The Mirai botnet that attacked major internet sites on Oct. 21 has already hit the stock of companies focused on the internet of things (IoT), like General Electric Company (NYSE:GE) and Intel Corporation (NASDAQ:INTC).
Investors in this case made a mistake.
GE shares fell hard on Oct. 21, when word of the attack got out — but they quickly recovered, because the company's focus is on the industrial market, where security is not an afterthought. INTC was down 7% across five trading sessions — but based on poor earnings.
No, it is firms using cheap consumer devices in their IoT equipment that investors should be concerned about.
The problem was traced to a Chinese sub-assembly maker, Hangzhou Xiongmai, which hard-wired an easy-to-guess password into internet-linked camera systems sold until September 2015. Malware called Mirai, since published, could infect such devices and, upon a central command, launch a distributed denial of service (DDoS) attack against major websites on the east and west coasts.
The attack was later called a probe, or warning, by security experts.
Will Price, a cryptographer who founded home automation developer Simple Control and, before that, Pretty Good Privacy, an early mail encryption software producer, insisted to industry magazine CEpro that the internet of things is not to blame for the botnet, and resetting factory passwords to something unique for each network will solve the problem for most users.
A Slow Response
Hangzhou Xiongmai issued a recall on some of its products on Oct. 23 and urged customers to change default passwords. A statement emailed to reporters called the attack “a disaster” for the internet of things.
Brian Krebs of KrebsOnSecurity, reporting on both the recall and the Chinese government’s threats against outlets that get the story wrong, noted that the botnet looked for Xiongmai equipment with the username of root and the password xc3511, embedded in digital video recorders and IP camera boards.
He published a list of potential victims, consisting mainly of Chinese, Taiwanese and Japanese companies. Only devices connected to the wider Internet could have been made part of the botnet. Most of the connections use the machine-to-machine protocol Telnet.
Intel writes on one of its security sites that the botnet is an example of what happens when security problems migrate downstream into consumer markets. Manufacturers can prevent problems before they hit Original Equipment Manufacturers (OEMs).
So which OEMs got hit?
Who Got Hit
Xerox networked printers may be vulnerable, and Xerox recently issued a blog post about changing system administrator user names and passwords.
“Xerox strongly advises the changing of this password,” from default settings “as soon as possible,” the blog post reads. Xerox includes a short video on changing passwords for the Xerox WorkCentre 7500. But an earlier post on changing passwords, from 2012, has 35 responses, many expressing confusion over firmware updates and accessing these functions on various machines.
Since the start of October, Xerox shares are down almost 5%, and the company is in the process of spinning off its business document services business as Conduent.
Ubiquiti may have used Hangzhou Xiongmai chip sets in its AirOS Router, which appears on the Krebs list. The router appears to be vulnerable through its setup routine.
A user guide for Version 5.6 of the AirOS software shows the company recently expanded the length of passwords beyond 8 characters and urged administrators to change their logins through a system accounts screen.
Since the problem was identified, the company has issued no press releases about the AirOS. Ubiquiti confirmed in May that some of its outdated products were impacted by another attack, and recommended then that “firewall filtering” be used to prevent intrusions.
UBNT shares are up 66% so far this year, and were recently upgraded to market perform by JMP Securities. The company is due to report earnings on Nov. 3.
The Mirai problem is in the process of being solved, and the process through which it happened can also be fixed. But it will take time to reassure the market about the internet of things, and that process has barely begun.
Dana Blankenhorn is a financial journalist and author of the science fiction story Into the Cloud. Write him at firstname.lastname@example.org or follow him on Twitter at @danablankenhorn. As of this writing, he did not hold a position in any of the aforementioned securities. As of this writing, he was long INTC and GE.