XiongMai Master Password List Emailed By Chinese Spammer

Published Dec 05, 2016 18:36 PM

XiongMai created an international uproar as their devices drove massive botnet attacks of major Internet sites.

After pledging to recall cameras after the attack, and then threatening to sue those who criticized them, XiongMai is back.

A Chinese reseller of XiongMai equipment sent us a spam email that contains master passwords for XiongMai devices.

They consider this list a benefit for dealers, enabling faster and easier customer support, while overlooking the security risks it creates.

"Helpful" ********

* ***** ********, **********, ******* **. ****** **** ***** low ****** ** *** ** *** business (*** ******* ******), **** ******** a "***** ******** ****" *** ** (XiongMai) ********:

*** ********* ***** ** * ****** from *********** ****, ***** *** *** ***-******** ****** password *** **** *** ** ****.

Super ******** ***** ***** ****

*** "***** ********" ******** ***** ****** to *** ****** **** ****, ********* to **********. *** *********, *** ******** can ** ******* ******** *** *** standard **, *** *** ******* ** additional ******* ******* ** ******** ** send *** ********/***** ********. ** ****** case, *** *** ****** ** * device **** *** ***** ******** *******, allowing *** * *** ***** ******** to ** ***.

But ***** *** *** ******

***** ********* *** **** *** *** device ****** *** **** *** ****** on ******* *** ****** ******** *********** like ****** ****** ** *** *******.

Compared ** ********* ****** *********

********* ******** ********* * ****** ******** ** gain ****** ** * ****** **** a ********* ***** ********, ******* *** Hikvision *** **** **** ** **** the ****** ****** ** *** ******. By ********* *** ****** ****** ** part ** *** *********** ***** ** no ****** **** ** "****** *********" for *********, ******** *** ******* ** easy ********. ********* *** **** ***** ****-***** ******** *****, ******** ***** ** ***** ******** questions **** *** ****** ** *******/***** a ********* ********.

Vulnerability ********

***** **** ****** **** ***** **** to ******** ***** *** ***** ********, this ************* ***** ***** ** * significant vulnerability ** *****. ** ******** *** gains ****** ** *** *** *** an ******** **, ****** ******* ******, or ***** ****** ********* ** *** as * ******* ***** *** ****** access ***** ******* ***** ********* ** get ***** ****** ** ******* ** recorders, ******* ** *** ********* *** additional ********, ** **** ********* ***** in ********* *********.

Sign ** *** ******?

** **** ** *********** **** **** reseller ***** ** ******* ***** ***********, instead ** *** ******, ** ***** email. **** ***** ** * **** that **** ***-****** ******* ********* *** finding ** ********* ** *** *** more *********** ** *******, *** *** have ** ****** ** ***** ******* to ******* *** ********. 

Comments (9)
Undisclosed #1
Dec 05, 2016
IPVMU Certified

For DVRs, "work locally" means the LAN, not just the console?

Brian Karas
Dec 05, 2016
IPVM

Based on my conversations with them, yes, that is my understanding.

Blake Murphy
Dec 05, 2016

So many dots connected with this article.
I await future "promotional" emails

Undisclosed Integrator #2
Dec 06, 2016

They'll soon promote Analog HD as being more secure than IP. Only 1 password to worry about!!!!

(2)
Undisclosed Manufacturer #3
Dec 06, 2016

Interesting looking through the passwords... There are a lot of repeated sequences throughout the year at the end of the code. I think their code is pretty weak.

(1)
Paul Curran
Dec 06, 2016

I got the same email. Really odd. Questions..

1). Why would you have this backdoor in 2016?

2). Why would you email it when XiongMai are clearly up for a fight.

(2)
Undisclosed #1
Dec 10, 2016
IPVMU Certified

2). Why would you email it...

They fell for the SMTP honeypot address:

super-hard-coded-credential-sweepstakes@ipvm.com

Undisclosed Distributor #4
Dec 10, 2016

Nothing new, Hikvision's secure code generator based on serial number and date has been on the web for many years! I don't consider it an issue as you need to be on site in order to clear the password.

Just look at your broadband routers: they have a factory reset button, a one-touch wifi connection, one password for all and remote access. I haven't seen much negative publicity on that subject and there are more routers than CCTV systems around the world.

XiongMai used to use telnet (local) but decided on one password per day, just like Dahua did. Dahua has now revised the "one password" facility. Hikvision also used to have Telnet.

(1)
Undisclosed Integrator #5
Dec 10, 2016

I think the difference is you can access any device via the daily master password remotely across the LAN without physical access. The Hikvision system is also insecure as their tool lists the serial across the LAN without requiring physical access; I know, I have done it in takeovers. However, a router reset has to be done via a local button.

If you are using the master password list, and as the list is short (only 365 guesses), local LAN malware could easily repeatedly try passwords or even users. Even if the date was wrong on the device it's not going to take long to crack. Agreed there are easier targets, but is it confirmed that there is no remote WAN access to this issue?
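The last comment's point, that a one-password-per-day scheme leaves a keyspace of only 365 guesses, is exactly the situation where a burst of failed logins on the LAN is the signal a defender should look for. The following Python is an added example, not code from the article or from any vendor: it parses constructed DVR/NVR authentication log lines (the line format, the IP addresses and the threshold values are assumptions) and flags any source that accumulates a threshold number of failed logins inside a sliding time window, which is how a cycling attempt through a small date-based list would look on the wire.

```python
"""
Flag sources that produce a burst of failed logins, the footprint of an
attacker cycling through a small (e.g. 365-entry, date-based) password list.

Added example, not part of the original article. The log line format,
addresses, and thresholds below are assumptions, not any vendor's format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (assumption):
#   "<YYYY-MM-DD HH:MM:SS> src=<ip> user=<name> result=<OK|FAIL>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Parse one constructed auth log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
        "src": m.group("src"),
        "user": m.group("user"),
        "result": m.group("result"),
    }


def find_bruteforce_sources(lines, threshold=10, window_seconds=60):
    """Return {src: time_of_first_alert} for every source that reaches
    `threshold` FAIL results within any sliding window of `window_seconds`.

    A per-source deque keeps only the failure timestamps still inside the
    window, so memory stays bounded by threshold per source."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["result"] != "FAIL":
            continue  # unparseable lines and successes do not count
        q = recent[ev["src"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= threshold and ev["src"] not in alerts:
            alerts[ev["src"]] = ev["ts"]
    return alerts


def build_sample_log():
    """Constructed sample: one noisy source, one normal source, one junk line."""
    base = datetime(2016, 12, 10, 9, 0, 0)
    lines = []
    # 192.0.2.10: twelve failures two seconds apart -> should alert on the 10th
    for i in range(12):
        ts = base + timedelta(seconds=2 * i)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} src=192.0.2.10 user=admin result=FAIL")
    # 192.0.2.20: three failures ten minutes apart, then success -> normal user
    for i in range(3):
        ts = base + timedelta(minutes=10 * i)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} src=192.0.2.20 user=admin result=FAIL")
    ok_ts = base + timedelta(minutes=31)
    lines.append(f"{ok_ts:%Y-%m-%d %H:%M:%S} src=192.0.2.20 user=admin result=OK")
    lines.append("this line is deliberately malformed and must be ignored")
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for src, when in find_bruteforce_sources(SAMPLE_LOG).items():
        print(f"ALERT: {src} hit the failed-login threshold at {when:%H:%M:%S}")
```

The threshold of 10 failures per minute is a starting point, not a tuned value; on a real recorder the right numbers come from watching a baseline of legitimate logins first. The same window logic can be keyed on the target username instead of the source address, which catches the "or even users" variant the comment mentions.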