XiongMai Master Password List Emailed By Chinese Spammer

Author: Brian Karas, Published on Dec 05, 2016

XiongMai created an international uproar as their devices drove massive botnet attacks of major Internet sites.

After pledging to recall cameras after the attack, and then threatening to sue those who criticized them, XiongMai is back.

A Chinese reseller of XiongMai equipment sent us a spam email that contains master passwords for XiongMai devices.

They consider this list a benefit for dealers, enabling faster and easier customer support, while overlooking the security risks it creates.


Comments (9)

For DVR's work locally means the LAN, not the just the console?

Based on my conversations with them, yes, that is my understanding.

So many dots connected with this article.
I await future "promotional" emails

They'll soon promote Analog HD as being more secure than IP. Only 1 password to worry about!!!!

Interesting looking through the passwords... There are a lot of repeated sequences throughout the year at the end of the code. I think their code is pretty weak.

I got the same email. Really odd. Questions..

1). Why would you have this backdoor in 2016?

2). Why would you email it when XiongMai are clearly up for a fight.

2). Why would you email it...

They fell for the SMTP honeypot address:

super-hard-coded-credential-sweepstakes@ipvm.com

Nothing new, Hikvision's secure code generator based on serial number and date has been on the web for many years! I don't consider it an issue as you need to be on site in order to clear the password.

Just look at your broadband routers, they have a factory reset button, a one-touch wifi connection, one password for all and remote access. I haven't seen much negative publicity on that subject and there are more routers than CCTV systems around the world.

XiongMai used to use telnet (local) but decided on one password per day just like Dahua did. Dahua has now revised the "one password" facility. Hikvision also used to have Telnet.

I think the difference is you can access any device via the daily master password remotely across the LAN without physical access. The Hikvision system is also insecure as their tool lists the serial across the LAN without requiring physical access, I know I have done it in takeovers. However a router reset has to be done via a local button.

If you're using the master password list, and as the list is short, only 365 guesses, local LAN malware could easily repeatedly try passwords or even users. Even if the date was wrong on the device it's not going to take long to crack. Agreed there are easier targets, but is it confirmed if there is no remote WAN access to this issue?

