Unfixed Critical Vulnerability In Millions of XiongMai Devices Disclosed

By Sean Patton, Published Oct 10, 2018, 12:22pm EDT

XiongMai, one of the biggest OEMs alongside Dahua and Hikvision, has suffered a critical vulnerability impacting millions of their devices.

This comes after XiongMai received universal criticism for the lack of device security that enabled the Mirai botnet.

*******, ****** ***** *** Hikvision, *** ********** ******* issue * ******** *** for ********* ***************, ******** has *** **** * months ***** ******, ******* increasing *** ****.

****** **** ****, ** review EU-based*** ********** ********** **** ******** *************, *** ** ** so *********** *** *** this ******* * ****** track ****** *** ********.

Default ********* *** ****** ******** ***** ******** *************

*** ********* ********************* * **.* ******** score******* *** ******* *** result ** ************* ****** to *** ********** ******* through ******* ************* ***********, and ********** ************ "*******" user *******. **** ***** that **** ******* ******* the ******* ************* ********, the ****** *** ***** be ******** ******** ***** the "*******" *******.

*** ******* ** *********** vulnerable ******* ** ***** and *** ******* ****** unsigned ********. *** ****** that ** ******** *** push ********* ******** ******* through *** ***** ***** interface. 

************, *** ******:

********* *** **********************() ***** ***** *** ******* causes *** ****** ** fetch *** ******* *** malicious ********.

**** ********* ****** ** attacker ** ******* ******* onto *** *******’ ***** memory. ****** ** *** Mirai ****, ** cannot ** ******* *** **** ** ********* *** ******.

*** ********* *** ************* (***-****-*****), **** ******* *********** and********** ****** ***** ** concept ******* **** ** GitHub, ******* ********** *** chances ** ** ********.

Who ** ********

********* ** ***'* **********, this ************* ******* ******** of *******, ******* ********'* XMEye ***** *******. ***** Cloud ****** ***** ******* to ****** **** **** NVRs, ******* ** ************ to *****'* *** ***** and *********'* ***-******* ***** services.

*** ********** **** *** vendors ********, ******* ***** label *********.

* ***** **** *** of **** ** *** vendors ********:

Minimum ****** ** ******* ********** ******

***** ********* *** *** commonly **** ** ******* commercial *************, *** **** directly ****** *** ****** of *** ****** *********. However, *** ********** ****** could ** **** ******* within ***** *******.

Botnet ****

**** *****, ** **** with *****, ***** ********** devices *** ***** ****** disruption ** *** **** specific ******* ********* ************* *******.

*** ****** **** ***** devices **** ** *********** and **** ****** ******* is **** ****, ***** the ****** ** ******* and *** *********** ** an ****** ***** *** the ************* ***** ********* on *** ******** ** them.

Extends *** ***** ******

******** *** * ******** track ****** ** ************* issues. ********'* ******** ** publications **** ******** ** the ***** *** *** to********** ***** ******. **** ****** *****, a ******* ******** ** XiongMai ************* *** * **** email **** ******** ****** passwords*** ******** *******.

****, *** ***** **** 2 ********** ********** ******** vulnerabilites **** **** ****** unpatched ** ***** ****** firmware.

Not ****** ** ** **********

***** *** ********* ****** by **** *** ********** to ** ********** *****, proponents ** ******* ************* banned **** ****** *** this ** ******** **** there *** ************* **** a ***** ***** ****** than *****, *** ***** of *** ********** ** the ***.

 

Comments (14)

I thought Hikvision had cornered the bathroom camera market, guess not.

Agree
Disagree
Informative
Unhelpful: 3
Funny: 7

Agree
Disagree
Informative
Unhelpful
Funny: 7

No vulnerability found. Robust feature set found. -China

Agree: 1
Disagree
Informative
Unhelpful
Funny: 5

Night owl uses XM.

Agree
Disagree
Informative
Unhelpful
Funny

“Not Banned By US Government

While the companies affected by this are irrelevant to US Government sales, proponents of Chinese manufacturers banned will surely use this as evidence that there are manufacturers with a worse track record than Hikua, and proof of the unfairness of the ban.”

———————————————————————————————————-

In regards to the last paragraph in the article, wouldn't this be evidence to support a larger, more encompassing ban on China rather than a way to garner support for companies that were arguably unfairly banned?

Agree: 4
Disagree: 1
Informative
Unhelpful
Funny

I guess "millions of devices" didn't qualify for the rightfully just and well thought out ban due to, and I quote, "Cyber Security".

XM = Good Enough for US Military Bases, According to congress

Agree: 1
Disagree: 2
Informative
Unhelpful: 2
Funny

XM = Good Enough for US Military Bases, According to congress

I know you aim to be clever but this is not. XM is simply under the radar because they have no real path to US military bases. Hikvision and Dahua do because they have large local sales teams and big marketing budgets.

Agree
Disagree: 1
Informative
Unhelpful
Funny

Tip to Chinese Manufacturers with poor cyber security record: Sell millions of devices, stay under radar, be non-banned.

Agree: 2
Disagree: 1
Informative
Unhelpful: 2
Funny: 1

Tip to Chinese Manufacturers with poor cyber security record: Sell millions of devices, stay under radar, be non-banned.

Why do that when they could simply find a midwestern distributor to slap a sticker on the outside and to take all of the heat?

Agree: 2
Disagree: 1
Informative
Unhelpful: 1
Funny: 1

I think we just found Honeywell's new OEM provider :)

Agree
Disagree
Informative
Unhelpful
Funny: 1

Interesting...

From: https://www.sec-consult.com/en/blog/2018/10/millions-of-xiongmai-video-surveillance-devices-can-be-hacked-via-cloud-feature-xmeye-p2p-cloud/

Note: The password hash of the “default” user is “OxhlwSG8” (stored in /mtd/Config/Account1). The hash algorithm was reverse engineered before and is implemented on GitHub. Basically, it is a result of MD5(password) and compressed even further. For complex passwords it should be more efficient to find a hash collision than to crack the password. Interestingly, the same hash algorithm is used in products from Dahua Technology. Possibly Xiongmai copied from Dahua or the hash algorithm is part of the Huawei HiSilicon SoC SDK both vendors use?

Not only is the password hash exactly the same as Dahua's, even the path to the password file is almost the same as reported (maybe they forgot '/mnt' before '/mtd'), and indeed the same filename.

Reference

1) https://github.com/mcw0/PoC/blob/master/dahua-telnetd-json.py#L29

2) https://github.com/mcw0/PoC/blob/master/dahua-backdoor-PoC.py#L25

 

The question is, who copied who? Or is it really 'Huawei HiSilicon SoC SDK' ;-)

 

Agree
Disagree
Informative: 3
Unhelpful
Funny
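The comment above describes the stored credential as MD5 of the password "compressed even further" into an 8-character alphanumeric string, and notes that finding a collision can be cheaper than cracking the password. The block below is an added example, not code from the IPVM article, the SEC Consult post or the linked repository: it models a digest of that shape to show why the scheme is weak, namely that the output space is capped at about 47.6 bits whatever the password, that it is unsalted (the same password always yields the same value, so one leaked config file is as good as all of them), and what a defender's baseline looks like in contrast. The byte-pairing compression used here is an illustrative reconstruction of the description, not the vendor's exact mapping, and the sample passwords are constructed.

```python
"""Added example: model of an 8-character base-62 'compressed MD5' credential
hash, as described in the comment above, contrasted with a salted KDF.
The pairing/compression step is an assumption for illustration; the exact
vendor mapping is not on this page."""
import hashlib
import math
import os
from typing import Optional, Tuple

# 62 symbols: 0-9, A-Z, a-z
ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def compressed_md5(password: str) -> str:
    """MD5 the password, then fold each pair of digest bytes into one base-62
    symbol: 16 digest bytes -> 8 characters. No salt, no work factor.
    (Illustrative compression, assumed for this example.)"""
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return "".join(ALPHABET[(digest[i] + digest[i + 1]) % 62] for i in range(0, 16, 2))


def output_space_bits(length: int = 8, symbols: int = len(ALPHABET)) -> float:
    """Entropy ceiling of the stored value: log2(62^8) ~ 47.6 bits.
    A 30-character passphrase is squeezed down to this regardless of its strength."""
    return length * math.log2(symbols)


def birthday_bound(length: int = 8, symbols: int = len(ALPHABET)) -> float:
    """Rough number of random inputs after which an output collision becomes
    likely: sqrt(62^8) = 62^4 ~ 14.8 million trials, which is why the comment
    says a collision is easier to find than the original password."""
    return math.sqrt(symbols ** length)


def is_unsalted(hash_fn, password: str) -> bool:
    """True when the stored value depends only on the password, i.e. two
    devices with the same password store the same hash and a single
    precomputed table covers every leaked config file."""
    return hash_fn(password) == hash_fn(password)


def salted_kdf(password: str, salt: Optional[bytes] = None,
               iterations: int = 600_000) -> Tuple[bytes, bytes]:
    """Defender's baseline for comparison: PBKDF2-HMAC-SHA256 with a random
    16-byte salt and a work factor. 256-bit output, different per device."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    print("compressed digest:", compressed_md5(pw))
    print(f"output space: {output_space_bits():.1f} bits, "
          f"collision after ~{birthday_bound():,.0f} trials")
    print("unsalted:", is_unsalted(compressed_md5, pw))
    salt_a, kdf_a = salted_kdf(pw)
    salt_b, kdf_b = salted_kdf(pw)
    print("salted KDF differs per device:", kdf_a != kdf_b)
```

The two numbers are the whole argument: a password of any length collapses to under 48 bits of stored state, and because nothing device-specific is mixed in, the cost of attacking one leaked `/mtd/Config/Account1` file is the cost of attacking all of them. The KDF half shows what changes when a per-device salt and a work factor are added: 256 bits of output, no cross-device reuse, and each guess paid for at the configured iteration count.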

Bashis, thank you. You provide factual, thought-provoking information with no bias. It's a refreshing break from the tiresome sarcasm plaguing this topic.

Agree: 2
Disagree
Informative
Unhelpful
Funny

Their base development team was a split from Dahua. 8 years ago their GUI looked exactly like Dahua’s.

Agree
Disagree
Informative: 2
Unhelpful
Funny

Thanks, that explains who copied who :)

Agree
Disagree
Informative
Unhelpful
Funny