Chinese factories are churning out hackable hardware, and no one is doing a thing to stop them.

In the aftermath of the attack, one company in particular has been implicated: Hangzhou Xiongmai Technologies. According to security researchers, the Chinese company built hardware and software for internet-connected security cameras that was insecure. Then hackers deployed a malicious strain of malware known as Mirai into the devices, and used them to direct huge amounts of internet traffic to Dyn, a Domain Name System (DNS) provider that often serves as a virtual “first stop” for computers connecting to sites on the internet.

 Popular websites including Twitter, Spotify, Netflix, and PayPal were knocked out by the Distributed Denial of Service (DDoS) attack…

As manufacturing supply chains have grown more fragmented globally, and electronics products have become commodities, security and safety standards haven’t caught up…

 What is Xiongmai Technologies?

Analysts say Hangzhou Xiongmai Technologies is one of the industry leaders in making and selling IP (Internet Protocol) camera modules. Still, there’s scant public information about the company…

The current CEO is also head of Hangzhou Jufeng Technologies, which also specializes in smart cameras. Jufeng also owns a a stake in Hangzhou Trade, and Chen Jinsheng is listed as a “supervisor.” All five companies are registered to the same address.

In what now seems like foreshadowing, the company attracted controversy earlier this year when Chen Jinsheng proudly touted in a public speech (link in Chinese) the company’s relentless pursuit of cost-cutting in order to drive sales of low-end products…

 … a 15-year cybersecurity industry veteran, on WeChat this June. He said that cost-cutting companies were “blood-sucking insects” killing China’s security industry, by driving prices down so low that it threatened to destroy it entirely…

While many internet-of-things (IoT) companies fail to secure their products properly, Xiongmai’s approach is particularly egregious, said Brian Karas, who follows the video surveillance industry at research firm IVPM. “In the current age of IoT devices, this is not just leaving your front door unlocked, it is like leaving it open for anyone to walk through,” he told Quartz.

These mostly Chinese manufacturers face fierce competition from their peers, each gunning to sell modules to the myriad of security camera companies—which now include legacy hardware firms like Honeywell, budding startups like Nest, and a plethora of unknown brands. Even among consumer-facing brands, the industry is heavily fragmented…

 Consumers, meanwhile, don’t buy cameras because they’re secure, they buy them for special features like waterproofing, sharp image resolution, or a Minion-shaped casing…

Consumers also bear some responsibility for enabling the Mirai attacks. Research showspeople repeatedly resist picking strong passwords for their devices. Rather than taking 10 seconds to choose a strong one with dollar signs and a mixture of uppercase and lowercase letters, they lazily resort to guessable ones like “password” and “123456.”

…security of IoT devices will be more challenging, as there are no US government regulators or independent agencies directly responsible for it. The CPSC told Quartz it cannot issue recalls of Xiongmai or other vulnerable cameras because the malfunction “seems to be related to an invasion of privacy,” and that’s not what it regulates. The CSPC will only intervene “when there is a risk of physical harm to consumers because of a defect with the product.” The US’s main consumer regulator doesn’t look at privacy. 

For most consumers, the DDoS attack on Dyn marked a minor inconvenience—Spotify or Twitter remained inaccessible for a few hours, but no greater harm was caused. But the same tactics used to slow internet access across the US could also be used to steal someone’s credit card information or email login credentials, spy on their home, or much worse in the near future.

Source: A collision of Chinese manufacturing, globalization, and consumer ignorance could ruin the internet