XiongMai Master Password List Emailed By Chinese Spammer

By Brian Karas, Published Dec 05, 2016, 01:36pm EST

XiongMai created an international uproar as their devices drove massive botnet attacks of major Internet sites.

After pledging to recall cameras after the attack, and then threatening to sue those who criticized them, XiongMai is back.

A Chinese reseller of XiongMai equipment sent us a spam email that contains master passwords for XiongMai devices.

They consider this list a benefit for dealers, enabling faster and easier customer support, while overlooking the security risks it creates.

"Helpful" ********

* ***** ********, **********, ******* **. ****** than ***** *** ****** as *** ** *** business (*** ******* ******), they ******** * "***** Password ****" *** ** (XiongMai) ********:

*** ********* ***** ** a ****** **** *********** ****, ***** *** *** pre-computed ****** ******** *** each *** ** ****.

Super ******** ***** ***** ****

*** "***** ********" ******** local ****** ** *** device **** ****, ********* to **********. *** *********, the ******** *** ** entered ******** *** *** standard **, *** *** cameras ** ********** ******* utility ** ******** ** send *** ********/***** ********. In ****** ****, *** end ****** ** * device **** *** ***** password *******, ******** *** a *** ***** ******** to ** ***.

But ***** *** *** ******

***** ********* *** **** for *** ****** ****** and **** *** ****** on ******* *** ****** specific *********** **** ****** number ** *** *******.

Compared ** ********* ****** *********

********* ******** ********* * ****** password ** **** ****** to * ****** **** a ********* ***** ********, however *** ********* *** also **** ** **** the ****** ****** ** the ******. ** ********* the ****** ****** ** part ** *** *********** there ** ** ****** list ** "****** *********" for *********, ******** *** chances ** **** ********. Hikvision *** **** ***** ****-***** ******** *****, ******** ***** ** enter ******** ********* **** can ****** ** *******/***** a ********* ********.

Vulnerability ********

***** **** ****** **** being **** ** ******** reset *** ***** ********, this ************* ***** ***** up * *********** ************* ** users. ** ******** *** gains ****** ** *** LAN *** ** ******** PC, ****** ******* ******, or ***** ****** ********* to *** ** * reverse ***** *** ****** access ***** ******* ***** passwords ** *** ***** access ** ******* ** recorders, ******* ** *** potential *** ********** ********, or **** ********* ***** in ********* *********.

Sign ** *** ******?

** **** ** *********** that **** ******** ***** to ******* ***** ***********, instead ** *** ******, in ***** *****. **** could ** * **** that **** ***-****** ******* resellers *** ******* ** difficult ** *** *** more *********** ** *******, and *** **** ** resort ** ***** ******* to ******* *** ********. 

Comments (9)

Undisclosed #1

IPVMU Certified | 12/05/16 10:30pm

For DVR's work locally means the LAN, not the just the console?

Avatar

Brian Karas

IPVM | In reply to Undisclosed #1 | 12/05/16 10:40pm

Based on my conversations with them, yes, that is my understanding.

Avatar

Blake Murphy

12/06/16 02:51am

So many dots connected with this article.
I await future "promotional" emails

Undisclosed Integrator #2

12/06/16 03:49am

They'll soon promote Analog HD as being more secure than IP. only 1 password to worrry about!!!!

Undisclosed Manufacturer #3

12/06/16 06:16am

Interesting looking through the passwords... There are a lot of repeated sequences throughout the year at the end of the code. I think their code is pretty weak.

Avatar

Paul Curran

12/06/16 04:00pm

I got the same email. Really odd. Questions..

1). Why would you have this backdoor in 2016?

2). Why would you email it when XiongMai are clearly up for a fight.

Undisclosed #1

IPVMU Certified | In reply to Paul Curran | 12/11/16 12:11am

2). Why would you email it...

They fell for the SMTP honeypot address:

super-hard-coded-credential-sweepstakes@ipvm.com

Undisclosed Distributor #4

12/10/16 10:31pm

Nothing new ,Hikvision's secure code generator based on serial number and date has been on the web for many years! I don't consider it an issue as you need to be on site in order to clear the password.

Just look at your broadband routers, they have a factory reset button , a one-touch wifi connection, one password for all and remote access. I haven't seen much negative publicity on that subject and there are more routers than CCTV system around the world.

Xionmai used to use telnet ( local ) but decided on one password per day just like Dahua did. Dahua has now revised the " one password " facility. Hikvision also used to have Telnet.

Undisclosed Integrator #5

In reply to Undisclosed Distributor #4 | 12/10/16 11:53pm

I think the difference is you can access any device via the daily master password remotely across the lan without physical access. The hikvision system is also insecure as their tool lists the serial across the lan without requiring physical access, I know I have done it in takeovers. However a router reset has to be done via a local button.

If you using the master password list and as the list is short only 365 guesses so local lan malware could easily repeatedly try passwords or even users. Even if the date was wrong on the device it's not going to take long to crack. Agreed there are easier targets but is it confirmed if there is no remote wan access to this issue?

Read this IPVM report for free.

This article is part of IPVM's 6,817 reports, 914 tests and is only available to members. To get a one-time preview of our work, enter your work email to access the full article.

Already a member? Login here | Join now
Loading Related Reports