Don't all rush out at once, but there are a million devices ripe to be the next big botnet

A wormable vulnerability involving an estimated one million digital video recorders (DVRs) is at risk of creating a Mirai-style botnet, security researchers warn. UK-based security consultancy Pen Test Partners said that the issue stems from a zero-day (unpatched) flaw in networking software from Chinese manufacturer XiongMai …

  1. Christopher Reeve's Horse Silver badge

    Slow performance

    So maybe this is why my Freeview box feels so under-powered that it often struggles to bring up the TV guide, perhaps it's busy doing someone else's malignant bidding - using higher user privileges than I've obviously got too!

    1. Paul Crawford Silver badge

      Re: Slow performance

      No, that is just shit software.

      Like my VM Tivo box that takes longer to come out of hibernation than the old CRT television takes to be up and displaying a picture from cold.

    2. The Man Who Fell To Earth Silver badge

      Re: Slow performance

      I just want names. Saying there's a million DVRs is useless.

  2. Anonymous Coward


    This means I can get back into the Chinese NVR I recently purchased but forgot the temporary password to.

    I wasn't concerned as the Chinese cameras I bought have a simple hack posted on YouTube to get past the password prompt, so this was just a matter of time.

    Some vendors seem to improve the firmware a little but most of these things are just flashing "Hack Here" signs and people go putting them on the internet, bless.

  3. Paul Crawford Silver badge

    Better use?

    Shame that malware writers would not use such vulnerable boxes for something usefully illegal such as Pirate Bay proxies...

  4. wyatt

    Is this news any more? People purchasing technology/devices have a budget, they'll buy what they can afford. They'll also configure it/secure it/expect it to perform in line with their knowledge of the market/devices abilities.

    How to move forward? Does it require government intervention to specify a level of software design? If so then people will just buy elsewhere because it'll be cheaper and have a 'tested secure' forged badge on it. Is more education/training needed at school level for users to understand privacy and control? That in turn would lead to more questions/considerations when making a purchase.

    My opinion is that the recent development of technology and its relative cost (cheapening by the day making it more accessible) will plateau out and other considerations (design/function/security) will become more prevalent.

    The world is changing; people who exploit are the ones who ensure they keep up with technology. Everyone else gets caught up in the next best thing which isn't, as most of us know, actually that great. I estimate a few years for this type of vulnerability to reduce; by then something else will have come along.

  5. Doctor Syntax Silver badge

    Probably safe

    Why bother writing code when there are enough devices out there with duff passwords?

  6. John Smith 19 Gold badge

    "There are more than 50 different brands of DVR that use this software,"

    I did not know there were that many brands of DVR out there.

    Although I suspected many of them were s**t.

    Now I know I'm right.

    1. Korev Silver badge

      Re: "There are more than 50 different brands of DVR that use this software,"

      There are probably many "own brands" included in that figure, Wikipedia suggests that the UK's Dixons have five alone.

      1. Anonymous Coward

        Re: "There are more than 50 different brands of DVR that use this software,"

        Yes, it's Dixons/Argos/Tesco and the like putting 3 "brands" out that are just the same things, different badge, different price. What a rip off!

  7. Donn Bly


    Isn't this old, recycled news? Flashpoint published this last October. "Pen Test Partners" is a bit late in the game. IPVM titled their take on it "Move Over Dahua, Xiongmai Is The Real Botnet King"

    I can't find the original article on Flashpoint anymore (it was titled "when-vulnerabilities-travel-downstream") but you can find plenty of places that quote it; just do a Google search with one of the quotes: "countless DVR manufacturers buy parts preloaded with Linux and rudimentary management software from a company called XiongMai".

  8. Anonymous Coward

    Only a Million?

    Now that is surprising.

  9. David Roberts

    Open ports?

    Presumably the ones being counted all have open ports listening to the Internet?

    Just wondering why.

    Are these all surveillance camera systems set up for remote access? As others have said a list of devices would be helpful.

  10. Infernoz Bronze badge

    What happens when robotic devices get hijacked via these botnets?!

    Fiction has been warning about robotic device hijacking for several decades now, including in anime films like Ghost in the Shell (1995) and Paprika (2006), and Stuxnet happened too!

    What happens if this hijacking is driven by a hard to stop bot-net, possibly jumping between different makes/types of insecure devices/software, and targeting potentially deadly robotic devices like an asserted imminent flood of connected assisted/self-drive cars? Panic!

    I can see crisis regulation happening if manufacturers don't lock-down/support devices properly soon, including possible forced scrapping of non-fixable/unsupported connected devices/software, and not even allowing connectivity in some classes/types of device.

    r-type decadence like promiscuity and lax security later cause significant costs, as we now see with human demographic decay, cultural decay, and alien refuse invasion in developed countries; similar principles apply to connected computing devices, especially those designed by r-types!


Biting the hand that feeds IT © 1998–2020