Chinese CCTV maker owns up to security flaws behind Friday's DynDNS attack

Hangzhou Xiongmai Technology admits culpability, but claims post-September 2015 devices should be secure

A China-based CCTV system manufacturer, Hangzhou Xiongmai Technology Company, has admitted that many of its products are insecure and form part of the Mirai botnet that took the Dyn DNS server on Friday, taking down several high-profile websites and services in the process.

The Mirai botnet comprises Internet of Things (IoT) devices that have been compromised by the Mirai malware, which exploits devices running old and insecure versions of the Linux operating system.

In particular, Mirai is believed to have infected hundreds of thousands of digital video recorders (DVRs) that are hooked up to CCTV systems, which are exposed to the internet so that their users can remotely keep tabs on their security systems.

But in an email to Bloomberg, the company admitted that some of its products had been compromised and used in the attack. However, it added, products made by the company since September 2015 ought to be more secure.

"Mirai is a huge disaster for the Internet of Things. Xiongmai have to admit that our products also suffered from hacker's break-in and illegal use," the company admitted in its email to Bloomberg. The company added, though, that it upgraded the firmware used in the devices that it makes a year ago, and has recalled a number of the older products.

It urged users to update the firmware and change the default user names and passwords. However, because companies like Xiongmai make CCTV systems for a variety of brands, users probably won't know whether their device was made by Xiongmai.

Security blogger Brian Krebs, however, has been keeping track of the IoT devices that have been found to be insecure since his own website was knocked offline in September.

The Mirai source code was published on hacker forums earlier this month to enable anyone to crack the (non-existent) security of the DVR systems, as well as being adapted for use in other malware projects.

Krebbs' investigative work has indicated that the Mirai source code was the work of a DDoS-for-hire service, which would appear to run its own domain registration service.

The malware scans the internet continuously for IoT devices running the old and unpatched Linux operating system, before running a table of common default user names and passwords in order to log-in to the devices. The devices remain uninfected by the malware until rebooted and, if the password is not changed immediately, will infect the device within minutes.

The infected IoT devices will connect to a command and control server, enabling the hackers to use them for their own ends, whether that is conducting DDoS attacks or mining for bitcoin.

Security software company Bullguard has put together a service that can scan a home network against the Shodan database of open IoT ports.