Millions of security cameras, DVRs, and NVRs contain vulnerabilities that can allow a remote attacker to take over devices with little effort, security researchers have revealed today.

All vulnerable devices have been manufactured by Hangzhou Xiongmai Technology Co., Ltd. (Xiongmai hereinafter), a Chinese company based in the city of Hangzhou.

But end users won't be able to tell that they're using a hackable device because the company doesn't sell any products with its name on them, but ships all equipment as white label products on which other companies put their own logo.

Security researchers from EU-based SEC Consult say they've identified over 100 companies that buy and re-brand Xiongmai devices as their own.

All of these devices are vulnerable to easy hacks, researchers say. The source of all vulnerabilities is a feature found in all devices named the "XMEye P2P Cloud."

The XMEye P2P Cloud works by creating a tunnel between a customer's device and an XMEye cloud account. Device owners can access this account via their browser or via a mobile app to view device video feeds in real time.

SEC Consult researchers say that these XMEye cloud accounts have not been sufficiently protected. For starters, an attacker can guess account IDs because they've been based on devices' sequential physical addresses (MACs). Second, all new XMEye accounts use a default admin username of "admin" with no password. Third, users aren't prompted to change this default password during the account setup process.

Fourth, even if the user has changed the XMEye admin account password, there is also a second hidden account with the username and password combo of default/tluafed.

Fifth, access to this account allows an attacker to trigger a firmware update.

Researchers say Xiongmai devices' firmware updates are not signed, and an attacker can easily impersonate the XMEye cloud and deliver a malicious firmware version that contains malware.

Researchers argue the vulnerabilities they found can be easily used by voyeurs to take over camera feeds and watch victims in their homes. In some cases, some cameras have a two-way audio intercom, so it's even possible that an attacker may be able to interact with victims as well.

Furthermore, all these devices can be hacked by cyber-espionage groups and be used as entry points inside the networks of targeted organizations, or to relay traffic as part of a technique known as UPnProxy. Cyber-espionage groups, also known as advanced persistent threats (APTs), have been increasingly leveraging routers for their attacks, with the most recent being the VPNFilter botnet, set up by Russia's APT28 group.

Last but not least, all these Xiongmai devices are also the perfect cannon fodder for IoT botnet herders, who can now mass-scan the XMEye P2P Cloud for accounts with default creds and hijack devices with malicious firmware. Xiongmai devices have been abused in the past by IoT botnets, and especially by botnets built with the Mirai malware. For example, half of the devices that were part of the massive Mirai-based DDoS attack on managed DNS provider Dyn, which took out around a quarter of the Internet, were Xiongmai devices.

At the time, Xiongmai came under heavy criticism and promised to recall all vulnerable devices.

But SEC Consult claims in a report published today that the Chinese company hasn't invested in security since patching the vulnerabilities exploited by the Mirai malware in late 2016.

Ever since then, at least four vulnerabilities, some at least one year old, were left unpatched, researchers said.

SEC Consult didn't have much luck when they reported the flaws they found. The company says that despite engaging with both the US and China CERT teams in alerting Xiongmai, the vendor did not patch the flaws they reported back in March this year.

"The conversation with them over the past months has shown that security is just not a priority to them at all," SEC Consult researchers said.

Based on scans performed by researchers, there are at least nine million Xiongmai-based devices sitting around on the Internet.

Because none of these devices feature the Xiongmai name or logo, device owners who'd like to take this equipment offline will have a hard time determining if they use one of these vulnerable devices.
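The article reports that firmware updates on these devices are not signed, so a device cannot tell a genuine update from one delivered by someone impersonating the cloud. The following is an added example, not code from the article, SEC Consult or Xiongmai, of the check a device-side updater would need: a signature from a pinned vendor key, a match between image and signed hash, and a rollback guard. The `Manifest` layout, `VerifyUpdate` and the sample key and image are assumptions constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest is a hypothetical update descriptor; it is not Xiongmai's format.
type Manifest struct {
	Version   uint32            // monotonically increasing firmware version
	ImageHash [sha256.Size]byte // SHA-256 of the firmware image
}

// signedBytes serializes the fields covered by the signature.
func (m Manifest) signedBytes() []byte {
	buf := make([]byte, 4, 4+sha256.Size)
	binary.BigEndian.PutUint32(buf, m.Version)
	return append(buf, m.ImageHash[:]...)
}

// VerifyUpdate accepts an image only if the manifest is signed by the pinned
// vendor key, the image matches the signed hash, and the version is newer.
func VerifyUpdate(vendorKey ed25519.PublicKey, installed uint32, m Manifest, sig, image []byte) error {
	if len(vendorKey) != ed25519.PublicKeySize || !ed25519.Verify(vendorKey, m.signedBytes(), sig) {
		return errors.New("manifest signature invalid")
	}
	if sha256.Sum256(image) != m.ImageHash {
		return errors.New("image does not match signed hash")
	}
	if m.Version <= installed {
		return errors.New("rollback or replay rejected")
	}
	return nil
}

func main() {
	// Constructed sample data: a throwaway key stands in for the vendor's.
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	pub := priv.Public().(ed25519.PublicKey)
	image := []byte("constructed firmware image v7")
	m := Manifest{Version: 7, ImageHash: sha256.Sum256(image)}
	sig := ed25519.Sign(priv, m.signedBytes())
	fmt.Println("genuine:", VerifyUpdate(pub, 6, m, sig, image))
	fmt.Println("tampered:", VerifyUpdate(pub, 6, m, sig, []byte("malicious image")))
	fmt.Println("rollback:", VerifyUpdate(pub, 7, m, sig, image))
}
```

Because the public key is pinned on the device, the check holds even when the update is delivered by a party other than the real cloud service.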