Chinese firm issues US recall after massive cyberattack

A Chinese electronics maker has recalled millions of products sold in the US following a massive cyberattack that briefly blocked access to websites including Twitter and Netflix.
Hangzhou Xiongmai Technology said in a statement that millions of web-connected cameras and digital recorders became compromised because customers failed to change their default passwords.
The hack has heightened long-standing fears among security experts that the rising number of interconnected home gadgets, appliances and even automobiles represents a cybersecurity nightmare. The added convenience of being able to control home electronics via the web also leaves them more vulnerable to malicious intruders, experts say.

Unidentified hackers seized control of gadgets including Xiongmai's on Friday and directed them to launch an attack that temporarily disrupted access to a host of sites, which also included Amazon and Spotify, according to US web security researchers.
The "distributed denial-of-service" attack targeted servers run by Dyn Inc, an internet company located in Manchester, New Hampshire. These types of attacks work by overwhelming targeted computers with junk data so that legitimate traffic can't get through.
"The issue with the consumer-connected device is that there is nearly no firewall between devices and the public internet," said Tracy Tsai, an analyst at Gartner, adding that many consumers leave the default setting on devices for ease of use without knowing the dangers.

Researchers at the New York-based cybersecurity firm Flashpoint said most of the junk traffic heaped on Dyn came from internet-connected cameras and video-recording devices that had components made by Xiongmai. Those components had little security protection, so devices they went into became easy to exploit.

In an acknowledgement of its products' role in the hack, Xiongmai said Monday that it would recall products sold in the US before April 2015 to demonstrate "social responsibility." It said products sold after that date had been patched and no longer constitute a danger.
Liu Yuexin, Xiongmai's marketing director, said in an interview on Tuesday that Xiongmai and other companies across the home surveillance equipment industry were made aware of the vulnerability in April 2015. Liu said Xiongmai moved quickly to plug the gaps and should not be singled out for criticism.

"We don't know why there is a spear squarely pointed at our chest," Liu said.
The company, which also makes dashboard cameras and computer chips, said it would recall more than 4 million web-connected cameras and has offered customers a software security fix.