Don't all rush out at once, but there are a million devices ripe to be the next big botnet A wormable vulnerability involving an estimated one million digital video recorders (DVR) is at risk of creating a Mirai-style botnet, security researchers warn. UK-based security consultancy Pen Test Partners said that the issue stems from a zero-day (unpatched) flaw in networking software from Chinese manufacturer XiongMai …
This means I can get back into the Chinese NVR I recently purchased but forgot the temporary password to.
I wasn't concerned as the Chinese cameras I bought have a simple hack posted on youtube to get past the password prompt so this was just time.
Some vendors seem to improve the firmware a little but most of these things are just flashing "Hack Here" signs and people go putting them on the internet, bless.
Is this news any more? People purchasing technology/devices have a budget, they'll buy what they can afford. They'll also configure it/secure it/expect it to perform in line with their knowledge of the market/devices abilities.
How to move forward? Does it require government intervention to specify a level of software design? If so then people will just buy else where because it'll be cheaper and have a 'tested secure' forged badge on it. Is more education/training needed at school level for users to understand about privacy and control? That in turn would lead to more questions/considerations when making a purchase.
My opinion is that the recent development of technology and its relative cost (cheapening by the day making it more accessible) will plateau out and other considerations (design/function/security) will become more prevalent.
The world is changing, people who exploit are the ones who ensure they keep up with technology. Everyone else gets caught up in the next best thing which isn't, as most of us know, actually that great. I estimate a few years for this type of vulnerability to reduce, by then something else will have come along
Isn't this old, recycled news? Flashpoint published this last October. "Pen Test Partners" is a bit late in the game. IPVM titled their take on it "Move Over Dahua, Xiongmai Is The Real Botnet King"
I don't find the original article on Flashpoint anymore ( was titled "when-vulnerabilities-travel-downstream" ) but you can find plenty of places that quote it, just do a google search with one of the quotes "countless DVR manufacturers buy parts preloaded with Linux and rudimentary management software from a company called XiongMai"
Fiction has been warning about robotic device hijacking for several decades now, including in Anime films like Ghost in the Shell (1995) and Paprika (2006), and StuxNet happened too!
What happens if this hijacking is driven by a hard to stop bot-net, possibly jumping between different makes/types of insecure devices/software, and targeting potentially deadly robotic devices like an asserted imminent flood of connected assisted/self-drive cars? Panic!
I can see crisis regulation happening if manufacturers don't lock-down/support devices properly soon, including possible forced scrapping of non-fixable/unsupported connected devices/software, and not even allowing connectivity in some classes/types of device.
r-type decadence like promiscuity and lax security later cause significant costs, as we now see with human demographic decay, cultural decay, and alien refuse invasion in developed countries; similar principles apply to connected computing devices, especially those designed by r-types!
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
