China-based Hangzhou Xiongmai Technology Co. Ltd. said today it will recall some of its products sold in the United States after researchers identified components as being targeted in Friday’s massive distributed denial of service attack.

During the attack, hackers used a wide variety of Internet of Things devices across the world — including devices such as Internet-connected cameras, digital recorders and routers — in order to pummel industry domain name service Dyn DNS Company with an overwhelming amount of traffic. When Dyn went offline, it caused outages for popular websites such as Twitter, PayPal and Reddit.

Xiongmai Technology builds electronic components for surveillance cameras and today announced that it would recall some of its U.S.-sold products in order to strengthen password management.

Many Internet-connected devices used in these massive attacks are often taken over by hackers due to poor security — in most cases because users fail to change the default password.

Researchers at Flashpoint identified that Friday’s massive attack was led primarily by digital video recorders (DVRs) and IP cameras, specifically identifying Xiongmai’s components used in the afflicted devices. The Mirai botnet, a coordinated number of compromised computers and devices, used in the attack against Dyn was also identified as the same botnet used to hit security researcher Krebs on Security with a record 620 Gbps DDoS last month.

“It’s remarkable that virtually an entire company’s product line has just been turned into a botnet that is now attacking the United States,” said Allison Nixon, director of research at Flashpoint.

These attacks have continued to expand year-over-year with increased numbers and sophistication as hackers continue to employ stronger attacks along with longer attack times.

Attackers have also begun targeting Internet critical infrastructure more often in ways that effect widespread outages. Dyn DNS is a managed service used by a large number of consumer-oriented websites and mobile applications including PayPal, Twitter, Amazon, Spotify and Netflix.

Earlier this year, over Labor Day weekend, attackers targeted managed server hosting provider Linode LLC, which hosts over 500,000 websites and several JavaScript libraries used for mobile and web user interfaces. That outage intermittently took a multitude of websites and mobile apps offline.

In its statement, Xiongmai noted that it is not alone in being targeted: “Security issues are a problem facing all mankind,” the company said. “Since industry giants have experienced them, Xiongmai is not afraid to experience them once, too.”

The company also added that reports that its products made up the bulk of the attack were false. Even if Xiongmai products were a small part of the attacks, however, it would lighten the impact of future attacks for the company to better secure them.

Featured image credit: [ henning ] 2006-09-12 Orange County security via photopin (license)