In-brief: An article in Quartz finds a common theme in stories about the massive denial of service attacks from IoT botnets and exploding hover boards: a sketchy global supply chain.
The online publication Quartz has an interesting article that delves into the bigger story behind the Mirai botnet and the recent distributed denial of service (DDoS) attacks against Dyn, Krebs on Security and other sites. The message? As we noted here at The Security Ledger: it’s the supply chain, stupid! Quartz finds a common thread in stories about the massive DDoS attacks from compromised cameras and stories about combustible hoverboards sold to U.S. consumers.
From the article:
The DDoS attack on Dyn might not appear to have much in common with the string of hoverboard explosions that occurred last year. But the incidents are actually quite similar. Just as hoverboard manufacturers cut costs by using cheap lithium-ion batteries prone to overheating, Xiongmai and its ilk cut costs by overlooking software features that could have prevented malware from infecting its devices.
The fly-by-night emergence of China’s hoverboard manufacturers and American importers made it difficult to pinpoint a single group of faulty boards, leading to a blanket crackdown on all of them. Likewise, the fragmented nature of the security camera industry makes it difficult to identify which specific devices are vulnerable to an attack. At any point in time, one security camera brand might stuff one device with a Xiongmai module, and stuff another, identical device with a module made by a Xiongmai competitor.
Unlike hoverboards, though, there’s already some sort of internet-connected camera in millions of homes and businesses around the world. This is why Xiongmai’s “recall” of over 10,000 of its units will have little impact. There are likely many more cameras with Xiongmai components operating in households right now, although neither Xiongmai nor its partners have publicly stated which brands and devices are vulnerable. (Krebs made a list of the susceptible devices, but it’s neither confirmed nor complete.)
Says Karas: “A user who wants to do the right thing cannot just look at their camera and say, ‘Oh, this says Brand Z on the box, so I’m not affected.’ Nobody really truly knows how far and wide the vulnerable devices are spread.”