XiongMai Master Password List Emailed By Chinese Spammer

By Brian Karas, Published Dec 05, 2016, 01:36pm EST (Info+)

XiongMai created an international uproar as their devices drove massive botnet attacks of major Internet sites.

After pledging to recall cameras after the attack, and then threatening to sue those who criticized them, XiongMai is back.

A Chinese reseller of XiongMai equipment sent us a spam email that contains master passwords for XiongMai devices.

They consider this list a benefit for dealers, enabling faster and easier customer support, while overlooking the security risks it creates.

"Helpful" ********

* ***** ********, **********, ******* **. ****** **** ***** low ****** ** *** ** *** business (*** ******* ******), **** ******** a "***** ******** ****" *** ** (XiongMai) ********:

*** ********* ***** ** * ****** from *********** ****, ***** *** *** ***-******** ****** password *** **** *** ** ****.

Super ******** ***** ***** ****

*** "***** ********" ******** ***** ****** to *** ****** **** ****, ********* to **********. *** *********, *** ******** can ** ******* ******** *** *** standard **, *** *** ******* ** additional ******* ******* ** ******** ** send *** ********/***** ********. ** ****** case, *** *** ****** ** * device **** *** ***** ******** *******, allowing *** * *** ***** ******** to ** ***.

But ***** *** *** ******

***** ********* *** **** *** *** device ****** *** **** *** ****** on ******* *** ****** ******** *********** like ****** ****** ** *** *******.

Compared ** ********* ****** *********

********* ******** ********* * ****** ******** ** gain ****** ** * ****** **** a ********* ***** ********, ******* *** Hikvision *** **** **** ** **** the ****** ****** ** *** ******. By ********* *** ****** ****** ** part ** *** *********** ***** ** no ****** **** ** "****** *********" for *********, ******** *** ******* ** easy ********. ********* *** **** ***** ****-***** ******** *****, ******** ***** ** ***** ******** questions **** *** ****** ** *******/***** a ********* ********.

Vulnerability ********

***** **** ****** **** ***** **** to ******** ***** *** ***** ********, this ************* ***** ***** ** * significant vulnerability ** *****. ** ******** *** gains ****** ** *** *** *** an ******** **, ****** ******* ******, or ***** ****** ********* ** *** as * ******* ***** *** ****** access ***** ******* ***** ********* ** get ***** ****** ** ******* ** recorders, ******* ** *** ********* *** additional ********, ** **** ********* ***** in ********* *********.

Sign ** *** ******?

** **** ** *********** **** **** reseller ***** ** ******* ***** ***********, instead ** *** ******, ** ***** email. **** ***** ** * **** that **** ***-****** ******* ********* *** finding ** ********* ** *** *** more *********** ** *******, *** *** have ** ****** ** ***** ******* to ******* *** ********. 

Comments (9)

Undisclosed #1

IPVMU Certified | 12/05/16 07:00pm

For DVR's work locally means the LAN, not the just the console?

Agree
Disagree
Informative
Unhelpful
Funny
Avatar

Brian Karas

IPVM | In reply to Undisclosed #1 | 12/05/16 07:10pm

Based on my conversations with them, yes, that is my understanding.

Agree
Disagree
Informative
Unhelpful
Funny
Avatar

Blake Murphy

12/05/16 11:21pm

So many dots connected with this article.
I await future "promotional" emails

Agree
Disagree
Informative
Unhelpful
Funny

Undisclosed Integrator #2

12/06/16 12:19am

They'll soon promote Analog HD as being more secure than IP. only 1 password to worrry about!!!!

Agree: 2
Disagree
Informative
Unhelpful
Funny

Undisclosed Manufacturer #3

12/06/16 02:46am

Interesting looking through the passwords... There are a lot of repeated sequences throughout the year at the end of the code. I think their code is pretty weak.

Agree: 1
Disagree
Informative
Unhelpful
Funny
Avatar

Paul Curran

12/06/16 12:30pm

I got the same email. Really odd. Questions..

1). Why would you have this backdoor in 2016?

2). Why would you email it when XiongMai are clearly up for a fight.

Agree: 2
Disagree
Informative
Unhelpful
Funny

Undisclosed #1

IPVMU Certified | In reply to Paul Curran | 12/10/16 08:41pm

2). Why would you email it...

They fell for the SMTP honeypot address:

super-hard-coded-credential-sweepstakes@ipvm.com

Agree
Disagree
Informative
Unhelpful
Funny

Undisclosed Distributor #4

12/10/16 07:01pm

Nothing new ,Hikvision's secure code generator based on serial number and date has been on the web for many years! I don't consider it an issue as you need to be on site in order to clear the password.

Just look at your broadband routers, they have a factory reset button , a one-touch wifi connection, one password for all and remote access. I haven't seen much negative publicity on that subject and there are more routers than CCTV system around the world.

Xionmai used to use telnet ( local ) but decided on one password per day just like Dahua did. Dahua has now revised the " one password " facility. Hikvision also used to have Telnet.

Agree: 1
Disagree
Informative
Unhelpful
Funny

Undisclosed Integrator #5

In reply to Undisclosed Distributor #4 | 12/10/16 08:23pm

I think the difference is you can access any device via the daily master password remotely across the lan without physical access. The hikvision system is also insecure as their tool lists the serial across the lan without requiring physical access, I know I have done it in takeovers. However a router reset has to be done via a local button.

If you using the master password list and as the list is short only 365 guesses so local lan malware could easily repeatedly try passwords or even users. Even if the date was wrong on the device it's not going to take long to crack. Agreed there are easier targets but is it confirmed if there is no remote wan access to this issue?

Agree
Disagree
Informative
Unhelpful
Funny
Login to read this IPVM report.
Why do I need to log in?
IPVM conducts reporting, tutorials and software funded by subscriber's payments enabling us to offer the most independent, accurate and in-depth information.
Loading Related Reports