A year ago, Chinese white-label CCTV/DVR vendor Xiongmai announced a recall and security update for its devices, whose weak security meant that they had been conscripted into a massive, unstoppable botnet.
A year later, Xiongmai’s promises have been broken: the company has invested precious little resource into keeping its security current, and as a result the cameras and recorders it sells are routinely compromised by voyeurs (who use them to spy on their owners), criminals (who use them to case businesses and plan crimes) and cybercriminals (who take over the devices and use them to run bot attacks of various kinds, from denial-of-service to simply disguising the location of another attack by using a hacked device as a proxy).
To complicate the matter, Xiongmai is a white-label vendor whose products are sold under hundreds of brand-names, making it nearly impossible to tell whether you are about to buy (or already own) one of their defective products. It may not matter: Xionmai’s major competitor, TVT, is another white label CCTV/DVR giant, and its products are incredibly insecure and it, too has failed to take action to fix things.
The exploits used to take over these devices are not supervillainry: thanks to weak default passwords, deliberate backdoors, and bad design decisions (like not forcing a password change during setup), they are taken over in their thousands by clumsy, amateurish exploits.
The latest Xiongmai vulnerability advisory comes from SEC Consult (who previously revealed similar defects in Shenzhen Gwelltimes Technology Co., Ltd’s constellation of white-label internet of shit gadgets): they explored vulnerabilities in Xiongmai’s cloud management system, called the “XMEye P2P Cloud.”
Logins for this system are easily guessed because they are derived from Xiongmai products’ sequential MAC addresses; the passwords use weak default usernames (“admin” and no password!), and every device has a second, hidden backdoor account whose login/pass is “default/tluafed.”
Once an attacker gains access to a device, they have the ability to flash its firmware, and because Xiongmai doesn’t practice firmware signing, an attacker can load anything onto its products.
Xiongmai, like its competitors, was unresponsive to reports and warnings from SEC Consult, ignoring their communications and stonewalling, prompting SEC to finally publish a report so that Xiongmai customers could have a chance of knowing whether their products were defective. There are 9,000,000+ Xiongmai devices in use, all white-labeled to appear to come from other companies.
The most reliable way to determine if you own a Xiongmai product is to see if its control systems mention “XMEye.” But even if you ditch your Xiongmai product, it’s clear that the whole industry is a cesspool of flaming garbage devices, and there’s probably not an alternative you can trust.
SEC Consult says it was able to track down more than a hundred other vendors that bought Xiongmai white-label devices and put their logo on top. The list includes names such as: 9Trading, Abowone, AHWVSE, ANRAN, ASECAM, Autoeye, AZISHN, A-ZONE, BESDER/BESDERSEC, BESSKY, Bestmo, BFMore, BOAVISION, BULWARK, CANAVIS, CWH, DAGRO, datocctv, DEFEWAY, digoo, DiySecurityCameraWorld, DONPHIA, ENKLOV, ESAMACT, ESCAM, EVTEVISION, Fayele, FLOUREON , Funi, GADINAN, GARUNK, HAMROL, HAMROLTE, Highfly, Hiseeu, HISVISION, HMQC, IHOMEGUARD, ISSEUSEE, iTooner, JENNOV, Jooan, Jshida, JUESENWDM, JUFENG, JZTEK, KERUI, KKMOON, KONLEN, Kopda, Lenyes, LESHP, LEVCOECAM, LINGSEE, LOOSAFE, MIEBUL, MISECU, Nextrend, OEM, OLOEY, OUERTECH, QNTSQ, SACAM, SANNCE, SANSCO, SecTec, Shell film, Sifvision / sifsecurityvision, smar, SMTSEC, SSICON, SUNBA, Sunivision, Susikum, TECBOX, Techage, Techege, TianAnXun, TMEZON, TVPSii, Unique Vision, unitoptek, USAFEQLO, VOLDRELI, Westmile, Westshine, Wistino, Witrue, WNK Security Technology, WOFEA, WOSHIJIA, WUSONLUSAN, XIAO MA, XinAnX, xloongx, YiiSPO, YUCHENG, YUNSYE, zclever, zilnk, ZJUXIN, zmodo, and ZRHUNTER.
Over nine million cameras and DVRs open to APTs, botnet herders, and voyeurs [Catalin Cimpanu/Zdnet]
(Image: Cryteria, CC-BY)