Slashdot Mirror

← Back to Stories (view on slashdot.org)

Over Nine Million Cameras and DVRs Open To APTs, Botnet Herders, and Voyeurs (zdnet.com)

Posted by msmash on from the privacy-woes dept.

Millions of security cameras, DVRs, and NVRs contain vulnerabilities that can allow a remote attacker to take over devices with little effort, security researchers have revealed today. From a report: All vulnerable devices have been manufactured by Hangzhou Xiongmai Technology Co., Ltd. (Xiongmai hereinafter), a Chinese company based in the city of Hangzhou. But end users won't be able to tell that they're using a hackable device because the company doesn't sell any products with its name on them, but ships all equipment as white label products on which other companies put their logo on top. Security researchers from EU-based SEC Consult say they've identified over 100 companies that buy and re-brand Xiongmai devices as their own. All of these devices are vulnerable to easy hacks, researchers say. The source of all vulnerabilities is a feature found in all devices named the "XMEye P2P Cloud." The XMEye P2P Cloud works by creating a tunnel between a customer's device and an XMEye cloud account. Device owners can access this account via their browser or via a mobile app to view device video feeds in real time. SEC Consult researchers say that these XMEye cloud accounts have not been sufficiently protected. For starters, an attacker can guess account IDs because they've been based on devices' sequential physical addresses (MACs). Second, all new XMEye accounts use a default admin username of "admin" with no password.

5 of 34 comments (clear)

  1. Exhibitionist by Oswald+McWeany · · Score: 2, Funny

    As an exhibitionist I regularly dance naked in front of my internet connected cameras. Unfortunately mine aren't on the list provided by ZDNet.

    --
    "That's the way to do it" - Punch
  2. come on slashdot! by RhettLivingston · · Score: 4, Funny

    Links to 9 million streams or it didn't happen!

  3. Lets welcome more camera devices by AHuxley · · Score: 2

    from big ad brands into more rooms.
    We can trust the big ad brands.

    --
    Domestic spying is now "Benign Information Gathering"
  4. Re:Sigh, China again by rogoshen1 · · Score: 2

    it's a sino-the-times. =/

  5. Re:admin user no password by Jane+Q.+Public · · Score: 3, Informative

    Tips on getting a home "security" camera, or other networked devices:

    (1) If you don't know how to set it up yourself, either learn, or get a "supervised" home security system. With all the security holes that entails. Don't try to DIY-it with cheap Chinese stuff.

    (2) If you DO know how to set these things up yourself, then:

    (a) Make sure it will operate over the local network without a remote internet connection.

    (b) If registration of the device over the internet is mandatory, be suspicious. Those in (a) require remote access by the company to work. Not all do. But some registered with a company but don't "require" internet access will "call home" anyway if connected.

    (c) Make sure it will work with generic cam software (such as ONFIV), not just the company's own.

    (d) Set it up on your home network, establish username/password, then set your router to port forward (via a DIFFERENT remote port) to your camera IP/port, set your "generic" software to access the camera just like from home, but using external IP and external port.

    (e) Enjoy