

Mirai IoT botnet: Regulation, not recalls, is the answer

by Todd Haselton | October 25, 2016 8:30 am PST


Last week, Dyn, a DNS provider in the United States, came under attack from a massive botnet powered by the internet of things (IoT). The attack knocked all sorts of services offline, including Spotify, Netflix, Airbnb and more. It used a version of the Mirai botnet that we reported on earlier this month and was unprecedented in size. Now webcams that may have been part of the botnet are being recalled. Unfortunately, that won’t really help.

According to Reuters, more than 10,000 webcams have been recalled by Hangzhou Xiongmai Technology Co, which sells connected surveillance cameras that were specifically used by the botnet.

While the company probably won’t admit it, the only way the botnet could have taken over the devices is if they were wildly insecure in the first place, with little to no security or with hard-coded default usernames and passwords. The cameras were built in 2014, Reuters said.

Xiongmai explained that it thinks personal surveillance cameras, rather than those sold to enterprise customers, were the most at risk. It is not planning to recall enterprise cameras since it suspects those are behind higher-security enterprise networks.

“The reason why there has been such a massive attack in the U.S. and (one) is not likely going to be in China is that most of our products in China are industrial devices used within a closed intranet only,” Xiongmai marketing director Liu Yuexin told Reuters.

A recall won’t stop this IoT botnet

It’s unclear how true that statement actually is, though. In fact, experts who spoke with TechnoBuffalo earlier this month suggested that enterprise cameras can be more at risk since corporations don’t always have plans in place to fold them into their existing security infrastructure. Conversely, cameras at home in private residences can sometimes, though not often, be safer since they sit behind routers.

This is certainly a topic that will continue to make headlines. It’s now our job to call on manufacturers and, indeed, the government, to create regulations for stricter security in connected devices. Unfortunately, millions of insecure products are still on the market. A recall of 10,000 will hardly make a difference, even if it’s a step in the right direction.

