A Chinese electronics maker has issued a recall for millions of products sold in the U.S. following a massive cyberattack that briefly blocked access to websites including Twitter and Netflix for many U.S. users, but has lashed out at critics who blamed its devices.
Hangzhou Xiongmai Technology said in a statement that customers failing to change their default passwords resulted in millions of web-connected cameras and digital recorders becoming compromised.
The hack has heightened long-standing fears among security experts that the rising number of connected home gadgets, appliances or even automobiles represents a cybersecurity nightmare. The added convenience of being able to control home electronics via the web also leaves them more vulnerable to malicious intruders, experts say.
Unidentified hackers seized control of gadgets including Xiongmai’s on Friday and directed them to launch an attack that temporarily disrupted access to a host of sites, which also included Amazon and Spotify, according to U.S. web security researchers.
The “distributed denial-of-service” attack targeted servers run by Dyn Inc., an internet company in Manchester, New Hampshire. These types of attacks work by overwhelming targeted computers with junk traffic, so legitimate traffic can’t get through.
In an acknowledgement of its products’ role in the hack, Xiongmai said Monday that it would recall products sold in the U.S. before April 2015 to demonstrate “social responsibility,” but added that its devices did not make up the majority of those used in the attack.
Researchers at the New York-based cybersecurity firm Flashpoint said most of the junk traffic heaped on Dyn came from internet-connected cameras and video-recording devices that had components made by Xiongmai. Those components had little security protection, so devices they went into became easy to exploit.
The company, which also makes dashboard cameras and computer chips, said it would recall more than 4 million web-connected cameras and has offered customers a software security fix. But it downplayed its culpability, saying that as even the world’s largest technology companies experience security lapses, “we are not afraid to also experience it once.”
Xiongmai also slammed “completely untrue, malicious and defamatory” reports about its products and appended a letter from its lawyers threatening litigation.