For DVR's work locally means the LAN, not the just the console?
XiongMai Master Password List Emailed By Chinese Spammer
Published Dec 05, 2016 18:36 PM
XiongMai created an international uproar as their devices drove massive botnet attacks of major Internet sites.
After pledging to recall cameras after the attack, and then threatening to sue those who criticized them, XiongMai is back.
A Chinese reseller of XiongMai equipment sent us a spam email that contains master passwords for XiongMai devices.
They consider this list a benefit for dealers, enabling faster and easier customer support, while overlooking the security risks it creates.
"Helpful" ********
* ***** ********, **********, ******* **. ****** **** ***** low ****** ** *** ** *** business (*** ******* ******), **** ******** a "***** ******** ****" *** ** (XiongMai) ********:
*** ********* ***** ** * ****** from *********** ****, ***** *** *** ***-******** ****** password *** **** *** ** ****.
Super ******** ***** ***** ****
*** "***** ********" ******** ***** ****** to *** ****** **** ****, ********* to **********. *** *********, *** ******** can ** ******* ******** *** *** standard **, *** *** ******* ** additional ******* ******* ** ******** ** send *** ********/***** ********. ** ****** case, *** *** ****** ** * device **** *** ***** ******** *******, allowing *** * *** ***** ******** to ** ***.
But ***** *** *** ******
***** ********* *** **** *** *** device ****** *** **** *** ****** on ******* *** ****** ******** *********** like ****** ****** ** *** *******.
Compared ** ********* ****** *********
********* ******** ********* * ****** ******** ** gain ****** ** * ****** **** a ********* ***** ********, ******* *** Hikvision *** **** **** ** **** the ****** ****** ** *** ******. By ********* *** ****** ****** ** part ** *** *********** ***** ** no ****** **** ** "****** *********" for *********, ******** *** ******* ** easy ********. ********* *** **** ***** a ****-***** ******** *****, ******** ***** ** ***** ******** questions **** *** ****** ** *******/***** a ********* ********.
Vulnerability ********
***** **** ****** **** ***** **** to ******** ***** *** ***** ********, this ************* ***** ***** ** * significant vulnerability ** *****. ** ******** *** gains ****** ** *** *** *** an ******** **, ****** ******* ******, or ***** ****** ********* ** *** as * ******* ***** *** ****** access ***** ******* ***** ********* ** get ***** ****** ** ******* ** recorders, ******* ** *** ********* *** additional ********, ** **** ********* ***** in ********* *********.
Sign ** *** ******?
** **** ** *********** **** **** reseller ***** ** ******* ***** ***********, instead ** *** ******, ** ***** email. **** ***** ** * **** that **** ***-****** ******* ********* *** finding ** ********* ** *** *** more *********** ** *******, *** *** have ** ****** ** ***** ******* to ******* *** ********.
Comments (9)
U
Undisclosed #1
Dec 05, 2016Brian Karas
Dec 05, 2016
Blake Murphy
Dec 05, 2016So many dots connected with this article.
I await future "promotional" emails
UI
Undisclosed Integrator #2
Dec 06, 2016They'll soon promote Analog HD as being more secure than IP. only 1 password to worrry about!!!!
UM
Undisclosed Manufacturer #3
Dec 06, 2016Interesting looking through the passwords... There are a lot of repeated sequences throughout the year at the end of the code. I think their code is pretty weak.
Paul Curran
Dec 06, 2016I got the same email. Really odd. Questions..
1). Why would you have this backdoor in 2016?
2). Why would you email it when XiongMai are clearly up for a fight.
U
Undisclosed #1
Dec 10, 20162). Why would you email it...
They fell for the SMTP honeypot address:
super-hard-coded-credential-sweepstakes@ipvm.com
UD
Undisclosed Distributor #4
Dec 10, 2016Nothing new ,Hikvision's secure code generator based on serial number and date has been on the web for many years! I don't consider it an issue as you need to be on site in order to clear the password.
Just look at your broadband routers, they have a factory reset button , a one-touch wifi connection, one password for all and remote access. I haven't seen much negative publicity on that subject and there are more routers than CCTV system around the world.
Xionmai used to use telnet ( local ) but decided on one password per day just like Dahua did. Dahua has now revised the " one password " facility. Hikvision also used to have Telnet.
UI
Undisclosed Integrator #5
Dec 10, 2016I think the difference is you can access any device via the daily master password remotely across the lan without physical access. The hikvision system is also insecure as their tool lists the serial across the lan without requiring physical access, I know I have done it in takeovers. However a router reset has to be done via a local button.
If you using the master password list and as the list is short only 365 guesses so local lan malware could easily repeatedly try passwords or even users. Even if the date was wrong on the device it's not going to take long to crack. Agreed there are easier targets but is it confirmed if there is no remote wan access to this issue?