When security experts start hunting, it usually doesn't take them long to unearth worrying findings related to internet of things manufacturers and devices. The industry has been operating on a 1990s-era security stance for so long that there's still plenty of low-hanging fruit (see FTC vs. D-Link: A Warning to the IoT Industry).
The latest finding relates to Hangzhou Xiongmai Technology, the Chinese manufacturer that in late October partially recalled webcams that had been taken over by hackers and used in massive distributed denial-of-service attacks.
The finding came - perhaps surprisingly - via LinkedIn. Ken Munro of U.K.-based Pen Test Partners writes in a blog post that he and a colleague were researching digital video recorders used for CCTV systems when they found a master list of "super user" passwords posted on LinkedIn by a CCTV installer. The passwords may unlock an application called XMEye, which is a cloud-based service for remotely accessing DVR video streams.
Plugin Leads To Xiongmai
XMEye works with products from ZYSecurity, a Chinese company that makes IP cameras, digital video recorders and CCTV systems. The list contains a new password for every day of 2017, organized by month.
Munro linked XMEye to Xiongmai after analyzing a software plugin, which contained the text "Hangzhou Xiongmai Information Technology Company."
The passwords definitely work for users via XMEye's local web interface, Munro tells me. It's unclear if the passwords will work remotely, but his company is planning a tried-and-true check: Munro has ordered a DVR under a different brand name to put to the test.
The list published to LinkedIn only contains passwords, but Pen Test Partners has already discovered the username that works with all of them. Unsurprisingly, it's "default." The account that accepts that username and password combination appears to be hidden, but Pen Test Partners is still investigating, Munro says.
In another twist, it appears that the passwords will work regardless of the date on which they're used, Munro says.
The pool of at-risk devices could be large, Munro says. The challenge will be working out which devices - likely under a variety of brand names - use the XMEye software.
One explanation for building such hard-coded passwords into an application might be to enable remote device support by the personnel who install the devices. Munro says CCTV installers will likely not be qualified network security experts. Munro adds that Pen Test Partners has previously found serious errors in similar products such as "DVR and house alarm installers that have port forwarded through a customer's router, compromising their security."
For now, however, the jury is out on just how bad or extensive this problem might be. "We will keep working on this, but whatever the conclusion, sharing super user account credentials with installers and expecting them not to leak is asking for trouble," Munro writes.
Another Embarrassing Lapse?
Xiongmai officials couldn't immediately be reached for comment. If the password leak is authentic, it would represent another embarrassment for the company, which was one of several vendors blamed for enabling record-breaking distributed denial-of-service attacks.
The Chinese company makes components that other manufacturers put into their cameras and video systems. Xiongmai's circuit boards come with pre-installed firmware, which was the source of the problems.
The firmware shipped with telnet, a remote access tool, enabled by default with weak, known passwords. To take over the devices, hackers merely scanned the internet for devices that responded and installed the Mirai malware.
In September, a large number of Mirai-infected devices were instructed to bombard computer security writer Brian Krebs' website and French hosting provider OVH, notching some of the largest-ever DDoS attacks.
A subsequent Mirai-fueled attack against networking company Dyn shattered its ability to provide outsourced Domain Name System services, causing knock-on disruptions to web surfers trying to reach Twitter, PayPal and Spotify (see Botnet Army of 'Up to 100,000' IoT Devices Disrupted Dyn).
Xiongmai acknowledged in October that Mirai was a huge disaster for the internet of things. The company released new firmware that would, among other things, require people to change default authentication credentials.
Experts estimated in the wake of the DDoS attacks that more than 500,000 devices worldwide used vulnerable Xiongmai firmware. But the company initiated a product recall that applied to fewer than 10,000 products sold in the United States (see Mirai Aftermath: China's Xiongmai Details Webcam Recall).
Security experts say related problems remain widespread. "Personally, I think that network-level security for DVRs is very poor," Pen Test Partners' Munro says. "The fact that Mirai was based on default credentials indicates that DVR security is 15 to 20 years behind mainstream network security."