MILLIONS OF XIONGMAI VIDEO SURVEILLANCE DEVICES CAN BE HACKED VIA CLOUD FEATURE (XMEYE P2P CLOUD)

fenderman · Oct 9, 2018

Here we go again...
Millions of Xiongmai Video Surveillance Devices Can be Hacked via Cloud Feature (XMEye P2P Cloud) | SEC Consult

Hangzhou Xiongmai Technology Co., Ltd XMeye P2P Cloud Server | ICS-CERT

From Krebs, he points out that they lied about recalling insecure devices last time.
Naming & Shaming Web Polluters: Xiongmai — Krebs on Security

Will they fail to respond like last time?
Xiongmai Technology IP Cameras and DVRs HACKED

EDIT: Keep in mind that this affects many brands that rebrand Xiongmai including SUNBA, SANNCE, BESDER, Zmodo and others listed in the articles.

TonyR · Oct 9, 2018

If folks, especially the noobs, forget everything else, they need to remember:

NO to P2P
NO to uPNP
NO to port forwarding
NO to wireless
YES to VPN

EDIT: Added "NO to wireless" to correct my oversight. Although not necessarily a network security risk, its use poses a dependability issue and I figured as long as we're offering good advice, especially to noobs, might as well make that advice accurate and valuable.
Not to mention that @looney2ns just said that exact phase in another thread here, which made me think...no mean feat in itself.

fenderman · Oct 10, 2018

As expected no announcement by Xiongmai. Nothing from rebranders like Sunba. Although its funny to note that sunba has an announcement claiming that someone is counterfeiting their cameras Counterfeit Warning:Woaser Direct - Sunba Technology Co., Ltd -

TonyR · Oct 11, 2018

Thanks, @fenderman.

I visited all the links and read 99.9% of the info, fighting off falling asleep in doing so, but am glad I did. I discovered that the little xmEYE model TOP-201 I bought for my bluebird box project is on that list. The tipoff was the appearance and name (HTML's "Title") of the webGUI of the camera (NETSurveillance Web) and the activeX downloaded to view the webGUI (NewActive.exe).

This camera was first reviewed (AFAIK) on IPCT back in Dec. 2014 here .

The articles provided images and specific info needed to identify the TOP-201 (at least the one I have) as one of the offenders. As evidenced by the images below, the webGUI looked exactly like the one warned about in the articles, as did the HTML response when I inputted "cam-IP/err.htm"

Results when inputting URL of "camera-IP/err.htm" :

fenderman · Oct 11, 2018

An interesting tidbit from the SEC Consult article.
"Note: The password hash of the “default” user is “OxhlwSG8” (stored in /mtd/Config/Account1). The hash algorithm was reverse engineered before and is implemented on GitHub. Basically, it is a result of MD5(password) and compressed even further. For complex passwords it should be more efficient to find a hash collision than to crack the password. Interestingly, the same hash algorithm is used in products from Dahua Technology. Possibly Xiongmai copied from Dahua or the hash algorithm is part of the Huawei HiSilicon SoC SDK both vendors use?"

Securame · Oct 15, 2018

TonyR said:
If folks, especially the noobs, forget everything else, they need to remember:

NO to P2P

That might be a problem when it comes activated as default, as it is the case with Xiongmai units.

TonyR · Oct 15, 2018

Securame said:
That might be a problem when it comes activated as default, as it is the case with Xiongmai units.

If I could not disabled it, I would not scan the QR code or enter the UID.
If I could not disable it and the UID was hard-coded, I would not deploy the unit...problem solved....but that's just me.

Search

Search

MILLIONS OF XIONGMAI VIDEO SURVEILLANCE DEVICES CAN BE HACKED VIA CLOUD FEATURE (XMEYE P2P CLOUD)

fenderman

TonyR

fenderman

TonyR

fenderman

Securame

Pulling my weight

TonyR