Slashdot Mirror


Over Nine Million Cameras and DVRs Open To APTs, Botnet Herders, and Voyeurs (zdnet.com)

Millions of security cameras, DVRs, and NVRs contain vulnerabilities that can allow a remote attacker to take over devices with little effort, security researchers have revealed today. From a report: All vulnerable devices have been manufactured by Hangzhou Xiongmai Technology Co., Ltd. (Xiongmai hereinafter), a Chinese company based in the city of Hangzhou. But end users won't be able to tell that they're using a hackable device because the company doesn't sell any products with its name on them, but ships all equipment as white label products on which other companies put their logo on top. Security researchers from EU-based SEC Consult say they've identified over 100 companies that buy and re-brand Xiongmai devices as their own. All of these devices are vulnerable to easy hacks, researchers say. The source of all vulnerabilities is a feature found in all devices named the "XMEye P2P Cloud." The XMEye P2P Cloud works by creating a tunnel between a customer's device and an XMEye cloud account. Device owners can access this account via their browser or via a mobile app to view device video feeds in real time. SEC Consult researchers say that these XMEye cloud accounts have not been sufficiently protected. For starters, an attacker can guess account IDs because they've been based on devices' sequential physical addresses (MACs). Second, all new XMEye accounts use a default admin username of "admin" with no password.

34 comments

  1. Sigh, China again by Anonymous Coward · · Score: 0

    Can't we occasionally be disappointed by another country?

    1. Re:Sigh, China again by ASDFnz · · Score: 1

      Well done.

      I cannot tell if you're serious or not.

    2. Re:Sigh, China again by rogoshen1 · · Score: 2

      it's a sino-the-times. =/

  2. Blocked at router by Anonymous Coward · · Score: 0

    On the router, any new device has NO internet connectivity.

    That is what VPNs are for. Something I can control.

    Nothing IoT needs to actually connect to the internet directly.

    1. Re:Blocked at router by BitterOak · · Score: 1

      Bad news. Your router was made in China and rebranded!

      --
      If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
    2. Re:Blocked at router by Anonymous Coward · · Score: 0

      Thought of that. Wiped the firmware, now runs linux.

  3. Wanna see hot nekkid women by Anonymous Coward · · Score: 0

    does ms mash have one of these?

  4. Exhibitionist by Oswald+McWeany · · Score: 2, Funny

    As an exhibitionist I regularly dance naked in front of my internet connected cameras. Unfortunately mine aren't on the list provided by ZDNet.

    --
    "That's the way to do it" - Punch
    1. Re:Exhibitionist by Lab+Rat+Jason · · Score: 1

      I know right? I constantly hope someone cares enough... to be watching... please?

      --
      Which has more power: the hammer, or the anvil?
  5. admin user no password by olsmeister · · Score: 1

    These are going to be illegal to sell in California. Ha!

    1. Re:admin user no password by Anonymous Coward · · Score: 0

      I bet Jerry Brown thought he was signing legislature regarding the Pony Express.

    2. Re: admin user no password by Anonymous Coward · · Score: 0

      I know you're being facetious, but does the law just ban these passwordless logins on the devices themselves, or as is the case here: does it also ban devices that connect to a cloud service without a password?

    3. Re:admin user no password by Jane+Q.+Public · · Score: 3, Informative

      Tips on getting a home "security" camera, or other networked devices:

      (1) If you don't know how to set it up yourself, either learn, or get a "supervised" home security system. With all the security holes that entails. Don't try to DIY-it with cheap Chinese stuff.

      (2) If you DO know how to set these things up yourself, then:

      (a) Make sure it will operate over the local network without a remote internet connection.

      (b) If registration of the device over the internet is mandatory, be suspicious. Those in (a) require remote access by the company to work. Not all do. But some registered with a company but don't "require" internet access will "call home" anyway if connected.

      (c) Make sure it will work with generic cam software (such as ONVIF), not just the company's own.

      (d) Set it up on your home network, establish username/password, then set your router to port forward (via a DIFFERENT remote port) to your camera IP/port, set your "generic" software to access the camera just like from home, but using external IP and external port.

      (e) Enjoy

    4. Re:admin user no password by Jane+Q.+Public · · Score: 1

      BIG HINT: This means things like NEST, Alexa, Smart Things, etc. all of which are controlled remotely by someone else are not valid choices. Siri is maybe not as bad but still questionable.

      Wait for local language processing to arrive. It will within about two years. If you insisted on getting that other thing earlier, then switch.

  6. Reveals fundamental issue by SuperKendall · · Score: 1

    Unfortunately mine aren't on the list provided by ZDNet.

    So if I can summarize what you are saying here, the fundamental flaw revealed is that there's no submission page to get your own cameras added to the list.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  7. Scare words, scary scary scare words by Anonymous Coward · · Score: 1

    But where's the content?

    1. Re:Scare words, scary scary scare words by XXongo · · Score: 1

      But where's the content?

      The content is on the internet, account name "admin," no password.

    2. Re:Scare words, scary scary scare words by grep+-v+'.*'+* · · Score: 1

      account name "admin," no password.

      I know some admins like that.

      "What's THAT?" they say. That's a computer.
      "But where's the monitor?" It doesn't have one.
      "(smugly) Then it's not a computer, is it?"

      A friend of mine has a picture of a guy praying: Lord, please grant me the ability to stab people over UDP. It's this, but improved. I think he was doing port knocking with attitude.

      --
      If the universe is someone's simulation -- does that mean the stars are just stuck pixels?
  8. cool! set it up! by Anonymous Coward · · Score: 0

    and pop some corn!

  9. DIY cams are much more secure by Anonymous Coward · · Score: 0

    Because the underlying OSes wouldn't contain Chinese bugs!!!

    1. Re: DIY cams are much more secure by Anonymous Coward · · Score: 0

      Ah, but what if it was a DIY cam made by a Chinese person?

      Mind. Blown.

  10. come on slashdot! by RhettLivingston · · Score: 4, Funny

    Links to 9 million streams or it didn't happen!

  11. That list of 'company names' by Anonymous Coward · · Score: 0

    Is laughable. None of them sound like anything I would want.

  12. Old news by Anonymous Coward · · Score: 0

    By Catalin Cimpanu for Zero Day | October 9, 2018 -- 15:35 GMT (08:35 PDT)

    If only the editors had been looking at the webcam in Catalin Cimpanu's office as he was writing this article, Slashdot might've posted this when it was fresh.

    Sigh.

  13. Someone tell the feds by Anonymous Coward · · Score: 0

    I bet at least one is a parent's security camera in their teen's bedroom with the kid [censored]ing his girlfriend for all to see. Feds love busting k1dd13 p0rn makers even if the people aren't aware that they are making it.

  14. Networking 101 by Anonymous Coward · · Score: 0

    I had these cameras before and the easiest fix was to set the "call home" address in the DNS to 127.0.0.1, or set a bad default gateway on the cameras themselves. The issue is with folks being able to break into the camera via the cloud app, so stop the camera from talking to the cloud app and you stop them from getting to the camera. I know it's not an ideal situation if you only have one or two and want to be able to remote monitor, but if you have dozens installed then you're not accessing the cameras individually anyway; you're going through some DVR interface which has a single entrance point which should be easier to secure. The other reason this was/is rampant was that many admins weren't changing the default userid and the password (if they set one at all) was very simple. It's just like any other device on the network: if it's exposed to the outside or has the capability to be, then it needs to be properly secured.

  15. Secret second account? by martinX · · Score: 1

    FTA: "there is also a second hidden account with the username and password combo of default/tluafed". That sounds very deliberate.

    --
    When they came for the communists, I said "He's next door. Take him away. Goddam commies."
  16. Let's welcome more camera devices by AHuxley · · Score: 2

    from big ad brands into more rooms.
    We can trust the big ad brands.

    --
    Domestic spying is now "Benign Information Gathering"
  17. FTC should step in by schwit1 · · Score: 1

    The FTC should ask the largest retailers to remove these devices from their stores as an internet health hazard.

  18. What I did ... by CaptainDork · · Score: 1

    ... to test my WiFi connections per the article:
    I run Who's On My Wifi and copied the IP column into Excel.
    Where cell A1 is 192.168.000.001 cell B1 is ="start http://"&A1&"/err.htm"
    For row 2 & 3:
    192.168.000.002 ="start http://"&A2&"/err.htm"
    192.168.000.004 ="start http://"&A3&"/err.htm"
    etc ...
    Then I copied the contents of column B into Notepad and saved as a .bat file to the Desktop:
    --
    start http://192.168.000.019/err.htm
    start http://192.168.000.001/err.htm
    start http://192.168.000.002/err.htm

    exit
    --
    I executed the .bat file and it opened 37 instances of Firefox.
    The only two hits I got were for my R7000 Netgear Router login page (none of the usernames/passwords in TFA worked because I had changed them) and an error page on my Brother printer (did not look like error in TFA).
    The other pages found nothing.

    --
    It little behooves the best of us to comment on the rest of us.
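    The same LAN inventory check the poster scripted as a .bat file, written as an added Python example (not the poster's code, not from the article): it requests /err.htm from each address in the pasted IP column and reports which hosts answer, instead of opening a browser window per host. It assumes the hosts are on your own network, keeps the zero-padded addresses as the Wi-Fi tool prints them, and takes an injectable fetch function so it can be run against canned results offline.

```python
"""Sweep a list of LAN IPs for the /err.htm page discussed in the thread.

Added example, not code from the Slashdot post or the ZDNet article.
Assumption: every address belongs to a network you administer.
"""
import ipaddress
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, Optional

ERR_PATH = "/err.htm"   # the path the commenter's .bat file requested


def build_url(ip: str) -> str:
    """Turn a possibly zero-padded address ("192.168.000.019") into a URL.

    ipaddress rejects leading zeros, so each octet is normalised first.
    """
    octets = [str(int(o)) for o in ip.strip().split(".")]
    canonical = str(ipaddress.IPv4Address(".".join(octets)))
    return f"http://{canonical}{ERR_PATH}"


def http_fetch(url: str, timeout: float = 3.0) -> Optional[int]:
    """Return the HTTP status code, or None if nothing answered at all."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.getcode()
    except urllib.error.HTTPError as exc:
        return exc.code            # host answered, just not with 200
    except (urllib.error.URLError, OSError):
        return None                # closed port, timeout, or no host


def classify(status: Optional[int]) -> str:
    """Label a status the way the commenter sorted his 37 browser tabs."""
    if status is None:
        return "no-http"
    if status == 200:
        return "serves-err.htm"    # worth inspecting by hand
    return f"http-{status}"        # e.g. a router login page returning 401


def sweep(ips: Iterable[str],
          fetch: Callable[[str], Optional[int]] = http_fetch) -> Dict[str, str]:
    """Map each input address (as given) to its classification."""
    return {ip: classify(fetch(build_url(ip))) for ip in ips}


if __name__ == "__main__":
    # Constructed sample; paste your own IP column here instead.
    sample = ["192.168.000.001", "192.168.000.002", "192.168.000.019"]
    for ip, verdict in sweep(sample).items():
        print(f"{ip:>16}  {verdict}")
```

A host reported as serves-err.htm is only a candidate; compare the page it returns with the one described in the article before drawing conclusions.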
    1. Re:What I did ... by Anonymous Coward · · Score: 0

      You've got heart kid, but seriously run a decent OS. At least lookup nmap or something.

    2. Re:What I did ... by CaptainDork · · Score: 1

      What OS do you recommend?

      --
      It little behooves the best of us to comment on the rest of us.
  19. We have a few of those out there by Anonymous Coward · · Score: 0

    There are quite a few of these out there, but nobody seems to have used them for a while.

    We have 6 jobs with them installed that we're now revisiting and offering to upgrade the DVR.

    The other issue is that since everyone rebrands, nobody ever has upgraded firmware for them