SEC Consult researchers have issued a warning about a handful of critical vulnerabilities they discovered in video surveillance equipment by Chinese manufacturer Hangzhou Xiongmai Technology.
The company only acts as original equipment manufacturer: the IP surveillance cameras, digital video recorders and network video recorders are sold around the world under over 100 different brands.
The discovered vulnerabilities include a default admin password (i.e., no password, and no requirement to set one in the initial setup phase), insecure default credentials for a hardcoded “default” account, multiple unencrypted communication channels, and a failure to check the integrity of firmware updates, which are not signed.
The IDs that allow users to connect to the company’s “XMEye P2P Cloud” and interact with their devices are easily derived from the MAC address of the device, the researchers added, and the connection to the cloud server provider (which is enabled by default) is not encrypted. There is also no information on who runs those servers and where they are located.
And finally, to top it all, they found that the P2P Cloud feature bypasses firewalls and allows remote connections into private networks.
KrebsOnSecurity just posted an excellent commentary with additional details on this mess in the blog article
Naming & Shaming Web Polluters: Xiongmai
Great timing, about to produce a presentation on IoT devices - a great example indeed.
Many thanks
Caute_cautim