XiongMai Master Password List Emailed By Chinese Spammer

By: Brian Karas, Published on Dec 05, 2016

XiongMai created an international uproar as their devices drove massive botnet attacks of major Internet sites.

After pledging to recall cameras after the attack, and then threatening to sue those who criticized them, XiongMai is back.

A Chinese reseller of XiongMai equipment sent us a spam email that contains master passwords for XiongMai devices.

They consider this list a benefit for dealers, enabling faster and easier customer support, while overlooking the security risks it creates.

******** ******* ** ************* uproar ** ***** ******* drove ******* ****** ******* of ***** ******** *****.

***** ******** ** ****** ******* after *** ******, *** then*********** ** *** ***** who ********** ****, ******** ** ****.

* ******* ******** ** XiongMai ********* **** ** * spam email **** ******** ****** passwords *** ******** *******.

**** ******** **** **** a ******* *** *******, enabling ****** *** ****** customer *******, ***** *********** the ******** ***** ** creates.

[***************]

"Helpful" ********

* ***** ********, **********, ******* **. ****** than ***** *** ****** as *** ** *** business (*** ******* ******), they ******** * "***** Password ****" *** ** (XiongMai) ********:

*** ********* ***** ** a ****** **** *********** ****, ***** *** *** pre-computed ****** ******** *** each *** ** ****.

Super ******** ***** ***** ****

*** "***** ********" ******** local ****** ** *** device **** ****, ********* to **********. *** *********, the ******** *** ** entered ******** *** *** standard **, *** *** cameras ** ********** ******* utility ** ******** ** send *** ********/***** ********. In ****** ****, *** end ****** ** * device **** *** ***** password *******, ******** *** a *** ***** ******** to ** ***.

But ***** *** *** ******

***** ********* *** **** for *** ****** ****** and **** *** ****** on ******* *** ****** specific *********** **** ****** number ** *** *******.

Compared ** ********* ****** *********

********* ******** ********* * ****** password ** **** ****** to * ****** **** a ********* ***** ********, however *** ********* *** also **** ** **** the ****** ****** ** the ******. ** ********* the ****** ****** ** part ** *** *********** there ** ** ****** list ** "****** *********" for *********, ******** *** chances ** **** ********. Hikvision *** **** ***** ****-***** ******** *****, ******** ***** ** enter ******** ********* **** can ****** ** *******/***** a ********* ********.

Vulnerability ********

***** **** ****** **** being **** ** ******** reset *** ***** ********, this ************* ***** ***** up * *********** ************* ** users. ** ******** *** gains ****** ** *** LAN *** ** ******** PC, ****** ******* ******, or ***** ****** ********* to *** ** * reverse ***** *** ****** access ***** ******* ***** passwords ** *** ***** access ** ******* ** recorders, ******* ** *** potential *** ********** ********, or **** ********* ***** in ********* *********.

Sign ** *** ******?

** **** ** *********** that **** ******** ***** to ******* ***** ***********, instead ** *** ******, in ***** *****. **** could ** * **** that **** ***-****** ******* resellers *** ******* ** difficult ** *** *** more *********** ** *******, and *** **** ** resort ** ***** ******* to ******* *** ********. 

Comments (9)

Undisclosed #1

12/05/16 07:00pm

For DVR's work locally means the LAN, not the just the console?

Avatar

Brian Karas

IPVM | In reply to Undisclosed #1 | 12/05/16 07:10pm

Based on my conversations with them, yes, that is my understanding.

Avatar

Blake Murphy

12/05/16 11:21pm

So many dots connected with this article.
I await future "promotional" emails

Undisclosed Integrator #2

12/06/16 12:19am

They'll soon promote Analog HD as being more secure than IP. only 1 password to worrry about!!!!

Undisclosed Manufacturer #3

12/06/16 02:46am

Interesting looking through the passwords... There are a lot of repeated sequences throughout the year at the end of the code. I think their code is pretty weak.

Avatar

Paul Curran

12/06/16 12:30pm

I got the same email. Really odd. Questions..

1). Why would you have this backdoor in 2016?

2). Why would you email it when XiongMai are clearly up for a fight.

Undisclosed #1

In reply to Paul Curran | 12/10/16 08:41pm

2). Why would you email it...

They fell for the SMTP honeypot address:

super-hard-coded-credential-sweepstakes@ipvm.com

Undisclosed Distributor #4

12/10/16 07:01pm

Nothing new ,Hikvision's secure code generator based on serial number and date has been on the web for many years! I don't consider it an issue as you need to be on site in order to clear the password.

Just look at your broadband routers, they have a factory reset button , a one-touch wifi connection, one password for all and remote access. I haven't seen much negative publicity on that subject and there are more routers than CCTV system around the world.

Xionmai used to use telnet ( local ) but decided on one password per day just like Dahua did. Dahua has now revised the " one password " facility. Hikvision also used to have Telnet.

Undisclosed Integrator #5

In reply to Undisclosed Distributor #4 | 12/10/16 08:23pm

I think the difference is you can access any device via the daily master password remotely across the lan without physical access. The hikvision system is also insecure as their tool lists the serial across the lan without requiring physical access, I know I have done it in takeovers. However a router reset has to be done via a local button.

If you using the master password list and as the list is short only 365 guesses so local lan malware could easily repeatedly try passwords or even users. Even if the date was wrong on the device it's not going to take long to crack. Agreed there are easier targets but is it confirmed if there is no remote wan access to this issue?

Login to read this IPVM report.
Why do I need to log in?
IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

Related Reports

China DVR/NVR Backdoor Discovered, Huawei Refutes on Feb 07, 2020
A backdoor was found in Chinese-produced DVRs and NVRs that secretly allowed access to the recorders. While it was first attributed to Huawei...
Dahua New Critical Vulnerability 2019 on Sep 23, 2019
Dahua has quietly admitted 5 new vulnerabilities including 1 critical vulnerability with a 9.8 / 10.0 CVSS score and 2 high vulnerabilities (scored...
Uniview OEM Directory on Sep 11, 2019
This directory lists 20+ companies that OEM products from Uniview, with a graphic and links to company websites below. It does not cover all...
ONVIF Exposure To "Devastating DDoS Attacks" Examined on Sep 06, 2019
ZDnet reported "Protocol used by 630,000 devices can be abused for devastating DDoS attacks", citing exposure of ONVIF devices. And after an...
3 Weeks Later, Honeywell Still Cannot Say Whether They Are Vulnerable To Dahua Wiretapping [Now Admits] on Aug 27, 2019
The Dahua wiretapping vulnerability and Dahua's decision to delay disclosing it until IPVM inquired underscored problems with cybersecurity and...
Critical Vulnerability Across 18+ Network Switch Vendors: Cisco, Netgear, More on Aug 26, 2019
Cisco, Netgear and more than a dozen other brands, including small Asian ones, have been found to share the same critical vulnerability, discovered...
Honeywell Speaks On NDAA Ban, New Non-Banned Cameras and Cybersecurity on Aug 06, 2019
For years, Honeywell has depended on Dahua, a company with a poor cybersecurity track record and now banned by the US NDAA, for the development and...
Dahua Wiretapping Vulnerability on Aug 02, 2019
IPVM has validated, with testing, and from Dahua, that many Dahua cameras have a wiretapping vulnerability. Even if the camera's audio has been...
LifeSafety Power NetLink Vulnerabilities And Problematic Response on May 20, 2019
'Power supplies' are not devices that many think about when considering vulnerabilities but as more and more devices go 'online', the risks for...
Security Fail: ASISNYC Auto Emails Passwords In Plain Text on May 14, 2019
ASIS NYC automatically emails a user with the password the user just entered, in plain text, when one registers for the site / event, as the...

Most Recent Industry Reports

Wyze Raises $10 Million And Seeks Services Expansion on May 27, 2020
Wyze has raised $10 million, the company's first disclosed raise since the $20 million announced at the beginning of 2019. Inside this note,...
Startup Videoloft Presents Cloud Storage on May 27, 2020
Videoloft presented offsite cloud storage at the May 2020 IPVM Startups show. A 30-minute video from Videoloft including IPVM...
Directory of 250+ Fever Camera News Reports Globally on May 27, 2020
This global directory tracks 250+ articles about thermal cameras used to detect fevers in response to the coronavirus pandemic. Articles are...
Integrators Rising Against Coronavirus on May 27, 2020
IPVM integrator statistics make it clear - Coronavirus's impact on business is lessening and many are anticipating even better news in weeks...
Netposa Stock Surges 46% After US Human Rights Abuse Sanctions on May 27, 2020
Last Friday, the US government announced it would sanction PRC video management provider NetPosa for being "complicit in human rights violations...
LILIN Presents NDAA-Compliant P2 Cameras on May 26, 2020
Merit LILIN presented its NDAA-compliant P2 camera series at the April 2020 IPVM New Products show. Inside this report: A 30-minute video...
ZKTeco Body Temperature and Mask Detection Reader Tested on May 26, 2020
While dedicated fever cameras emerged first, now tablet/kiosk fever detectors are ramping up. China's ZKTeco has been aggressively promoting such...
IDIS Presents 12MP IR Panoramic Fisheye on May 26, 2020
IDIS presented its 12MP IR panoramic fisheye camera at the April 2020 IPVM New Products show. Inside this report: A 30-minute video from...
FDA Defines Correct Operation of "Fever Cameras" on May 26, 2020
The US FDA has now defined the correct operation of "Thermal Imaging Systems", colloquially known as "fever cameras". Many in video...
OnSSI Founders Return, Start Corsight on May 25, 2020
The OnSSI founders are back, less than 2 years after selling OnSSI to Qognify, they have returned to Corsight, a spin-out of an Israeli AI...