And there are a hundred or more organizations/states that could pull one off now and the number will grow until one does it or we get our act together. Place your bets.

      • (Score: 4, Touché) by bob_super on Tuesday October 25 2016, @05:18PM

        by bob_super (1357) on Tuesday October 25 2016, @05:18PM (#418627)

        > Especially the Commies. They were Evil with the capital E

        Yup. Those Evil bastards supported dictators, torture, indefinite imprisonment without trial, foreign wars, massive weapons programs as their infrastructure crumbled, training kids to parade their flag, covert weapons sales to bad actors, spying on everyone, state-sponsored kidnappings at home and abroad, unchecked bureaucracies ... and wrestling control away from their feudal lords.

  • (Score: 2) by MichaelDavidCrawford on Tuesday October 25 2016, @03:40PM

    by MichaelDavidCrawford (2339) Subscriber Badge <mdcrawford@gmail.com> on Tuesday October 25 2016, @03:40PM (#418583) Homepage Journal

    We use computers inappropriately. As this webcam exploit demonstrates, the cost of device failure is far greater than its benefit to society.

    I don't like to fly on modern passenger jets. I am a physicist so it's not that I don't understand how wings generate lift.

    No.

    I'm afraid of computer programmers.

    --
    Yes I Have No Bananas. [gofundme.com]
    • (Score: 0) by Anonymous Coward on Tuesday October 25 2016, @09:53PM

      by Anonymous Coward on Tuesday October 25 2016, @09:53PM (#418738)

      But there are a lot of redundant safety systems overseen by two highly trained humans. Flying is the safest way to travel, the stats bear this out. You don't have to trust the computer programmers, trust the statistics.

    • (Score: 1, Funny) by Anonymous Coward on Wednesday October 26 2016, @04:28AM

      by Anonymous Coward on Wednesday October 26 2016, @04:28AM (#418855)

      Well it's not like the flight controls share the same wireless network as the in flight entertainment or anything.......
      https://www.wired.com/2015/04/hackers-commandeer-new-planes-passenger-wi-fi/ [wired.com]

  • (Score: 2) by Bot on Tuesday October 25 2016, @04:08PM

    by Bot (3902) on Tuesday October 25 2016, @04:08PM (#418594) Journal

    Cannot they secure the device remotely by using some other backdoor/flaw?

    --
    Account abandoned.