The Internet of Things is a security nightmare, as proven by record 1 terabit per-second attacks last month. Vulnerable cameras and digital video recorders (DVRs) were hacked to create a massive botnet called Mirai, which was turned on targets to fill their web pipes with traffic and knock them offline – classic distributed denial of service (DDoS) attacks.

No single company was deemed responsible for all those vulnerable machines. Indeed, after the source code for their malware was released, investigative reporter Brian Krebs was able to list a host of camera manufacturers whose machines were targeted. Their mistake was one all too common in the IoT world: they used default passwords that were either previously-known or easily-guessable. Mirai would scan the internet for those machines and attempt to break in with those credentials.

But one researcher, Flashpoint’s Zachary Wikholm, today claimed to have found a single Chinese firm, Hangzhou XiongMai Technologies (XM), that shipped flawed code allowing the perpetrators to potentially amass nearly half a million bots for their malicious network. Whilst other manufacturers, like China’s Dahua, saw their kit compromised, Wikholm believes XM tech was compromised far more. “Flashpoint’s analysis on the attack data shows … a very large percentage of these IPs involved in the DDoS attacks were hosting XiongMai Technologies-based products,” he wrote in a blog post today.

XM creates software running on its own and partner manufacturers’ cameras and DVRs, according to Wikholm. He discovered two significant weaknesses in XM software. First, the company had added default passwords for connections over Telnet, accessible to any hacker on the planet. And, said Wikholm, those passwords were widely known and easy to find with some Google searches.

He found an equally astonishing vulnerability in the XM web app for connected cameras. Though the login over XM’s NetSurveillance portal required a username and password, Wikholm discovered it was possible to bypass the process entirely by taking the IP address of a target device and appending “DVR.htm” to it. That made the request for credentials pointless and allowed anyone with a web connection to take control of the camera. “Any DVR, NVR or camera running the web software ‘uc-httpd’, especially version 1.0.0 is potentially vulnerable. Out of those, any that have the ‘Expires: 0’ field in their server header are vulnerable to both,” Wikholm added.
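A defender triaging an inventory of camera and DVR web interfaces can apply the two header criteria quoted above to captured HTTP responses. This is an added example, not Flashpoint’s or XM’s code; the sample responses are constructed, and the classification labels are assumptions chosen here.

```python
import re

# Fingerprint criteria stated by Wikholm: a device whose HTTP 'Server' header
# names 'uc-httpd' (especially version 1.0.0) is potentially vulnerable, and
# one that additionally sends 'Expires: 0' is vulnerable to both issues.

def parse_http_headers(raw_response: str) -> dict:
    """Parse the header block of a raw HTTP response into a lowercase-keyed dict."""
    head = re.split(r"\r?\n\r?\n", raw_response, maxsplit=1)[0]
    headers = {}
    for line in head.splitlines()[1:]:   # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers

def classify_device(raw_response: str) -> str:
    """Return 'not-affected', 'potentially-vulnerable' or 'vulnerable-to-both'."""
    headers = parse_http_headers(raw_response)
    server = headers.get("server", "").lower()
    if "uc-httpd" not in server:
        return "not-affected"
    if headers.get("expires", "") == "0":
        return "vulnerable-to-both"
    return "potentially-vulnerable"

# Constructed sample responses (not captures from real devices).
SAMPLE_BOTH = "HTTP/1.1 200 OK\r\nServer: uc-httpd 1.0.0\r\nExpires: 0\r\n\r\n<html>"
SAMPLE_UCHTTPD = "HTTP/1.1 200 OK\r\nServer: uc-httpd 1.0.0\r\n\r\n<html>"
SAMPLE_OTHER = "HTTP/1.1 200 OK\nServer: nginx\nExpires: 0\n\n<html>"

if __name__ == "__main__":
    for name, resp in [("both", SAMPLE_BOTH), ("uc-httpd", SAMPLE_UCHTTPD), ("other", SAMPLE_OTHER)]:
        print(name, classify_device(resp))
```

Running the script prints one classification per sample; the same logic can be fed responses recorded by a scanner on a network the reader is responsible for.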

Those weaknesses made it simple for hackers to build the Mirai botnet – deemed to be responsible for the attacks on gaming company Blizzard, Krebs’s website and French hosting giant OVH. As many as 515,000 systems across 123 countries contained the XM code with the two vulnerabilities, Wikholm told FORBES. He believes most of those devices are now part of the Mirai botnet, though he cannot offer proof. A previous estimate from a security expert who goes by the name MalwareTech put infections at 120,000; that estimate was based on real-time infections MalwareTech recorded. The botnet is much bigger than that, claimed Flashpoint’s researcher.

As indicated by a query on the Internet of Things search engine Shodan, most of them are located in Vietnam, Brazil, Turkey and China. That chimes with data showing that much of the Mirai attack traffic came from those nations, though anti-DDoS vendor Akamai said Wednesday that most traffic came from China, whilst Wikholm found most of the vulnerable XM-based devices were located in Vietnam.

While XM shipped vulnerable kit, a number of the camera manufacturers targeted by Mirai had already taken steps to protect their products, including enforcing a strong password. According to Krebs, Samsung and Panasonic had both done just that.

Though enforcing strong passwords would help in most cases, with the XM kit there is no option to change those credentials, as the Telnet login is hardcoded. That means only a firmware rewrite on the manufacturer’s side would solve the issue, said Wikholm. A true fix would require not only XM to update its software, but all of its partner manufacturers too, and they would also need an over-the-air update capability. Put simply, Wikholm told me, it would be a huge task to secure these devices and take a serious chunk out of the Mirai botnet.

Neither Dahua nor XM had responded to requests for comment at the time of publication.

Tips and comments are welcome at or for PGP mail. Get me on Twitter @iblametom and for Jabber encrypted chat.