Slashdot Mirror

← Back to Stories (view on slashdot.org)

Over Nine Million Cameras and DVRs Open To APTs, Botnet Herders, and Voyeurs (zdnet.com)

Posted by msmash on from the privacy-woes dept.

Millions of security cameras, DVRs, and NVRs contain vulnerabilities that can allow a remote attacker to take over devices with little effort, security researchers have revealed today. From a report: All vulnerable devices have been manufactured by Hangzhou Xiongmai Technology Co., Ltd. (Xiongmai hereinafter), a Chinese company based in the city of Hangzhou. But end users won't be able to tell that they're using a hackable device because the company doesn't sell any products with its name on them, but ships all equipment as white label products on which other companies put their logo on top. Security researchers from EU-based SEC Consult say they've identified over 100 companies that buy and re-brand Xiongmai devices as their own. All of these devices are vulnerable to easy hacks, researchers say. The source of all vulnerabilities is a feature found in all devices named the "XMEye P2P Cloud." The XMEye P2P Cloud works by creating a tunnel between a customer's device and an XMEye cloud account. Device owners can access this account via their browser or via a mobile app to view device video feeds in real time. SEC Consult researchers say that these XMEye cloud accounts have not been sufficiently protected. For starters, an attacker can guess account IDs because they've been based on devices' sequential physical addresses (MACs). Second, all new XMEye accounts use a default admin username of "admin" with no password.

18 of 34 comments (clear)

  1. Exhibitionist by Oswald+McWeany · · Score: 2, Funny

    As an exhibitionist I regularly dance naked in front of my internet connected cameras. Unfortunately mine aren't on the list provided by ZDNet.

    --
    "That's the way to do it" - Punch
    1. Re:Exhibitionist by Lab+Rat+Jason · · Score: 1

      I know right? I constantly hope someone cares enough... to be watching... please?

      --
      Which has more power: the hammer, or the anvil?
  2. admin user no password by olsmeister · · Score: 1

    These are going to be illegal to sell in California. Ha!

    1. Re:admin user no password by Jane+Q.+Public · · Score: 3, Informative

      Tips on getting a home "security" camera, or other networked devices:

      (1) If you don't know how to set it up yourself, either learn, or get a "supervised" home security system. With all the security holes that entails. Don't try to DIY-it with cheap Chinese stuff.

      (2) If you DO know how to set these things up yourself, then:

      (a) Make sure it will operate over the local network without a remote internet connection.

      (b) If registration of the device over the internet is mandatory, be suspicious. Those in (a) require remote access by the company to work. Not all do. But some registered with a company but don't "require" internet access will "call home" anyway if connected.

      (c) Make sure it will work with generic cam software (such as ONFIV), not just the company's own.

      (d) Set it up on your home network, establish username/password, then set your router to port forward (via a DIFFERENT remote port) to your camera IP/port, set your "generic" software to access the camera just like from home, but using external IP and external port.

      (e) Enjoy

    2. Re:admin user no password by Jane+Q.+Public · · Score: 1

      BIG HINT: This means things like NEST, Alexa, Smart Things, etc. all of which are controlled remotely by someone else are not valid choices. Siri is maybe not as bad but still questionable.

      Wait for local language processing to arrive. It will within about two years. If you insisted on getting that other thing earlier, then switch.

  3. Reveals fundamental issue by SuperKendall · · Score: 1

    Unfortunately mine aren't on the list provided by ZDNet.

    So if can can summarize what you are saying here, the fundamental flaw revealed is that there's no submission page to get added your own cameras added to the list.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  4. Scare words, scary scary scare words by Anonymous Coward · · Score: 1

    But where's the content?

    1. Re:Scare words, scary scary scare words by XXongo · · Score: 1

      But where's the content?

      The content is on the internet, account name "admin," no password.

    2. Re:Scare words, scary scary scare words by grep+-v+'.*'+* · · Score: 1

      account name "admin," no password.

      I know some admins like that.

      "What's THAT?" they say. That's a computer.
      "But where the monitor?" It doesn't have one.
      "(smugly) Then it's not a computer, is it?

      A friend of mine has a picture of a guy praying: Lord, please grant me the ability to stab people over UDP. It's this, but improved. I think he was doing port knocking with attitude.

      --
      If the universe is someone's simulation -- does that mean the stars are just stuck pixels?
  5. come on slashdot! by RhettLivingston · · Score: 4, Funny

    Links to 9 million streams or it didn't happen!

  6. Re:Sigh, China again by ASDFnz · · Score: 1

    Well done.

    I cannot tell if your serious or not.

  7. Re:Blocked at router by BitterOak · · Score: 1

    Bad news. Your router was made in China and rebranded!

    --
    If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
  8. Secret second account? by martinX · · Score: 1

    FTA"there is also a second hidden account with the username and password combo of default/tluafed". That sounds very deliberate.

    --
    When they came for the communists, I said "He's next door. Take him away. Goddam commies."
  9. Lets welcome more camera devices by AHuxley · · Score: 2

    from big ad brands into more rooms.
    We can trust the big ad brands.

    --
    Domestic spying is now "Benign Information Gathering"
  10. FTC should step in by schwit1 · · Score: 1

    The FTC should ask the largest retailers to remove these devices from their stores as an internet health hazard.

  11. What I did ... by CaptainDork · · Score: 1

    ... to test my WiFi connections per the article:
    I run Who's On My Wifi. copied the IP column into Excel.
    Where cell A1 is 192.168.000.001 cell B1 is ="start http://"&A1&"/err.htm"
    For row 2 & 3:
    192.168.000.002 ="start http://"&A2&"/err.htm"
    192.168.000.004 ="start http://"&A3&"/err.htm"
    etc ...
    Then I copied the contents of column B into Notepad and saved as a .bat file to the Desktop:
    --
    start http://192.168.000.019/err.htm
    start http://192.168.000.001/err.htm
    start http://192.168.000.002/err.htm

    exit
    --
    I executed the .bat file and it opened 37 instances of Firefox.
    The only two hits I got were for my R7000 Netgear Router login page (none of the usernames/passwords in TFA worked because I had changed them) and an error page on my Brother printer (did not look like error in TFA).
    The other pages found nothing.

    --
    It little behooves the best of us to comment on the rest of us.
    1. Re:What I did ... by CaptainDork · · Score: 1

      What OS do you recommend?

      --
      It little behooves the best of us to comment on the rest of us.
  12. Re:Sigh, China again by rogoshen1 · · Score: 2

    it's a sino-the-times. =/