Device manufacturers should be held accountable for their devices’ behaviors out in the wild. Without clear accountability, we’re going to continue shipping easy-to-use yet wildly vulnerable devices. Examples of manufacturer requirements should include:
- An end to common default passwords. It’s more work, but every device should start with a different administrative password and require that it be set to an even more secure one when first used in the wild. It sounds obvious, but today you can control a huge number of home devices via a simple search for “default password.”
- Impactful alerts for vulnerabilities. These devices will certainly use software that has vulnerabilities, but how does a consumer know when these problems are found? Is anyone out there constantly hitting refresh on the manufacturer’s device support page to find out? I didn’t think so. Manufacturers must be responsible for getting alerts to their buyers, similar to how car makers handle priority vehicle safety recalls. And if the warnings are not heeded within a set amount of time, the device should be disabled.
- Self-patching software. Even the lowest-cost camera, Wi-Fi access point or DVR must ship with self-patching software. We can’t have vulnerability-laden devices all over the place just waiting for the bad guys to take them over. And it’s not the owners’ fault — the patching experience for these devices is often miserable, assuming you even knew a patch was needed. It’s time to require that these devices meet a minimum standard for simple and automatic patching.
- Information sharing. It’s both good and bad news that so many internet-connected devices have so much software in common. It’s bad in that a zero-day exploit can instantly put myriad devices at risk. It’s good in that we can more proactively monitor and protect them using common processes and coordinated patches. Device manufacturers should be required to share findings regarding vulnerabilities and attacks with their peers. Done properly, this can help other manufacturers protect their products and give the cybersecurity industry a head start in preventing any resulting attacks.
“The components that XiongMai makes are sold downstream to vendors who then use it in their own products.”
Why is there no list of who those downstream vendors are? So we can remove those devices, because according to them
“The password is hardcoded into the firmware, and the tools necessary to disable it are not present. Even worse, the web interface is not aware that these credentials even exist.”
My worry, given that names have not been released, is that this weakness is farther reaching than we even know.