How Your DVR Was Hacked To Take Down The Internet


Recently, a person or persons launched an attack on the Internet Domain Name Services (DNS), causing major disruption to businesses in the US. Surprisingly (to some), this attack used the Mirai malware package to exploit the inherently insecure IoT devices in many homes and businesses around the world. Worse yet, the hacker responsible for creating the Mirai malware released the source code for it, effectively letting anyone build their own attack army using Mirai.

According to researchers at security firm Flashpoint, today’s attack was launched at least in part by a Mirai-based botnet. Allison Nixon, director of research at Flashpoint, said the botnet used in today’s ongoing attack is built on the backs of hacked IoT devices — mainly compromised digital video recorders (DVRs) and IP cameras made by a Chinese hi-tech company called XiongMai Technologies. The components that XiongMai makes are sold downstream to vendors who then use them in their own products.

“It’s remarkable that virtually an entire company’s product line has just been turned into a botnet that is now attacking the United States,” Nixon said, noting that Flashpoint hasn’t ruled out the possibility of multiple botnets being involved in the attack on Dyn.

“At least one Mirai [control server] issued an attack command to hit Dyn,” Nixon said. “Some people are theorizing that there were multiple botnets involved here. What we can say is that we’ve seen a Mirai botnet participating in the attack.”

Many of these products from XiongMai and other makers of inexpensive, mass-produced IoT devices are essentially unfixable, and will remain a danger to others unless and until they are completely unplugged from the Internet.

“The issue with these particular devices is that a user cannot feasibly change this password,” Flashpoint’s Zach Wikholm told KrebsOnSecurity. “The password is hardcoded into the firmware, and the tools necessary to disable it are not present. Even worse, the web interface is not aware that these credentials even exist.”

Flashpoint’s researchers said they scanned the Internet on Oct. 6 for systems that showed signs of running the vulnerable hardware, and found more than 515,000 of them were vulnerable to the flaws they discovered.

The knowledge that many IoT devices are effectively unsecurable leaves system integrators with only one viable solution: implementing VLAN separation with a Unified Threat Management (UTM) device. A UTM has an intrusion detection/intrusion prevention system (IDS/IPS) that actively inspects all network traffic passing in and out of the network and between the VLANs, blocking malware- and virus-based attacks. Threat profiles are updated regularly to protect the network and its users from emerging threats as they develop.
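The following is an added example, not taken from the original article or from any vendor's product, of the default-deny inter-VLAN policy described above, evaluated against a few connection attempts. The subnets, zone names and flow records are constructed for illustration, and the Telnet port check reflects Mirai's known scanning behaviour rather than anything stated in the article.

```python
import ipaddress

# Assumed VLAN layout (constructed for this example, not from the article).
VLANS = {
    "trusted": ipaddress.ip_network("192.168.10.0/24"),
    "iot": ipaddress.ip_network("192.168.20.0/24"),
}

# Default deny: only these (source zone, destination zone) pairs may start a
# connection. "wan" means any address outside the VLANs listed above.
ALLOWED = {
    ("trusted", "iot"),  # users may reach their own DVRs and cameras
    ("trusted", "wan"),
    ("iot", "wan"),      # permitted, but still subject to inspection
}

# Mirai is known to spread over Telnet on these ports (general knowledge).
TELNET_PORTS = {23, 2323}

def zone_of(addr):
    """Map an IP address string to its zone name."""
    ip = ipaddress.ip_address(addr)
    for name, net in VLANS.items():
        if ip in net:
            return name
    return "wan"

def evaluate(flow):
    """Return (verdict, reason) for a (src, dst, dport) connection attempt."""
    src, dst, dport = flow
    pair = (zone_of(src), zone_of(dst))
    if pair[0] == pair[1]:
        return ("allow", "same VLAN, traffic never crosses the router")
    if pair not in ALLOWED:
        return ("block", f"{pair[0]} may not initiate to {pair[1]}")
    if pair == ("iot", "wan") and dport in TELNET_PORTS:
        return ("alert", "IoT device opening outbound Telnet")
    return ("allow", f"{pair[0]} -> {pair[1]} permitted")

# Constructed sample flows: (source, destination, destination port).
SAMPLE_FLOWS = [
    ("203.0.113.7", "192.168.20.15", 23),     # Internet host probing a DVR
    ("192.168.20.15", "192.168.10.5", 445),   # DVR reaching into trusted LAN
    ("192.168.10.5", "192.168.20.15", 554),   # user viewing a camera stream
    ("192.168.20.15", "198.51.100.9", 2323),  # DVR scanning outward
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow, evaluate(flow))
```
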


The FIREFX Network Guardian is a Router/UTM platform designed specifically for use in the CEDIA marketplace as a primary network router. It comes complete with a pre-configured VPN server and Mac/PC client, pre-configured VLAN separation, and an IDS/IPS system that automatically updates threat profiles twice daily. Available in both desktop and rackmount form factors, the Network Guardian is well suited for home, SOHO, and small to mid-sized business applications.
