Last minute geek

last minute tech news from around the net

You are here: English BoingBoing ibag A year later, giant Chinese security camera company's products are still a security dumpster-fire

A year later, giant Chinese security camera company's products are still a security dumpster-fire

User Rating: / 0
A year ago, Chinese white-label CCTV/DVR vendor Xiongmai announced a recall and security update for its devices, whose weak security meant that they had been conscripted into a massive, unstoppable botnet. A year later, Xiongmai's promises have been broken: the company has invested precious little resource into keeping its security current, and as a result the cameras and recorders it sells are routinely compromised by voyeurs (who use them to spy on their owners), criminals (who use them to case businesses and plan crimes) and cybercriminals (who take over the devices and use them to run bot attacks of various kinds, from denial-of-service to simply disguising the location of another attack by using a hacked device as a proxy). To complicate the matter, Xiongmai is a white-label vendor whose products are sold under hundreds of brand-names, making it nearly impossible to tell whether you are about to buy (or already own) one of their defective products. It may not matter: Xionmai's major competitor, TVT, is another white label CCTV/DVR giant, and its products are incredibly insecure and it, too has failed to take action to fix things. The exploits used to take over these devices are not supervillainry: thanks to weak default passwords, deliberate backdoors, and bad design decisions (like not forcing a password change during setup), they are taken over in their thousands by clumsy, amateurish exploits. The latest Xiongmai vulnerability advisory comes from SEC Consult (who previously revealed similar defects in Shenzhen Gwelltimes Technology Co., Ltd's constellation of white-label internet of shit gadgets): they explored vulnerabilities in Xiongmai's cloud management system, called the "XMEye P2P Cloud." Logins for this system are easily guessed because they are derived from Xiongmai products' sequential MAC addresses; the passwords use weak default usernames ("admin" and no password!), and every device has a second, hidden backdoor account whose login/pass is "default/tluafed." Once an attacker gains access to a device, they have the ability to flash its firmware, and because Xiongmai doesn't practice firmware signing, an attacker can load anything onto its products. Read the rest

Read all
Comment Policy:
We pre-moderate any comments and welcome all kinds of thoughts, supportive, dissenting, critical or otherwise. We delete or censor comments that are:

* abusive
* off-topic
* contain personal attacks, or against any company or organization
* promote hate of any kind
* use excessively foul language
* is blatantly spam or advertising

We do not discriminate based on the person who is posting, and we never censor comments for political or ideological reasons. We never delete an appropriate comment because we disagree with its viewpoint or ideology, and we never publish an inappropriate comment because we agree with or support its viewpoint or ideology.

Attention spammers: we manually approve all comments. Spamming and blatant advertising will NOT be published on this site and is deleted immediately, you've been warned, do not waste your time here.

Add comment

Security code