XiongMai Master Password List Emailed By Chinese Spammer

By: Brian Karas, Published on Dec 05, 2016

XiongMai created an international uproar as their devices drove massive botnet attacks of major Internet sites.

After pledging to recall cameras after the attack, and then threatening to sue those who criticized them, XiongMai is back.

A Chinese reseller of XiongMai equipment sent us a spam email that contains master passwords for XiongMai devices.

They consider this list a benefit for dealers, enabling faster and easier customer support, while overlooking the security risks it creates.

******** ******* ** ************* uproar ** ***** ******* drove ******* ****** ******* of ***** ******** *****.

***** ******** ** ****** ******* after *** ******, *** then*********** ** *** ***** who ********** ****, ******** ** ****.

* ******* ******** ** XiongMai ********* **** ** * spam email **** ******** ****** passwords *** ******** *******.

**** ******** **** **** a ******* *** *******, enabling ****** *** ****** customer *******, ***** *********** the ******** ***** ** creates.

[***************]

"Helpful" ********

* ***** ********, **********, ******* **. ****** than ***** *** ****** as *** ** *** business (*** ******* ******), they ******** * "***** Password ****" *** ** (XiongMai) ********:

*** ********* ***** ** a ****** **** *********** ****, ***** *** *** pre-computed ****** ******** *** each *** ** ****.

Super ******** ***** ***** ****

*** "***** ********" ******** local ****** ** *** device **** ****, ********* to **********. *** *********, the ******** *** ** entered ******** *** *** standard **, *** *** cameras ** ********** ******* utility ** ******** ** send *** ********/***** ********. In ****** ****, *** end ****** ** * device **** *** ***** password *******, ******** *** a *** ***** ******** to ** ***.

But ***** *** *** ******

***** ********* *** **** for *** ****** ****** and **** *** ****** on ******* *** ****** specific *********** **** ****** number ** *** *******.

Compared ** ********* ****** *********

********* ******** ********* * ****** password ** **** ****** to * ****** **** a ********* ***** ********, however *** ********* *** also **** ** **** the ****** ****** ** the ******. ** ********* the ****** ****** ** part ** *** *********** there ** ** ****** list ** "****** *********" for *********, ******** *** chances ** **** ********. Hikvision *** **** ***** ****-***** ******** *****, ******** ***** ** enter ******** ********* **** can ****** ** *******/***** a ********* ********.

Vulnerability ********

***** **** ****** **** being **** ** ******** reset *** ***** ********, this ************* ***** ***** up * *********** ************* ** users. ** ******** *** gains ****** ** *** LAN *** ** ******** PC, ****** ******* ******, or ***** ****** ********* to *** ** * reverse ***** *** ****** access ***** ******* ***** passwords ** *** ***** access ** ******* ** recorders, ******* ** *** potential *** ********** ********, or **** ********* ***** in ********* *********.

Sign ** *** ******?

** **** ** *********** that **** ******** ***** to ******* ***** ***********, instead ** *** ******, in ***** *****. **** could ** * **** that **** ***-****** ******* resellers *** ******* ** difficult ** *** *** more *********** ** *******, and *** **** ** resort ** ***** ******* to ******* *** ********. 

Comments (9)

Undisclosed #1

12/05/16 07:00pm

For DVR's work locally means the LAN, not the just the console?

Avatar

Brian Karas

IPVM | In reply to Undisclosed #1 | 12/05/16 07:10pm

Based on my conversations with them, yes, that is my understanding.

Avatar

Blake Murphy

12/05/16 11:21pm

So many dots connected with this article.
I await future "promotional" emails

Undisclosed Integrator #2

12/06/16 12:19am

They'll soon promote Analog HD as being more secure than IP. only 1 password to worrry about!!!!

Undisclosed Manufacturer #3

12/06/16 02:46am

Interesting looking through the passwords... There are a lot of repeated sequences throughout the year at the end of the code. I think their code is pretty weak.

Avatar

Paul Curran

12/06/16 12:30pm

I got the same email. Really odd. Questions..

1). Why would you have this backdoor in 2016?

2). Why would you email it when XiongMai are clearly up for a fight.

Undisclosed #1

In reply to Paul Curran | 12/10/16 08:41pm

2). Why would you email it...

They fell for the SMTP honeypot address:

super-hard-coded-credential-sweepstakes@ipvm.com

Undisclosed Distributor #4

12/10/16 07:01pm

Nothing new ,Hikvision's secure code generator based on serial number and date has been on the web for many years! I don't consider it an issue as you need to be on site in order to clear the password.

Just look at your broadband routers, they have a factory reset button , a one-touch wifi connection, one password for all and remote access. I haven't seen much negative publicity on that subject and there are more routers than CCTV system around the world.

Xionmai used to use telnet ( local ) but decided on one password per day just like Dahua did. Dahua has now revised the " one password " facility. Hikvision also used to have Telnet.

Undisclosed Integrator #5

In reply to Undisclosed Distributor #4 | 12/10/16 08:23pm

I think the difference is you can access any device via the daily master password remotely across the lan without physical access. The hikvision system is also insecure as their tool lists the serial across the lan without requiring physical access, I know I have done it in takeovers. However a router reset has to be done via a local button.

If you using the master password list and as the list is short only 365 guesses so local lan malware could easily repeatedly try passwords or even users. Even if the date was wrong on the device it's not going to take long to crack. Agreed there are easier targets but is it confirmed if there is no remote wan access to this issue?

Login to read this IPVM report.
Why do I need to log in?
IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

Related Reports

Uniview Beats Intel In Trademark Lawsuit on Aug 19, 2019
Uniview has won a long-running trademark lawsuit brought by Intel, with Beijing's highest court reversing an earlier Intel win, centered on...
Biometrics Usage Statistics 2019 on Aug 13, 2019
Biometrics are commonly used in phones, but how frequently are they used for access? 150+ integrators told us how often they use biometrics,...
US Government Ban of Dahua, Hikvision, Huawei Takes Effect Now on Aug 13, 2019
The 'prohibition on use or procurement' of Dahua, Hikvision and Huawei products and 'essential components' take effect today, August 13, 2019, one...
Hikvision Global News Reports Directory on Aug 11, 2019
Hikvision has received the most global news reporting of any video surveillance company, ever, ranging from the WSJ, the Financial Times, Reuters,...
Stanley Makes "Multi-Million Dollar Investment" Into Banned Hikvision Products on Aug 09, 2019
Just days from the US government ban going into effect, US mega-corporation Stanley has dramatically increased its imports of banned Hikvision...
Dahua Wiretapping Vulnerability on Aug 02, 2019
IPVM has validated, with testing, and from Dahua, that many Dahua cameras have a wiretapping vulnerability. Even if the camera's audio has been...
Indonesia Security Association Chairman Interview on Aug 01, 2019
Indonesia is a huge country with a population close to the US and a fast-growing economy. Its security industry is also growing rapidly but faces...
Hikvision Cameras Covering Concentration Camps on Jul 29, 2019
Hikvision cameras monitoring a concentration camp were shown in a recent BBC investigation: The video excerpt shows the Hikvision cameras and...
Australia Security Full Show Report on Jul 25, 2019
IPVM went to Australia attending the 3 days of the Australia Security Exhibition: This was held at the ICC Sydney, as shown below: In this...
History of Video Surveillance on Jul 19, 2019
The video surveillance market has changed significantly since 2000, going from VCRs to ab emerging AI cloud era.  The goal of this history is to...

Most Recent Industry Reports

Dahua 4K Camera Shootout on Aug 20, 2019
Dahua's new Pro Series 4K N85CL5Z claims to "deliver superior images in all lighting and environmental conditions", but how does this compare to...
ZK Teco Atlas Access Control Tested on Aug 20, 2019
Who needs access specialists? China-based ZKTeco claims its newest access panel 'makes it very easy for anyone to learn and install access control...
Uniview Beats Intel In Trademark Lawsuit on Aug 19, 2019
Uniview has won a long-running trademark lawsuit brought by Intel, with Beijing's highest court reversing an earlier Intel win, centered on...
Verkada People And Face Analytics Tested on Aug 16, 2019
This week, Verkada released "People Analytics", including face analytics that they describe is a "game-changing feature" that "pushes the...
Dahua OEM Directory 2019 on Aug 16, 2019
US Government banned Dahua OEMs for dozens of companies. The following directory includes 40+ of those companies with a graphic and links to...
Installation Course - Register Now on Aug 15, 2019
Register Now for the September 2019 Video Surveillance Install Course. This is a unique installation course in a market where little practical...
Axis Suffers Outage, Provides Postmortem on Aug 15, 2019
This week, Axis suffered an outage impacting their website and cloud services. Inside this note, we examined what happened, what was impacted...
Hikvision Scrutinized In The Netherlands on Aug 15, 2019
Hikvision is facing unprecedented scrutiny in the Netherlands, at the same time the US government ban has taken effect. This week, a Dutch...
Axis 4K Camera Shootout 2019 on Aug 14, 2019
Axis' 4K Q3518-LVE claims the "best video quality possible", with Lightfinder super low light performance, Axis' high end Forensic WDR, and...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact