SEC Consult researchers have issued a warning about a handful of critical vulnerabilities they discovered in video surveillance equipment by Chinese manufacturer Hangzhou Xiongmai Technology.
About the vulnerabilities
The discovered vulnerabilities include a default admin password (i.e., no password, and no requirement to set one in the initial setup phase), insecure default credentials for a hardcoded “default” account, multiple unencrypted communication channels, and a failure to check the integrity of firmware updates, which are not signed.
The IDs that allow users to connect to the company’s “XMEye P2P Cloud” and interact with their devices are easily derived from the MAC address of the device, the researchers added, and the connection to the cloud server provider (which is enabled by default) is not encrypted. There is also no information on who runs those servers and where they are located.
And finally, to top it all, they found that the P2P Cloud feature bypasses firewalls and allows remote connections into private networks.
Xiongmai-manufactured devices were among those that were conscripted into Mirai IoT botnets in 2016, as they offered high-privileged shell access over TCP ports 23 and 9527 using hard-coded credentials.
Xiongmai eventually fixed those vulnerabilities, the researchers say, but it has yet to fix this latest batch, even though the researchers shared their findings with the company back in March 2018.
With these vulnerabilities unpatched, attackers could find and target exposed devices to perform a wide variety of attacks.
They can spy on users of Xiongmai surveillance products, even listen in on conversations and interact with victims when the devices have a two-way audio intercom. They can “zombify” the devices and make them part of botnets. They can deliver malicious firmware to them. They can gain an initial foothold into a targeted local network.
What to do?
How do you even know if you use a Xiongmai device?
The company acts only as an original equipment manufacturer: its IP surveillance cameras, digital video recorders and network video recorders are sold around the world under more than 100 different brands, including: 9Trading, Abowone, AHWVSE, ANRAN, ASECAM, Autoeye, AZISHN, A-ZONE, BESDER/BESDERSEC, BESSKY, Bestmo, BFMore, BOAVISION, BULWARK, CANAVIS, CWH, DAGRO, datocctv, DEFEWAY, digoo, DiySecurityCameraWorld, DONPHIA, ENKLOV, ESAMACT, ESCAM, EVTEVISION, Fayele, FLOUREON, Funi, GADINAN, GARUNK, HAMROL, HAMROLTE, Highfly, Hiseeu, HISVISION, HMQC, IHOMEGUARD, ISSEUSEE, iTooner, JENNOV, Jooan, Jshida, JUESENWDM, JUFENG, JZTEK, KERUI, KKMOON, KONLEN, Kopda, Lenyes, LESHP, LEVCOECAM, LINGSEE, LOOSAFE, MIEBUL, MISECU, Nextrend, OEM, OLOEY, OUERTECH, QNTSQ, SACAM, SANNCE, SANSCO, SecTec, Shell film, Sifvision / sifsecurityvision, smar, SMTSEC, SSICON, SUNBA, Sunivision, Susikum, TECBOX, Techage, Techege, TianAnXun, TMEZON, TVPSii, Unique Vision, unitoptek, USAFEQLO, VOLDRELI, Westmile, Westshine, Wistino, Witrue, WNK Security Technology, WOFEA, WOSHIJIA, WUSONLUSAN, XIAO MA, XinAnX, xloongx, YiiSPO, YUCHENG, YUNSYE, zclever, zilnk, ZJUXIN, zmodo, and ZRHUNTER.
SEC Consult has described a few ways users can tell if they use Xiongmai-made devices. Those who do are advised to stop using them.
“The company has a bad security track record including its role in Mirai and various other IoT botnets. There are vulnerabilities that have been published in 2017, which are still not fixed in the most recent firmware version. This includes a directory traversal vulnerability and various buffer overflow vulnerabilities (CVE-2017-16725, CVE-2018-10088, complete exploit chain available),” they pointed out.
“There are no workarounds available as the devices are connected via the cloud; the usual recommendations (changing default passwords, strict firewalling and network segmentation) unfortunately do not mitigate the whole range of discovered issues.”
The researchers estimate that there are some 9 million Xiongmai devices in use.
UPDATE: December 23, 2020
Hangzhou Xiongmai Information Technology alerted us that the issues reported in this article have been fixed in the latest firmware.