World's largest CCTV maker leaves at least 9 million cameras open to public viewing

Xiongmai's cloud portal opens sneaky backdoor into servers


Yet another IoT device vendor has been found to be exposing their products to attackers with basic security lapses.

This time, it's Chinese surveillance camera maker Xiongmai named and shamed this week by researchers with SEC Consult for the poor security in the XMEye P2P Cloud service. Among the problems researchers pointed to were exposed default credentials and unsigned firmware updates that could be delivered via the service.

As a result, SEC Consult warns, the cameras could be compromised to do everything from spy on their owners, to carry out botnet instructions and even to serve as an entry point for larger network intrusions.

"Our recommendation is to stop using Xiongmai and Xiongmai OEM devices altogether," SEC Consult recommended.

"The company has a bad security track record including its role in Mirai and various other IoT botnets. There are vulnerabilities that have been published in 2017, which are still not fixed in the most recent firmware version."

Enabled by default, the P2P Cloud service allows users to remotely connect to devices via either a web browser or an iOS/Android app and control the hardware without needing a local network connection.

mirai

Mirai, Mirai, pwn them all, who's the greatest botnet on the whole?

READ MORE

Unfortunately, SEC Consult explained, shortcomings in both the devices themselves and the service, such as unencrypted connections and default passwords (owners are not required to change the defaults when setting up the device) mean that in many cases, accessing and compromising camera could be a cinch.

Additionally, SEC Consult notes, the Xiongmai devices do not require that firmware updates be signed, meaning it would be possible for an attacker to install malware-laden firmware updates to build a botnet or stage further attacks on the local network.

"This is either possible by modifying the filesystems, contained in a firmware update, or modifying the 'InstallDesc' file in a firmware update file," researchers explain.

"The 'InstallDesc' is a text file that contains commands that are executed during the update."

On top of it all, SEC Consult accuses Xiongmai of a pattern of ignoring security warnings and failing to take basic precautions.

The research house claims that not only were its latest warnings to the company ignored, but Xiongmai has a history of bad security going all the way back to its days as fodder for the notorious Mirai botnet. As such, the researchers advise companies stop using any OEM hardware that is based on the Xiongmai hardware. The devices can be identified by their web interface, error page, or product pages advertising the EMEye service. ®

Broader topics


Other stories you might like

  • Tesla driver charged with vehicular manslaughter after deadly Autopilot crash

    Prosecution seems to be first of its kind in America

    A Tesla driver has seemingly become the first person in the US to be charged with vehicular manslaughter for a deadly crash in which the vehicle's Autopilot mode was engaged.

    According to the cops, the driver exited a highway in his Tesla Model S, ran a red light, and smashed into a Honda Civic at an intersection in Gardena, Los Angeles County, in late 2019. A man and woman in the second car were killed. The Tesla driver and a passenger survived and were taken to hospital.

    Prosecutors in California charged Kevin George Aziz Riad, 27, in October last year though details of the case are only just emerging, according to AP on Tuesday. Riad, a limousine service driver, is facing two counts of vehicular manslaughter, and is free on bail after pleading not guilty.

    Continue reading
  • AMD returns to smartphone graphics with new Samsung chip for your pocket computer

    We're back in black

    AMD's GPU technology is returning to mobile handsets with Samsung's Exynos 2200 system-on-chip, which was announced on Tuesday.

    The Exynos 2200 processor, fabricated using a 4nm process, has Armv9 CPU cores and the oddly named Xclipse GPU, which is an adaptation of AMD's RDNA 2 mainstream GPU architecture.

    AMD was in the handheld GPU market until 2009, when it sold the Imageon GPU and handheld business for $65m to Qualcomm, which turned the tech into the Adreno GPU for its Snapdragon family. AMD's Imageon processors were used in devices from Motorola, Panasonic, Palm and others making Windows Mobile handsets.

    Continue reading
  • Big shock: Guy who fled political violence and became rich in tech now struggles to care about political violence

    'I recognize that I come across as lacking empathy,' billionaire VC admits

    Billionaire tech investor and ex-Facebook senior executive Chamath Palihapitiya was publicly blasted after he said nobody really cares about the reported human rights abuse of Uyghur Muslims in China.

    The blunt comments were made during the latest episode of All-In, a podcast in which Palihapitiya chats to investors and entrepreneurs Jason Calacanis, David Sacks, and David Friedberg about technology.

    The group were debating the Biden administration’s response to what's said to be China's crackdown of Uyghur Muslims when Palihapitiya interrupted and said: “Nobody cares about what’s happening to the Uyghurs, okay? ... I’m telling you a very hard ugly truth, okay? Of all the things that I care about … yes, it is below my line.”

    Continue reading

Biting the hand that feeds IT © 1998–2022