Unfixed Critical Vulnerability In Millions of XiongMai Devices Disclosed

Author: Sean Patton, Published on Oct 10, 2018

XiongMai, one of the biggest OEMs alongside Dahua and Hikvision, has suffered a critical vulnerability impacting millions of their devices.

This comes after XiongMai received universal criticism for the lack of security resulting in the Mirai botnet.

*******, ****** ***** *** *********, *** ********** ******* ***** * firmware *** *** ********* ***************, ******** *** *** **** * months ***** ******, ******* ********** *** ****.

****** **** ****, ** ****** **-******** ******************** **** ******** *************, *** ** ** ** *********** *** *** **** ******* a ****** ***** ****** *** ********.

Default ********* *** ****** ******** ***** ******** *************

*** ********* ********************* * **.* ******** ************ *** ******* *** ****** ** ************* ****** ** *** vulnerable ******* ******* ******* ************* ***********, *** ********** ************ "*******" user *******. **** ***** **** **** ******* ******* *** ******* administrator ********, *** ****** *** ***** ** ******** ******** ***** the "*******" *******.

*** ******* ** *********** ********** ******* ** ***** *** *** devices ****** ******** ********. *** ****** **** ** ******** *** push ********* ******** ******* ******* *** ***** ***** *********.

************, *** ******:

********* *************************()***** ***** *** ******* ****** *** ****** ** ***** *** install *** ********* ********.

**** ********* ****** ** ******** ** ******* ******* **** *** devices’ ***** ******. ****** ** *** ***** ****, **cannot ** ******* *** **** ** ********* *** ******.

*** ********* *** ************* (***-****-*****), **** ******* *********** ************* ****** ***** ** ******* ******* **** ** ******, ******* ********** *** ******* ** ** ********.

Who ** ********

********* ** ***'* **********, **** ************* ******* ******** ** *******, through ********'* ***** ***** *******. ***** ***** ****** ***** ******* to ****** **** **** ****, ******* ** ************ ** *****'* P2P ***** *** *********'* ***-******* ***** ********.

*** ********** **** *** ******* ********, ******* ***** ***** *********.

* ***** **** *** ** **** ** *** ******* ********:

Minimum ****** ** ******* ********** ******

***** ********* *** *** ******** **** ** ******* ********** *************, and **** ******** ****** *** ****** ** *** ****** *********. However, *** ********** ****** ***** ** **** ******* ****** ***** markets.

Botnet ****

**** *****, ** **** **** *****, ***** ********** ******* *** cause ****** ********** ** *** **** ******** ******* ********* ************* *******.

*** ****** **** ***** ******* **** ** *********** *** **** within ******* ** **** ****, ***** *** ****** ** ******* and *** *********** ** ** ****** ***** *** *** ************* being ********* ** *** ******** ** ****.

Extends *** ***** ******

******** *** * ******** ***** ****** ** ************* ******. ********'* response ** ************ **** ******** ** *** ***** *** *** to********** ***** ******. **** ****** *****, * ******* ******** ** ******** ************* *** * **** ***** **** ******** ****** ************ ******** *******.

****, *** ***** **** * ********** ********** ******** ************** **** 2017 ****** ********* ** ***** ****** ********.

Not ****** ** ** **********

***** *** ********* ****** ** **** *** ********** ** ** Government *****, ********** ** ******* ************* ****** **** ****** *** this ** ******** **** ***** *** ************* **** * ***** track ****** **** *****, *** ***** ** *** ********** ** the ***.

Comments (14)

* ******* ********* *** ******** *** ******** ****** ******, ***** not.

** ************* *****. ****** ******* *** *****. -*****

***** *** **** **.

“Not ****** ** ** **********

***** *** ********* ****** ** **** *** ********** ** ** Government *****, ********** ** ******* ************* ****** **** ****** *** this ** ******** **** ***** *** ************* **** * ***** track ****** **** *****, *** ***** ** *** ********** ** the ***.”

———————————————————————————————————-

** ******* ** *** **** ********* ** *** *******, ******* this ** ******** ** ******* * ****** **** ************ *** on ***** ****** **** * *** ** ****** ******* *** companies **** **** ******** ******** ******?

* ***** "******** ** *******" ***** ******* *** *** ********** just *** **** ******* *** *** *** **, *** * quote "***** ********"

** = **** ****** *** ** ******** *****, ********* ** congress


* **** ****** ** ** ********* **** ** ***. ** ** ****** ***** *** ***** because **** **** ** **** **** ** ** ******** *****. Hikvision *** ***** ** ******* **** **** ***** ***** ***** teams *** *** ********* *******.

*** ** ******* ************* **** **** ***** ******** ******: **** millions ** *******, **** ***** *****, ** ***-******.


*** ** **** **** **** ***** ****** **** * ********** distributor ** **** * ******* ** *** ******* *** ** take *** ** *** ****?

* ***** ** **** ***** *********'* *** *** ******** :)

***********...

****:*****://***.***-*******.***/**/****/****/**/********-**-********-*****-************-*******-***-**-******-***-*****-*******-*****-***-*****/

****: *** ******** **** ** *** “*******” **** ** “********” (stored ** /***/******/********). The hash algorithm was reverse engineered before and is implemented on ******. Basically, ** ** * ****** ** . For complex passwords it should be more efficient to find a hash collision than to crack the password. Interestingly, the same hash algorithm is used in products from Dahua Technology. Possibly ******** ****** **** ***** ** *** **** ********* ** **** ** *** ****** ********* *** *** **** ******* ***?

*** **** *** ******** **** ** ******* *** **** ** Dahua, **** *** **** ** *** ******** **** ** ****** the **** ** ******** (***** **** ****** '/***' ****** '/***') and ****** **** ********.

*********

*)*****://******.***/****/***/****/******/*****-*******-****.**#***

*)*****://******.***/****/***/****/******/*****-********-***.**#***

*** ******** **, *** ****** ***? ** ** ** ****** 'Huawei ********* *** ***' ;-)

******, ***** ***. *** ******* *******, ******* ********* *********** **** no ****. *** * ********** ***** **** *** ******** ******* plaguing **** *****.

***** **** *********** **** *** * ***** **** *****. * years *** ***** *** ****** ******* **** *****’*.

******, **** ******** *** ****** *** :)
