The Xiongmai Botnet 'Recall' Will Not Work
By: John Honovich, Published on Oct 25, 2016
The Xiongmai 'recall' has been the topic of global news, following the unprecedented botnet attacks that use their equipment, among others.
However well intentioned this 'recall' may be, it is not going to work. Understanding how Xiongmai's and their customers' business model works makes this clear.
Xiongmai No Branded Sales
Xiongmai does not sell under its own brand nor to end users. Because of this, they have no idea which end users actually have their products.
Hidden OEM / Supplier
Xiongmai, even within the video surveillance industry, has near zero brand recognition (until this disaster). Because of this, the companies that Xiongmai sells components / modules to almost never disclose that they use Xiongmai. Indeed, this is a key reason why, despite the global coverage, few if any manufacturers have been identified as using Xiongmai.
OEMs / Relabelers No Interest In Disclosing Now
For the recall to work, the companies that buy and use Xiongmai components (OEMs / relabelers) will have to disclose to their customers that they are using Xiongmai. Even under normal circumstances, video surveillance OEMs have legal agreements that prohibit their suppliers, like Xiongmai, from confirming who their OEMs are. These companies/OEMs have zero incentive to disclose this now, as acknowledging it risks massive brand damage and potential litigation.
No Records of End Users Likely
Indeed, even if Xiongmai's customers were open to a publicly announced recall, most have no idea who is using these products. Registration of products is extremely uncommon within the video surveillance industry, where products are either sold through retail (which does not track end users) or through integrators (who typically do not want their manufacturer partners to know who 'their' customers are).
Realistic About Recall No Impact
Because of all this, we all need to be realistic that a recall is not going to work, even if Xiongmai really wants to try one. Sure, they can recall things in inventory from their partners if those products are vulnerable, but there are millions of Xiongmai-based devices already deployed (as Xiongmai is a major supplier), and the likelihood that they can recall / remove even a fraction of the infected botnet army is slim to none.
Net / net, to stop these infections, we need to look beyond the potential of a recall.