9 million Xiongmai cameras, DVRs wide open to attack

SEC Consult researchers have issued a warning about a handful of critical vulnerabilities they discovered in video surveillance equipment by Chinese manufacturer Hangzhou Xiongmai Technology. Source: Help Net Security

The discovered vulnerabilities include a default admin password (i.e., no password, and no requirement to set one in the initial setup phase), insecure default credentials for a hardcoded “default” account, multiple unencrypted communication channels, and a failure to check the integrity of firmware updates, which are not signed.

The IDs that allow users to connect to the company’s “XMEye P2P Cloud” and interact with their devices are easily derived from the MAC address of the device, the researchers added, and the connection to the cloud server provider (which is enabled by default) is not encrypted. There is also no information on who runs those servers and where they are located.

And finally, to top it all, they found that the P2P Cloud feature bypasses firewalls and allows remote connections into private networks.

Xiongmai-manufactured devices were among those that were conscripted into Mirai IoT botnets in 2016, as they offered high-privileged shell access over TCP ports 23 and 9527 using hard-coded credentials.