Community Champion

Millions of Xiongmai video surveillance devices can be hacked via cloud feature (xmeye p2p cloud)

SEC Consult researchers have issued a warning about a handful of critical vulnerabilities they discovered in video surveillance equipment by Chinese manufacturer Hangzhou Xiongmai Technology.

The company only acts as an original equipment manufacturer: the IP surveillance cameras, digital video recorders and network video recorders are sold around the world under over 100 different brands,

The discovered vulnerabilities include a default admin password (i.e., no password, and no requirement to set one in the initial setup phase), insecure default credentials for a hardcoded "default" account, multiple unencrypted communication channels, and a failure to check the integrity of firmware updates, which are not signed.

The IDs that allow users to connect to the company's "XMEye P2P Cloud" and interact with their devices are easily derived from the MAC address of the device, the researchers added, and the connection to the cloud server provider (which is enabled by default) is not encrypted. There is also no information on who runs those servers or where they are located.

And finally, to top it all off, they found that the P2P Cloud feature bypasses firewalls and allows remote connections into private networks.


2 Replies
Community Champion

Re: Millions of Xiongmai video surveillance devices can be hacked via cloud feature (xmeye p2p cloud)

KrebsOnSecurity just posted an excellent commentary with additional details on this mess in the blog article

Naming & Shaming Web Polluters: Xiongmai


Dr. D. Cragin Shelton, CISSP
Dr.Cragin@iCloud.com
https://CraginS.blogspot.com/
Community Champion

Re: Millions of Xiongmai video surveillance devices can be hacked via cloud feature (xmeye p2p cloud)

Great timing, I'm about to produce a presentation on IoT devices - a great example indeed.

Many thanks


Caute_cautim