Or should I say 'XiongMirai'?
But Samsung has a system in place to manage / push updates? What does Xiongmai or any traditional video surveillance manufacturer have?
Take Axis, even if Axis wanted to, how could they 'force' a software update on their cameras to fix the critical security vulnerability?
You're just not going to rest until somebody tells you to hack 10,000 cameras in the name of justice.
If XiongMai was serious about their recall, they could make their devices all give on-screen warnings to the owners, along with contact/return info, using the same techniques the scripts used in the botnet conscription phase.
I don't agree. XiongMai is a component supplier; they sold components which then became part of another product/brand. Offering a recall is the right approach, at least theoretically: they recognize they provided defective parts and are providing recourse for those affected. Altering components post-sale may affect the end customers in unanticipated ways and violate agreements they had with their direct customers.
Samsung most likely had some kind of click-wrap agreement the owners of the phones agreed to that gives the company the right to send software updates that alter the phone. Unless XiongMai/their suppliers had users agree to something similar there could be legal issues around this (however unlikely).
Overall, not a sound idea for the company to do this.
The difference is that phones are highly regulated in the US by the fact and also have a carrier involved. The carrier controls software updates and firmware and has agreements in place. Without the carrier, the phone is an iPod of sorts.
An IP camera doesn't rely on a carrier or other outside service and usually doesn't have a self-update mechanism that is constantly checked.
I don't believe in "forced updates" by the manufacturer; however, if you want to mitigate / get rid of these kinds of threats, something "outside of the box" is needed - whether that is releasing a worm that patches/upgrades, or even sets a random password to "protect" default login/password boxes (showing the new password on the cam feed, for instance).
I really do believe something "outside of the box" is needed, legal or not legal - but for a good cause (Robin Hood thing).
Article on the ethics and legality of 'hacking back' hacked devices.
Security researcher creates an anti-worm-worm: