The Xiongmai Botnet 'Recall' Will Not Work

By: John Honovich, Published on Oct 25, 2016

The Xiongmai 'recall' has been the topic of global news, following the unprecedented bot net attacks that use their equipment, among others.

However well intentioned this 'recall' may be, it is not going to work. Understanding how Xiongmai and their customer's business model works makes this clear.

Xiongmai No Branded Sales

Xiongmai does not sell under its own brand nor to end users. Because of this, they have no idea which end users actually have their products.

Hidden OEM / Supplier

Xiongmai, even within the video surveillance industry, has near zero brand recognition (until this disaster). Because of this, the companies that Xiongmai sells components / modules to almost never disclose that they use Xiongmai. Indeed, this is a key reason why, despite the global coverage, few if any manufacturers have been identified as using Xiongmai.

OEMs / Relabelers No Interest In Disclosing Now

For the recall to work, the companies that buy and use Xiongmai components (OEMs / relabelers) will have to disclose to their customers that they are using Xiongmai. Even under normal circumstances, video surveillance OEMs have legal agreements that prohibit their suppliers, like Xiongmai, from confirming who their OEMs are. These companies/OEMs have zero incentive to do so now, as acknowledging it risks massive brand damage and potential litigation.

No Records of End Users Likely

Indeed, even if Xiongmai's customers were open to a publicly announced recall, most have no idea who is using these products. Registration of products is extremely uncommon within the video surveillance industry, where products are either sold through retail (which does not track end users) or through integrators (who typically do not want their manufacturer partners to know who 'their' customers are).

Realistic About Recall No Impact

Because of all this, we all need to be realistic that a recall is not going to work, even if Xiongmai really wants to try one. Sure, they can recall things in inventory from their partners if those products are vulnerable, but there are millions of Xiongmai based devices already deployed (as Xiongmai is a major supplier) and the likelihood that they can recall / remove even a fraction of the infected botnet army is slim to none.

Net / net, to stop these infections, we need to look beyond the potential of a recall.


Comments (23)


Agreed. A recall won't work.

This may require a Stuxnet type response. Yes, a deliberate action to render these units useless.

If that seems drastic, I would like to hear what other ideas exist to address the threat of continued DDoS attacks on the internet.

This may require a Stuxnet type response. Yes, a deliberate action to render these units useless.

It's harder than you might think on these devices, since they have read-only filesystems with the passwords hardcoded.

So if you just break it, a default reset puts it back in the game.

That's the reason that even XiongMai doesn't have a firmware fix for these devices.

The cost of using the "cheapest" product out there means that the entire "internet" economy suffers due to this.

How many more attacks before we wake up to, China doesn't care....

Their economy requires it has to be firing on all 8 cylinders in order to keep 1 Billion people "happy". If it means causing the rest of the world to suffer, they really don't care.

That said, when we "exported" capitalism to China, they put their economy on steroids and like locusts they will swallow anything in sight in order to control that space.

Shutting down the infrastructure without dropping 1 bomb is cheaper and inherently a less risky proposition.

A bigger concern is the integrators who don't care. They are effectively fuel for the fire. This is unlikely to remedy until it becomes too costly to sell these products due to litigation.

Net / net, to stop these infections, we need to look beyond the potential of a recall.

Should Hikvision Hack Its Own DVR's?

Should I Hack 10,000 Dahua Cameras?

Should Axis Hack Axis Public Cameras?

Prediction: XiongMai ends up using this global news coverage to their advantage. They will say repeatedly that

  1. It's not our fault
  2. Even if it's our fault, other manufacturers are equally at fault
  3. Even if it's our fault, improper installation is equally at fault
  4. Even if it's our fault, we fixed it in all our latest products
  5. It's our fault, but we are the only manufacturer to do the right thing and recall our products

A smart reverse reputation play, even if 7 people take them up on the recall.

XiongMai, who nobody knew yesterday, gets an instant brand, tarnished a bit for sure, but that fades if you deliver in the meantime.

XiongMai, who nobody knew yesterday, gets an instant brand, tarnished a bit for sure

'tarnished a bit' is an understatement. Their brand is destroyed, given the severity of the attacks. I don't think most tech and business people following this will ever trust them. And XiongMai is not some sophisticated marketing machine that can somehow find a way to turn this to their benefit. They are better off just purging the XiongMai brand and going with something else.

In 1982, seven Chicago-area residents died from cyanide-laced Extra-Strength Tylenol. Marketers predicted that the Tylenol brand would never recover from the sabotage.

The following year, Tylenol’s share of the analgesic market climbed 23 percent, and The New York Times wrote, “It is almost as if nothing ever happened.”

Yes, you're right, Johnson and Johnson doesn't make DVR cards, and had an established brand already and HQ in the U.S. among their other vast differences.

But the point is that memories are short. Maybe another low-cost alternative to the Peoples Republic of Hikvision or the dysfunctional Dahuan Dynasty.

You can certainly argue persuasively that they're done; that's easily done considering the events. But I only made the prediction because of its apparent impossibility.

Firewalls are the only way to stop this.

Especially edge firewall at customer premises.

Drop all DNS queries from camera subnet or ip range.

That will break ntp, so ntp server might have to be set by ip address, or set to an internal ntp service.

If you want to connect low cost devices to the internet, they have to be behind a properly configured firewall, otherwise it becomes tragedy of the commons - everyone dumps their junk in the common space.
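The segmentation described in the comment above (camera subnet behind a default-deny egress firewall, DNS dropped, NTP pointed by IP at an internal server) can be written down as a checkable policy. The block below is an added illustration, not code from IPVM or from the commenter: it models the egress decision for a camera subnet, renders the same policy as an nftables ruleset, and runs it over a handful of constructed flows. The subnet, NTP server and NVR addresses are placeholders, and the assumption that the only legitimate camera-initiated traffic is NTP to the internal time server and RTSP to the NVR is one you would adjust to your own deployment.

```python
"""Egress policy model for an isolated camera subnet.

Added example (not from the original page). Addresses are constructed
placeholders; adjust them for a real network.
"""
import ipaddress
from dataclasses import dataclass

CAMERA_SUBNET = ipaddress.ip_network("192.168.50.0/24")   # constructed camera VLAN
INTERNAL_NTP = ipaddress.ip_address("192.168.1.10")       # constructed internal NTP server
INTERNAL_NVR = ipaddress.ip_address("192.168.1.20")       # constructed NVR / recorder


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp" or "udp"
    dport: int
    established: bool = False   # True for replies in a connection the peer opened


def egress_allowed(pkt: Packet) -> bool:
    """Default-deny egress for traffic originating in the camera subnet.

    Cameras may only sync time with the internal NTP server (UDP/123) and
    push video to the internal NVR (RTSP, TCP/554); replies to connections
    opened by the NVR or a management host are also allowed.  Everything
    else, DNS (UDP/53) included, is dropped, so a compromised camera cannot
    resolve or reach an outside host.  Traffic that does not originate in
    the camera subnet is outside this policy and passes through.
    """
    src = ipaddress.ip_address(pkt.src)
    if src not in CAMERA_SUBNET:
        return True
    if pkt.established:
        return True
    dst = ipaddress.ip_address(pkt.dst)
    if pkt.proto == "udp" and pkt.dport == 123 and dst == INTERNAL_NTP:
        return True
    if pkt.proto == "tcp" and pkt.dport == 554 and dst == INTERNAL_NVR:
        return True
    return False


def nftables_ruleset() -> str:
    """Render the same policy as an nftables forward-chain ruleset.

    Rule order matters: the two explicit accepts and the established/related
    accept come first, then an unconditional drop for anything else the
    camera subnet sends.  The camera's NTP server must be configured by IP,
    since no DNS is reachable from this subnet.
    """
    return "\n".join([
        "table inet camera_egress {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy accept;",
        f"    ip saddr {CAMERA_SUBNET} ip daddr {INTERNAL_NTP} udp dport 123 accept",
        f"    ip saddr {CAMERA_SUBNET} ip daddr {INTERNAL_NVR} tcp dport 554 accept",
        f"    ip saddr {CAMERA_SUBNET} ct state established,related accept",
        f"    ip saddr {CAMERA_SUBNET} drop",
        "  }",
        "}",
    ])


# Constructed sample flows, not captured traffic.
SAMPLE_FLOWS = [
    Packet("192.168.50.7", "192.168.1.10", "udp", 123),   # NTP to internal server: allowed
    Packet("192.168.50.7", "8.8.8.8", "udp", 53),         # DNS to the internet: dropped
    Packet("192.168.50.7", "203.0.113.9", "tcp", 80),     # outbound HTTP: dropped
    Packet("192.168.50.7", "192.168.1.20", "tcp", 554),   # RTSP push to NVR: allowed
    Packet("192.168.50.7", "192.168.1.20", "tcp", 49152, established=True),  # reply to NVR pull: allowed
    Packet("192.168.1.20", "192.168.50.7", "tcp", 554),   # NVR pulling from camera: outside policy
]


def dropped_flows(flows):
    """Return the flows the policy would drop; useful for auditing a rule set."""
    return [p for p in flows if not egress_allowed(p)]


if __name__ == "__main__":
    for p in SAMPLE_FLOWS:
        print("ALLOW" if egress_allowed(p) else "DROP ", p.src, "->", p.dst, p.proto, p.dport)
    print(nftables_ruleset())
```

Running the block prints the decision for each constructed flow and the generated ruleset. The point of keeping the model and the rendered rules side by side is that the model can be unit-tested against flows you expect to see (and ones you expect to be blocked) before the ruleset is loaded on the edge firewall.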

Hear, hear David.

As long as the devices are not configured properly nor firewalled you will have networks (nutworks) that scream "here, here".

From Shenzhen Daily

A CHINESE electronics maker that has recalled products sold in the United States said Tuesday it did all it could to prevent a massive cyberattack that briefly blocked access to websites including Twitter and Netflix.

Hangzhou Xiongmai Technology has said some of its Web-connected cameras and digital recorders became compromised because customers failed to change their default passwords.

Liu Yuexin, Xiongmai’s marketing director, said that Xiongmai and other companies across the home surveillance equipment industry were made aware of the vulnerability in April 2015. Liu said Xiongmai moved quickly to plug the gaps and should not be singled out for criticism.

“We don’t know why there is a spear squarely pointed at our chest,” Liu said.

The hack has heightened long-standing fears among security experts that the rising number of interconnected home gadgets, appliances and even automobiles represent a cybersecurity nightmare. The convenience of being able to control home electronics via the Web also leaves them more vulnerable to malicious intruders, experts say.

Unidentified hackers seized control of gadgets including Xiongmai’s Friday and directed them to launch an attack that temporarily disrupted access to a host of sites, ranging from Twitter and Netflix to Amazon and Spotify, according to U.S. Web security researchers.

The “distributed denial-of-service” attack targeted servers run by Dyn Inc., an Internet company located in Manchester, New Hampshire. These types of attacks work by overwhelming targeted computers with junk data so that legitimate traffic can’t get through. (SD-Agencies)

The hack has heightened long-standing fears among security experts that the rising number of interconnected home gadgets, appliances and even automobiles represent a cybersecurity nightmare. The convenience of being able to control home electronics via the Web also leaves them more vulnerable to malicious intruders, experts say.

Having worked at a National Laboratory (an environment very concerned with security), I have never understood why one would want to hook something up to the Internet and then be vulnerable to the world's malicious elements.

We don't even do wireless in my house.

Craig

We don't even do wireless in my house.

Not even cell phones?

Now, now, no need for sarcasm... or obvious sanctimonious misinterpretation.

Not sarcastic at all.

I think it's a fair question, since smartphones are roving wireless linux computers, no? And they have been known to be hacked every now and again.

OK... sorry. I misinterpreted.

I believe he was referring to wifi.

Maybe he can clarify.

Yes, I agree he most likely was. Still, if the phone connects to the internet wirelessly, then it can be snooped on and MITM'd just the same, no?

No WIFI here. No smart phones, either (who wants to walk around with a computer that has more capability than some supercomputers had not that long ago).

...who wants to walk around with a computer that has more capability than some supercomputers had not that long ago...

Anyone looking for Pokemon. It's the minimum requirement :)

I mean this seriously, without any snark, but the answer to that question seems to literally be a majority of people.

Hmm.. Long thought. 1st- That would depend on where "the middle" is. Wireless, network? Who originated and who is "looking". Cellular is pretty darn good. Wifi is as good as its implementer.

The original subject was the takeover of cameras. If you look at the attack, it was based on all the general default passwords of semi capable cute little devices. The point was if you leave a semi controllable (Linux) device on the open net without all the other proper cautions then... we have a DoS device.

Having made many "devices", I don't think we should blame the device, or the devices manufacturer. Rather, the implementers.

Newly added XM branded product in Amazon:

Maybe the cheapest 1080p ptz(d) out there.
