I thought Hikvision had cornered the bathroom camera market, guess not.
Unfixed Critical Vulnerability In Millions of XiongMai Devices Disclosed
XiongMai, one of the biggest OEMs alongside Dahua and Hikvision, has suffered a critical vulnerability impacting millions of their devices.
This comes after XiongMai received universal criticism for the lack of security resulting in the Mirai botnet.
No vulnerability found. Robust feature set found. -China
Night owl uses XM.
“Not Banned By US Government
While the companies affected by this are irrelevant to US Government sales, proponents of Chinese manufacturers banned will surely use this as evidence that there are manufacturers with a worse track record than Hikua, and proof of the unfairness of the ban.”
———————————————————————————————————-
In regards to the last paragraph in the article, wouldn't this be evidence to support a larger, more encompassing ban on China rather than a way to garner support for companies that were arguably unfairly banned?
I guess "millions of devices" didn't qualify for the rightfully just and well thought out ban due to, and I quote, "Cyber Security".
XM = Good Enough for US Military Bases, According to congress
I know you aim to be clever but this is not. XM is simply under the radar because they have no real path to US military bases. Hikvision and Dahua do because they have large local sales teams and big marketing budgets.
Tip to Chinese Manufacturers with poor cyber security record: Sell millions of devices, stay under radar, be non-banned.
Why do that when they could simply find a midwestern distributor to slap a sticker on the outside and to take all of the heat?
Interesting...
Note: The password hash of the “default” user is “OxhlwSG8” (stored in /mtd/Config/Account1). The hash algorithm was reverse engineered before and is implemented on GitHub. Basically, it is the result of MD5(password) compressed even further. For complex passwords it should be more efficient to find a hash collision than to crack the password. Interestingly, the same hash algorithm is used in products from Dahua Technology. Possibly Xiongmai copied from Dahua, or the hash algorithm is part of the Huawei HiSilicon SoC SDK both vendors use?
Not only is the password hash exactly the same as Dahua's, even the path to the password file is almost the same as reported (maybe they forgot '/mnt' before '/mtd'), and indeed the same filename.
Reference
1) https://github.com/mcw0/PoC/blob/master/dahua-telnetd-json.py#L29
2) https://github.com/mcw0/PoC/blob/master/dahua-backdoor-PoC.py#L25
The question is, who copied who? Or is it really 'Huawei HiSilicon SoC SDK' ;-)
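To make the "MD5 compressed even further" remark concrete, here is an added example (not from the comment author or the linked repositories) that implements the published Dahua/Xiongmai hash compression and measures how much of the 128-bit digest survives. Function names are my own; the algorithm folds each pair of digest bytes into one of 62 alphanumeric symbols, so the stored value carries at most about 47.6 bits regardless of password strength.

```python
import hashlib
import math
import string

# Output alphabet of the device hash: 0-9, A-Z, a-z (62 symbols).
# Index n maps to '0'+n for n<=9, 'A'+(n-10) for 10..35, 'a'+(n-36) above.
ALPHABET = string.digits + string.ascii_uppercase + string.ascii_lowercase


def xm_dahua_hash(password: str) -> str:
    """Compress MD5(password) into the 8-character string stored on the device.

    Each output character comes from one pair of digest bytes:
    (digest[2i] + digest[2i+1]) mod 62, looked up in ALPHABET.
    Eight pairs consume the whole 16-byte MD5 digest.
    """
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return "".join(ALPHABET[(digest[2 * i] + digest[2 * i + 1]) % 62]
                   for i in range(8))


def digest_pairs(password: str) -> list:
    """Return the (byte, byte, index) triples behind each output character,
    which shows why two unrelated passwords collide whenever their
    eight byte-pair sums agree mod 62."""
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return [(digest[2 * i], digest[2 * i + 1],
             (digest[2 * i] + digest[2 * i + 1]) % 62) for i in range(8)]


def stored_hash_space_bits() -> float:
    """Upper bound on stored-hash entropy: log2(62**8), about 47.6 bits,
    versus 128 bits for the MD5 digest it was derived from."""
    return 8 * math.log2(62)


def is_well_formed_stored_hash(value: str) -> bool:
    """Sanity check for a value read from an account config file:
    exactly 8 characters, all from the 62-symbol alphabet."""
    return len(value) == 8 and all(c in ALPHABET for c in value)


if __name__ == "__main__":
    # MD5("") is d41d8cd98f00b204e9800998ecf8427e; folded it yields "tlJwpbo6".
    print(xm_dahua_hash(""), xm_dahua_hash("Xiongmai"))
    print(f"{stored_hash_space_bits():.1f} bits of stored-hash space")
```

The empty-password result is worked through from the well-known MD5("") digest, so it doubles as a self-check of the folding rule; the "OxhlwSG8" value quoted above is well-formed under this scheme but is not reversed here.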
Bashis, thank you. You provide factual, thought-provoking information with no bias. It's a refreshing break from the tiresome sarcasm plaguing this topic.
Their base development team was a split from Dahua. 8 years ago their GUI looked exactly like Dahua’s.