MILLIONS OF XIONGMAI VIDEO SURVEILLANCE DEVICES CAN BE HACKED VIA CLOUD FEATURE (XMEYE P2P CLOUD)

fenderman

Staff member
Joined
Mar 9, 2014
Messages
34,419
Reaction score
14,773
Here we go again...
Millions of Xiongmai Video Surveillance Devices Can be Hacked via Cloud Feature (XMEye P2P Cloud) | SEC Consult

Hangzhou Xiongmai Technology Co., Ltd XMeye P2P Cloud Server | ICS-CERT

From Krebs, he points out that they lied about recalling insecure devices last time.
Naming & Shaming Web Polluters: Xiongmai — Krebs on Security

Will they fail to respond like last time?
Xiongmai Technology IP Cameras and DVRs HACKED

EDIT: Keep in mind that this affects many brands that rebrand Xiongmai including SUNBA, SANNCE, BESDER, Zmodo and others listed in the articles.
 
Last edited:

TonyR

IPCT Contributor
Joined
Jul 15, 2014
Messages
7,029
Reaction score
9,715
Location
Alabama
If folks, especially the noobs, forget everything else, they need to remember:
  • NO to P2P
  • NO to uPNP
  • NO to port forwarding
  • NO to wireless
  • YES to VPN

EDIT: Added "NO to wireless" to correct my oversight. Although not necessarily a network security risk, its use poses a dependability issue and I figured as long as we're offering good advice, especially to noobs, might as well make that advice accurate and valuable.
Not to mention that @looney2ns just said that exact phase in another thread here, which made me think...no mean feat in itself.
 
Last edited:

TonyR

IPCT Contributor
Joined
Jul 15, 2014
Messages
7,029
Reaction score
9,715
Location
Alabama
Thanks, @fenderman.

I visited all the links and read 99.9% of the info, fighting off falling asleep in doing so, but am glad I did. I discovered that the little xmEYE model TOP-201 I bought for my bluebird box project is on that list. The tipoff was the appearance and name (HTML's "Title") of the webGUI of the camera (NETSurveillance Web) and the activeX downloaded to view the webGUI (NewActive.exe).

This camera was first reviewed (AFAIK) on IPCT back in Dec. 2014 here .

The articles provided images and specific info needed to identify the TOP-201 (at least the one I have) as one of the offenders. As evidenced by the images below, the webGUI looked exactly like the one warned about in the articles, as did the HTML response when I inputted "cam-IP/err.htm"

XMEYE_WEBgui.jpg


Results when inputting URL of "camera-IP/err.htm" :

XMEYE_err-htmi.jpg
 
Last edited:

fenderman

Staff member
Joined
Mar 9, 2014
Messages
34,419
Reaction score
14,773
An interesting tidbit from the SEC Consult article.
"Note: The password hash of the “default” user is “OxhlwSG8” (stored in /mtd/Config/Account1). The hash algorithm was reverse engineered before and is implemented on GitHub. Basically, it is a result of MD5(password) and compressed even further. For complex passwords it should be more efficient to find a hash collision than to crack the password. Interestingly, the same hash algorithm is used in products from Dahua Technology. Possibly Xiongmai copied from Dahua or the hash algorithm is part of the Huawei HiSilicon SoC SDK both vendors use?"
 

TonyR

IPCT Contributor
Joined
Jul 15, 2014
Messages
7,029
Reaction score
9,715
Location
Alabama
That might be a problem when it comes activated as default, as it is the case with Xiongmai units.
If I could not disabled it, I would not scan the QR code or enter the UID.
If I could not disable it and the UID was hard-coded, I would not deploy the unit...problem solved....but that's just me.
 
Top