XiongMai Master Password List Emailed By Chinese Spammer

By Brian Karas, Published on Dec 05, 2016

XiongMai created an international uproar as their devices drove massive botnet attacks of major Internet sites.

After pledging to recall cameras after the attack, and then threatening to sue those who criticized them, XiongMai is back.

A Chinese reseller of XiongMai equipment sent us a spam email that contains master passwords for XiongMai devices.

They consider this list a benefit for dealers, enabling faster and easier customer support, while overlooking the security risks it creates.

"Helpful" ********

* ***** ********, **********, ******* **. ****** than ***** *** ****** as *** ** *** business (*** ******* ******), they ******** * "***** Password ****" *** ** (XiongMai) ********:

*** ********* ***** ** a ****** **** *********** ****, ***** *** *** pre-computed ****** ******** *** each *** ** ****.

Super ******** ***** ***** ****

*** "***** ********" ******** local ****** ** *** device **** ****, ********* to **********. *** *********, the ******** *** ** entered ******** *** *** standard **, *** *** cameras ** ********** ******* utility ** ******** ** send *** ********/***** ********. In ****** ****, *** end ****** ** * device **** *** ***** password *******, ******** *** a *** ***** ******** to ** ***.

But ***** *** *** ******

***** ********* *** **** for *** ****** ****** and **** *** ****** on ******* *** ****** specific *********** **** ****** number ** *** *******.

Compared ** ********* ****** *********

********* ******** ********* * ****** password ** **** ****** to * ****** **** a ********* ***** ********, however *** ********* *** also **** ** **** the ****** ****** ** the ******. ** ********* the ****** ****** ** part ** *** *********** there ** ** ****** list ** "****** *********" for *********, ******** *** chances ** **** ********. Hikvision *** **** ***** ****-***** ******** *****, ******** ***** ** enter ******** ********* **** can ****** ** *******/***** a ********* ********.

Vulnerability ********

***** **** ****** **** being **** ** ******** reset *** ***** ********, this ************* ***** ***** up * *********** ************* ** users. ** ******** *** gains ****** ** *** LAN *** ** ******** PC, ****** ******* ******, or ***** ****** ********* to *** ** * reverse ***** *** ****** access ***** ******* ***** passwords ** *** ***** access ** ******* ** recorders, ******* ** *** potential *** ********** ********, or **** ********* ***** in ********* *********.

Sign ** *** ******?

** **** ** *********** that **** ******** ***** to ******* ***** ***********, instead ** *** ******, in ***** *****. **** could ** * **** that **** ***-****** ******* resellers *** ******* ** difficult ** *** *** more *********** ** *******, and *** **** ** resort ** ***** ******* to ******* *** ********. 

Comments (9)

Undisclosed #1

IPVMU Certified | 12/05/16 07:00pm

For DVR's work locally means the LAN, not the just the console?

Avatar

Brian Karas

IPVM | In reply to Undisclosed #1 | 12/05/16 07:10pm

Based on my conversations with them, yes, that is my understanding.

Avatar

Blake Murphy

12/05/16 11:21pm

So many dots connected with this article.
I await future "promotional" emails

Undisclosed Integrator #2

12/06/16 12:19am

They'll soon promote Analog HD as being more secure than IP. only 1 password to worrry about!!!!

Undisclosed Manufacturer #3

12/06/16 02:46am

Interesting looking through the passwords... There are a lot of repeated sequences throughout the year at the end of the code. I think their code is pretty weak.

Avatar

Paul Curran

12/06/16 12:30pm

I got the same email. Really odd. Questions..

1). Why would you have this backdoor in 2016?

2). Why would you email it when XiongMai are clearly up for a fight.

Undisclosed #1

IPVMU Certified | In reply to Paul Curran | 12/10/16 08:41pm

2). Why would you email it...

They fell for the SMTP honeypot address:

super-hard-coded-credential-sweepstakes@ipvm.com

Undisclosed Distributor #4

12/10/16 07:01pm

Nothing new ,Hikvision's secure code generator based on serial number and date has been on the web for many years! I don't consider it an issue as you need to be on site in order to clear the password.

Just look at your broadband routers, they have a factory reset button , a one-touch wifi connection, one password for all and remote access. I haven't seen much negative publicity on that subject and there are more routers than CCTV system around the world.

Xionmai used to use telnet ( local ) but decided on one password per day just like Dahua did. Dahua has now revised the " one password " facility. Hikvision also used to have Telnet.

Undisclosed Integrator #5

In reply to Undisclosed Distributor #4 | 12/10/16 08:23pm

I think the difference is you can access any device via the daily master password remotely across the lan without physical access. The hikvision system is also insecure as their tool lists the serial across the lan without requiring physical access, I know I have done it in takeovers. However a router reset has to be done via a local button.

If you using the master password list and as the list is short only 365 guesses so local lan malware could easily repeatedly try passwords or even users. Even if the date was wrong on the device it's not going to take long to crack. Agreed there are easier targets but is it confirmed if there is no remote wan access to this issue?

Read this IPVM report for free.

This article is part of IPVM's 6,604 reports, 890 tests and is only available to members. To get a one-time preview of our work, enter your work email to access the full article.

Already a member? Login here | Join now

Related Reports

Axis Exports To China Police Criticized By Amnesty International on Sep 21, 2020
Axis Communications and other EU surveillance providers are under fire from...
Six Flags' FDA Violating Outdoor Dahua Fever Cameras on Oct 26, 2020
As Six Flags scrambled to reopen parks amid plummeting revenues caused by the...
Verkada Disruptive Embedded Live Help on Sep 24, 2020
Call up your integrator? Have someone come by the next day? Verkada is...
Dahua Taunts Australian Government, Continues To Sell Illegal Fever Cameras on Aug 10, 2020
Dahua is effectively taunting the Australian government by continuing to sell...
Panasonic i-PRO Hid Huawei, Does Damage Control on Aug 21, 2020
Panasonic i-PRO hid their usage of Huawei from the public, continues to...
China General Chamber of Commerce Calls Out US Politics on Sep 24, 2020
While US-China relations are at an all-time low, optimism about relations...
Axis Compares Fever Camera Sellers to 9/11 on Sep 18, 2020
Axis Communications, the West's largest surveillance camera manufacturer, has...
Honeywell Warns of Huawei, Advocates Futureproofing on Aug 31, 2020
For years, Honeywell has profited from OEMing Dahua and using Huawei...
Forced Door Alarms For Access Control Tutorial on Aug 17, 2020
One of the most important access control alarms is also often ignored....
Anixter Runs Fake Coronavirus Marketing Using Shutterstock Watermarked Images on Jul 24, 2020
Coronavirus faked marketing is regrettably commonplace right now but Anixter...
Amazon, Microsoft and IBM Abandoning Face Recognition Is An "Irresponsible PR Stunt" Says AnyVision on Jul 17, 2020
In the wake of national protests against US police abuses, big tech firms...
Faked Convergint Fever Camera 'Expert' Marketing on Jun 16, 2020
Convergint touts they are "THERMAL CAMERA SOLUTION EXPERTS" while faking...
Verkada: "IPVM Should Never Be Your Source of News" on Jul 02, 2020
Verkada was unhappy with IPVM's recent coverage declaring that reading IPVM...
NDAA Compliant Video Surveillance Whitelist on Aug 10, 2020
This report aggregates video surveillance products that manufacturers have...
US Passes Uyghur Human Rights Law Condemning Mass Surveillance on Jun 18, 2020
The US government has passed the Uyghur Human Rights Policy Act of 2020,...

Recent Reports

Motorola Solutions Total Revenue Down, Video Revenue Up on Oct 30, 2020
Motorola Solutions' total revenue is down, but video (both fixed and...
Recruiters Show 2020 On-Demand Recordings on Oct 30, 2020
Recordings from the 12 recruiter presentations are now available...
Consultants Show 2020 On-Demand Recording on Oct 29, 2020
Recordings from the consultant show are available on-demand at the end of...
Hikvision AcuSense G2 Camera Test on Oct 29, 2020
Hikvision has released their next generation of AcuSense analytic cameras...
Biggest Problems Selling Access Control 2020 on Oct 29, 2020
Access control can cause integrators big headaches. What practical issues do...
Taiwan Geovision AI Analytics and NDAA Examined on Oct 29, 2020
Taiwan manufacturer Geovision's revenue has been falling for years. However,...
Bedside Cough and Sneeze Detector (Sound Intelligence and CLB) on Oct 28, 2020
Coronavirus has increased interest in detecting symptoms such as fever and...
Fever Tablet Thermal Sensors Examined (Melexis) on Oct 28, 2020
Fever tablet suppliers heavily rely on the accuracy and specs of...
Verkada Fires 3 on Oct 28, 2020
Verkada has fired three employees over an incident where female colleagues...
Eagle Eye Networks Raises $40 Million on Oct 27, 2020
Eagle Eye has raised $40 million aiming to "reinvent video...
Hikvision Q3 2020 Global Revenue Rises, US Revenue Falls on Oct 27, 2020
While Hikvision's global revenue rises driven by domestic recovery, its US...
VICE Investigates Verkada's Harassing "RawVerkadawgz" on Oct 26, 2020
This month, IPVM investigated Verkada's sexism, discrimination, and cultural...
Six Flags' FDA Violating Outdoor Dahua Fever Cameras on Oct 26, 2020
As Six Flags scrambled to reopen parks amid plummeting revenues caused by the...
ISC Brasil Digital Experience 2020 Report on Oct 23, 2020
ISC Brasil 2020 rebranded itself to ISC Digital Experience and, like its...
Top Video Surveillance Service Call Problems 2020 on Oct 23, 2020
3 primary and 4 secondary issues stood out as causing the most problems when...