XiongMai Master Password List Emailed By Chinese Spammer

Author: Brian Karas, Published on Dec 05, 2016

XiongMai created an international uproar as their devices drove massive botnet attacks of major Internet sites.

After pledging to recall cameras after the attack, and then threatening to sue those who criticized them, XiongMai is back.

A Chinese reseller of XiongMai equipment sent us a spam email that contains master passwords for XiongMai devices.

They consider this list a benefit for dealers, enabling faster and easier customer support, while overlooking the security risks it creates.

******** ******* ** ************* ****** ** ***** ******* ***** ******* botnet ******* ** ***** ******** *****.

***** ******** ** ****** ******* ***** *** ******, *** *************** ** *** ***** *** ********** ****, ******** ** ****.

* ******* ******** ** ******** ********* **** ** * **** email **** ******** ****** ********* *** ******** *******.

**** ******** **** **** * ******* *** *******, ******** ****** and ****** ******** *******, ***** *********** *** ******** ***** ** creates.

[***************]

"Helpful" ********

* ***** ********,**********, ******* **. ****** **** ***** *** ****** ** *** to *** ******** (*** ******* ******), **** ******** * "***** Password ****" *** ** (********) ********:

*** ********* ***** ** * ****** **** *********** ****, ***** *** *** ***-******** ****** ******** *** **** *** of ****.

Super ******** ***** ***** ****

*** "***** ********" ******** ***** ****** ** *** ****** **** used, ********* ** **********. *** *********, *** ******** *** ** entered ******** *** *** ******** **, *** *** ******* ** additional ******* ******* ** ******** ** **** *** ********/***** ********. In ****** ****, *** *** ****** ** * ****** **** the ***** ******** *******, ******** *** * *** ***** ******** to ** ***.

But ***** *** *** ******

***** ********* *** **** *** *** ****** ****** *** **** not ****** ** ******* *** ****** ******** *********** **** ****** number ** *** *******.

Compared ** ********* ****** *********

********* ******** ********* * ****** ******** ** **** ****** ** a ****** **** * ********* ***** ********, ******* *** ********* you **** **** ** **** *** ****** ****** ** *** device. ** ********* *** ****** ****** ** **** ** *** calculation ***** ** ** ****** **** ** "****** *********" *** Hikvision, ******** *** ******* ** **** ********. ********* *** **** added *****-***** ******** *****, ******** ***** ** ***** ******** ********* **** *** ****** to *******/***** * ********* ********.

Vulnerability ********

***** **** ****** **** ***** **** ** ******** ***** *** admin ********, **** ************* ***** ***** ** * *********** ************* to *****. ** ******** *** ***** ****** ** *** *** via ** ******** **, ****** ******* ******, ** ***** ****** comprised ** *** ** * ******* ***** *** ****** ****** could ******* ***** ********* ** *** ***** ****** ** ******* or *********, ******* ** *** ********* *** ********** ********, ** just ********* ***** ** ********* *********.

Sign ** *** ******?

** **** ** *********** **** **** ******** ***** ** ******* their ***********, ******* ** *** ******, ** ***** *****. **** could ** * **** **** **** ***-****** ******* ********* *** finding ** ********* ** *** *** **** *********** ** *******, and *** **** ** ****** ** ***** ******* ** ******* new ********.

Comments (9)

Undisclosed #1

12/05/16 07:00pm

For DVR's work locally means the LAN, not the just the console?

Avatar

Brian Karas

IPVM | In reply to Undisclosed #1 | 12/05/16 07:10pm

Based on my conversations with them, yes, that is my understanding.

Avatar

Blake Murphy

12/05/16 11:21pm

So many dots connected with this article.
I await future "promotional" emails

Undisclosed Integrator #2

12/06/16 12:19am

They'll soon promote Analog HD as being more secure than IP. only 1 password to worrry about!!!!

Undisclosed Manufacturer #3

12/06/16 02:46am

Interesting looking through the passwords... There are a lot of repeated sequences throughout the year at the end of the code. I think their code is pretty weak.

Avatar

Paul Curran

12/06/16 12:30pm

I got the same email. Really odd. Questions..

1). Why would you have this backdoor in 2016?

2). Why would you email it when XiongMai are clearly up for a fight.

Undisclosed #1

In reply to Paul Curran | 12/10/16 08:41pm

2). Why would you email it...

They fell for the SMTP honeypot address:

super-hard-coded-credential-sweepstakes@ipvm.com

Undisclosed Distributor #4

12/10/16 07:01pm

Nothing new ,Hikvision's secure code generator based on serial number and date has been on the web for many years! I don't consider it an issue as you need to be on site in order to clear the password.

Just look at your broadband routers, they have a factory reset button , a one-touch wifi connection, one password for all and remote access. I haven't seen much negative publicity on that subject and there are more routers than CCTV system around the world.

Xionmai used to use telnet ( local ) but decided on one password per day just like Dahua did. Dahua has now revised the " one password " facility. Hikvision also used to have Telnet.

Undisclosed Integrator #5

In reply to Undisclosed Distributor #4 | 12/10/16 08:23pm

I think the difference is you can access any device via the daily master password remotely across the lan without physical access. The hikvision system is also insecure as their tool lists the serial across the lan without requiring physical access, I know I have done it in takeovers. However a router reset has to be done via a local button.

If you using the master password list and as the list is short only 365 guesses so local lan malware could easily repeatedly try passwords or even users. Even if the date was wrong on the device it's not going to take long to crack. Agreed there are easier targets but is it confirmed if there is no remote wan access to this issue?

Login to read this IPVM report.
Why do I need to log in?
IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

Related Reports

19 Facial Recognition Providers Profiled on Apr 23, 2019
IPVM interviewed 19 facial recognition providers at ISC West to understand their claimed accuracy, success and positioning. 9 from China, where...
Locking Down Network Connections Guide on Apr 23, 2019
Accidents and inside attacks are risks when network connections are not locked down. Security and video surveillance systems should be protected...
Hikvision Admits USA Sales Falling on Apr 22, 2019
Hikvision, in a new Chinese financial filing, has admitted that its USA sales are now falling. Less than a year after the US government passed a...
Spring 2019 IP Networking Course- Register Now on Apr 04, 2019
Register now for the Spring 2019 IP Networking course here. Just $299 for the course. This is the only networking course designed specifically...
Hikvision Conducts Military Training For New Employees on Apr 04, 2019
Hikvision's new employees recently completed a boot camp where they wore Chinese army uniforms and were trained by former army personnel, as shown...
How China's Pay By Facial Recognition Works on Apr 02, 2019
Many social media posts have variously celebrated or warned about the growing use of facial recognition for payments in China. An example of one...
Avigilon USA Factory Visit Report on Apr 01, 2019
In a building that looks more like corporate offices than a 'factory' and just down the road from suburban housing developments is Avigilon's USA...
Dahua Favorability Results 2019 on Apr 01, 2019
Dahua favorability declined, in IPVM's 2019 integrator favorability series, driven by their backdoors, resulting in mass hacking and US government...
Goldman and Fidelity Funds Sell Off Hikvision, Dahua Stock Over Xinjiang on Mar 29, 2019
Major US funds run by financial giants such as Fidelity and Goldman Sachs have sold their equity stakes in Hikvision and Dahua "as scrutiny...
9 UK MPs Call Out Hikvision Over Human Rights Violations on Mar 26, 2019
A group of nine MPs in the UK has released a letter calling out Hikvision for its surveillance deals in Xinjiang and Tibet, alleging Hikvision...

Most Recent Industry Reports

Verkada Salesman: IPVM "Stuck In A The Stone Age" on Apr 25, 2019
Verkada is 'tackling dinosaurs' and battling those, like IPVM, who are 'stuck in a the stone age'. Verkada's recent sales recruiting promotion...
The HIVIDEO $31 Face Detection DVR Tested on Apr 25, 2019
Face detection in a $31 DVR? That is what "HIVIDEO" (not to be confused with Hikvision, even if the company intends to do that) was promoting at...
Amazon Marketing Pro Installs of Amazon Security Systems on Apr 25, 2019
Is Amazon a threat to conventional providers like ADT, Vivint and Brinks Home Security? Many say no. Now, Amazon is advertising free in-home...
Ex-Integrator Now Growth Strategist Interviewed on Apr 24, 2019
For more than a decade, Scot MacTaggart was a security integrator (at PA-based PSX). In late 2018, he left the industry. He is now a Growth...
19 Facial Recognition Providers Profiled on Apr 23, 2019
IPVM interviewed 19 facial recognition providers at ISC West to understand their claimed accuracy, success and positioning. 9 from China, where...
Locking Down Network Connections Guide on Apr 23, 2019
Accidents and inside attacks are risks when network connections are not locked down. Security and video surveillance systems should be protected...
Hikvision Admits USA Sales Falling on Apr 22, 2019
Hikvision, in a new Chinese financial filing, has admitted that its USA sales are now falling. Less than a year after the US government passed a...
Speco Ultra Intensifier Tested on Apr 22, 2019
While ISC West 2019 named Speco's Ultra Intensifier the best new "Video Surveillance Cameras IP", IPVM testing shows the camera suffers from...
Arecont Favorability Results 2019 on Apr 22, 2019
Arecont's net negativity remained the same in IPVM's 2019 integrator study, though integrator's feeling became relatively more neutral compared to...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact