MILLIONS OF XIONGMAI VIDEO SURVEILLANCE DEVICES CAN BE HACKED VIA CLOUD FEATURE (XMEYE P2P CLOUD)

Discussion in 'Chit-Chat' started by fenderman, Oct 9, 2018.


  1. fenderman

    fenderman Staff Member

    Joined:
    Mar 9, 2014
    Messages:
    26,418
    Likes Received:
    6,876
    Here we go again...
    Millions of Xiongmai Video Surveillance Devices Can be Hacked via Cloud Feature (XMEye P2P Cloud) | SEC Consult

    Hangzhou Xiongmai Technology Co., Ltd XMeye P2P Cloud Server | ICS-CERT

    From Krebs, he points out that they lied about recalling insecure devices last time.
    Naming & Shaming Web Polluters: Xiongmai — Krebs on Security

    Will they fail to respond like last time?
    Xiongmai Technology IP Cameras and DVRs HACKED

    EDIT: Keep in mind that this affects many brands that rebrand Xiongmai including SUNBA, SANNCE, BESDER, Zmodo and others listed in the articles.
     
    Last edited: Oct 10, 2018
    Securame, RyanODan, Mike and 3 others like this.
  2. TonyR

    TonyR Known around here

    Joined:
    Jul 15, 2014
    Messages:
    2,151
    Likes Received:
    1,699
    Location:
    Alabama
    If folks, especially the noobs, forget everything else, they need to remember:
    • NO to P2P
    • NO to UPnP
    • NO to port forwarding
    • NO to wireless
    • YES to VPN

    EDIT: Added "NO to wireless" to correct my oversight. Although not necessarily a network security risk, its use poses a dependability issue and I figured as long as we're offering good advice, especially to noobs, might as well make that advice accurate and valuable.
    Not to mention that @looney2ns just said that exact phrase in another thread here, which made me think...no mean feat in itself.
     
    Last edited: Oct 12, 2018
    JDJ, Olddawg, Rob Bond and 9 others like this.
  3. fenderman

    fenderman Staff Member

    Joined:
    Mar 9, 2014
    Messages:
    26,418
    Likes Received:
    6,876
    looney2ns likes this.
  4. TonyR

    TonyR Known around here

    Joined:
    Jul 15, 2014
    Messages:
    2,151
    Likes Received:
    1,699
    Location:
    Alabama
    Thanks, @fenderman.

    I visited all the links and read 99.9% of the info, fighting off falling asleep in doing so, but am glad I did. I discovered that the little xmEYE model TOP-201 I bought for my bluebird box project is on that list. The tipoff was the appearance and name (HTML's "Title") of the webGUI of the camera (NETSurveillance Web) and the ActiveX downloaded to view the webGUI (NewActive.exe).

    This camera was first reviewed (AFAIK) on IPCT back in Dec. 2014 here.

    The articles provided images and specific info needed to identify the TOP-201 (at least the one I have) as one of the offenders. As evidenced by the images below, the webGUI looked exactly like the one warned about in the articles, as did the HTML response when I entered "cam-IP/err.htm".

    XMEYE_WEBgui.jpg


    Results when entering the URL "camera-IP/err.htm":

    XMEYE_err-htmi.jpg
     
    Last edited: Oct 11, 2018
    fenderman, looney2ns and gwminor48 like this.
  5. fenderman

    fenderman Staff Member

    Joined:
    Mar 9, 2014
    Messages:
    26,418
    Likes Received:
    6,876
    An interesting tidbit from the SEC Consult article.
    "Note: The password hash of the “default” user is “OxhlwSG8” (stored in /mtd/Config/Account1). The hash algorithm was reverse engineered before and is implemented on GitHub. Basically, it is a result of MD5(password) and compressed even further. For complex passwords it should be more efficient to find a hash collision than to crack the password. Interestingly, the same hash algorithm is used in products from Dahua Technology. Possibly Xiongmai copied from Dahua or the hash algorithm is part of the Huawei HiSilicon SoC SDK both vendors use?"
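    As an added example (my own code, not from the thread, the SEC Consult article, Xiongmai, or the GitHub project the note mentions), here is a Python reimplementation of the "compressed MD5" scheme the quoted note describes, following the construction used by the public reimplementations: the 16 MD5 bytes are summed in adjacent pairs, each sum is reduced modulo 62 and mapped to a digit or letter, giving an 8-character hash. That pairing-and-mod-62 construction is an assumption on my part; the page only says "MD5(password) and compressed even further". The second half makes the defender's point in the note concrete: the stored value can only take 62^8 (about 2^47.6) distinct values, so for any password longer than about seven printable characters it is cheaper to search the hash space for any matching input than to guess the password, and extra password length buys nothing. The "OxhlwSG8" value the page reports for the "default" user is not recomputed here.

```python
import hashlib
import math

# Output alphabet of the compressed hash: 0-9, A-Z, a-z (62 symbols).
ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def xm_compressed_hash(password: str) -> str:
    """Assumed construction of the 8-character 'compressed MD5' hash.

    Sum MD5 byte pairs (0,1), (2,3), ..., (14,15), reduce each sum mod 62
    and emit the matching alphabet character. Only 8 output characters
    are produced regardless of the password length.
    """
    digest = hashlib.md5(password.encode("utf-8")).digest()
    chars = []
    for i in range(8):
        n = (digest[2 * i] + digest[2 * i + 1]) % 62
        chars.append(ALPHABET[n])
    return "".join(chars)


def output_space() -> int:
    """Number of distinct hash values the scheme can ever store."""
    return len(ALPHABET) ** 8


def effective_bits() -> float:
    """Security the stored hash can offer at most, in bits (log2 of 62^8)."""
    return 8 * math.log2(len(ALPHABET))


def max_useful_password_length(charset_size: int) -> int:
    """Largest password length at which guessing the password is still no
    harder than searching the hash's output space.

    Beyond this length, an attacker would rather find *any* input that
    maps to the stored 8-character value than guess the real password,
    so additional length adds no protection.
    """
    n = 0
    while charset_size ** (n + 1) <= output_space():
        n += 1
    return n


if __name__ == "__main__":
    # Constructed sample inputs; the empty string is a handy known value.
    for pw in ["", "hunter2", "correct horse battery staple"]:
        print(repr(pw), "->", xm_compressed_hash(pw))
    print("distinct hash values:", output_space())
    print("effective strength: %.1f bits" % effective_bits())
    print("useful length for 95 printable chars:",
          max_useful_password_length(95))
```

Usage note: the empty-string input hashes to "tlJwpbo6" under this construction; every other input, however long, is squeezed into the same 8-character space, which is why the note recommends rotating away from the built-in "default" account rather than relying on a complex password for it.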
     
  6. Securame

    Securame Pulling my weight

    Joined:
    Mar 25, 2014
    Messages:
    436
    Likes Received:
    108
    Location:
    Barcelona, Spain
    That might be a problem when it comes activated by default, as is the case with Xiongmai units.
     
  7. TonyR

    TonyR Known around here

    Joined:
    Jul 15, 2014
    Messages:
    2,151
    Likes Received:
    1,699
    Location:
    Alabama
    If I could not disable it, I would not scan the QR code or enter the UID.
    If I could not disable it and the UID was hard-coded, I would not deploy the unit...problem solved....but that's just me.
     
    awsum140 and looney2ns like this.