Over Nine Million Cameras and DVRs Open To APTs, Botnet Herders, and Voyeurs (zdnet.com)

Millions of security cameras, DVRs, and NVRs contain vulnerabilities that can allow a remote attacker to take over devices with little effort, security researchers have revealed today. From a report: All vulnerable devices have been manufactured by Hangzhou Xiongmai Technology Co., Ltd. (Xiongmai hereinafter), a Chinese company based in the city of Hangzhou. But end users won't be able to tell that they're using a hackable device because the company doesn't sell any products with its name on them, but ships all equipment as white label products on which other companies put their logo on top. Security researchers from EU-based SEC Consult say they've identified over 100 companies that buy and re-brand Xiongmai devices as their own. All of these devices are vulnerable to easy hacks, researchers say. The source of all vulnerabilities is a feature found in all devices named the "XMEye P2P Cloud." The XMEye P2P Cloud works by creating a tunnel between a customer's device and an XMEye cloud account. Device owners can access this account via their browser or via a mobile app to view device video feeds in real time. SEC Consult researchers say that these XMEye cloud accounts have not been sufficiently protected. For starters, an attacker can guess account IDs because they've been based on devices' sequential physical addresses (MACs). Second, all new XMEye accounts use a default admin username of "admin" with no password.
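The three weaknesses in the summary (an "admin" account with no password, cloud IDs derived from sequential MACs, and the hidden default/tluafed account quoted from the article further down the thread) are all things an owner can check for in a device's own configuration export. The audit below is an added example for this page; it is not code from SEC Consult, ZDNet or Xiongmai, and the JSON export format, its field names (`mac`, `cloud_id`, `p2p_cloud_enabled`, `accounts`) and the "cloud ID contains the MAC" heuristic are assumptions constructed for the example.

```python
import json
import re

# Credential pairs named on this page: the admin account with an empty password
# (SEC Consult's finding) and the hidden default/tluafed account quoted from the
# article in the comments below.
KNOWN_DEFAULTS = {("admin", ""), ("default", "tluafed")}

# Constructed sample export.  The field names are assumptions for this example,
# not any real vendor's export format.
SAMPLE_EXPORT = """
[
  {"name": "lobby-cam", "mac": "00:11:22:33:44:55", "cloud_id": "001122334455",
   "p2p_cloud_enabled": true,
   "accounts": [{"user": "admin", "password": ""},
                {"user": "default", "password": "tluafed"}]},
  {"name": "garage-nvr", "mac": "00:11:22:33:44:56", "cloud_id": "7c2e9a41b0d5",
   "p2p_cloud_enabled": false,
   "accounts": [{"user": "admin", "password": "correct horse battery staple"},
                {"user": "viewer", "password": ""}]}
]
"""


def mac_hex(mac):
    """Lower-case hex digits of a MAC with separators removed."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())


def audit_device(dev):
    """Return a list of findings for one device record; empty list means clean."""
    findings = []
    for acct in dev.get("accounts", []):
        pair = (acct.get("user", ""), acct.get("password", ""))
        if pair in KNOWN_DEFAULTS:
            findings.append(f"known default credential: {pair[0]}")
        elif pair[1] == "":
            findings.append(f"empty password: {pair[0]}")
    if dev.get("p2p_cloud_enabled"):
        # A P2P tunnel makes the device reachable from outside without any
        # port forward on the owner's router.
        findings.append("P2P cloud enabled (device reachable without a port forward)")
    cid = dev.get("cloud_id", "").lower()
    mac = mac_hex(dev.get("mac", ""))
    if cid and mac and mac in cid:
        # Heuristic (assumption): an ID that embeds the MAC is as sequential
        # and guessable as the MAC itself.
        findings.append("cloud ID contains the MAC: IDs are sequential and guessable")
    return findings


def audit_export(text):
    """Map device name -> findings for every device in a JSON export."""
    return {dev["name"]: audit_device(dev) for dev in json.loads(text)}


if __name__ == "__main__":
    for name, findings in audit_export(SAMPLE_EXPORT).items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

Run it against the constructed export and the lobby camera comes back with four findings while the NVR only has a viewer account with an empty password; the point is that each of the report's weaknesses is visible from configuration alone, before any network test.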
  • by Oswald McWeany ( 2428506 ) on Thursday October 11, 2018 @02:41PM (#57463064)

    As an exhibitionist I regularly dance naked in front of my internet connected cameras. Unfortunately mine aren't on the list provided by ZDNet.

  • These are going to be illegal to sell in California. Ha!
    • by Jane Q. Public ( 1010737 ) on Friday October 12, 2018 @02:19AM (#57465786)
      Tips on getting a home "security" camera, or other networked devices:

      (1) If you don't know how to set it up yourself, either learn, or get a "supervised" home security system. With all the security holes that entails. Don't try to DIY-it with cheap Chinese stuff.

      (2) If you DO know how to set these things up yourself, then:

      (a) Make sure it will operate over the local network without a remote internet connection.

      (b) If registration of the device over the internet is mandatory, be suspicious. Those in (a) require remote access by the company to work. Not all do. But some registered with a company but don't "require" internet access will "call home" anyway if connected.

      (c) Make sure it will work with generic cam software (such as ONVIF), not just the company's own.

      (d) Set it up on your home network, establish username/password, then set your router to port forward (via a DIFFERENT remote port) to your camera IP/port, set your "generic" software to access the camera just like from home, but using external IP and external port.

      (e) Enjoy
      • BIG HINT: This means things like NEST, Alexa, Smart Things, etc. all of which are controlled remotely by someone else are not valid choices. Siri is maybe not as bad but still questionable.

        Wait for local language processing to arrive. It will within about two years. If you insisted on getting that other thing earlier, then switch.
  • by Anonymous Coward

    But where's the content?

    • by XXongo ( 3986865 )

      But where's the content?

      The content is on the internet, account name "admin," no password.

      • account name "admin," no password.

        I know some admins like that.

        "What's THAT?" they say. That's a computer.
        "But where the monitor?" It doesn't have one.
        "(smugly) Then it's not a computer, is it?"

        A friend of mine has a picture of a guy praying: Lord, please grant me the ability to stab people over UDP. It's this [imgur.com], but improved. I think he was doing port knocking with attitude.

  • by RhettLivingston ( 544140 ) on Thursday October 11, 2018 @02:59PM (#57463216) Journal
    Links to 9 million streams or it didn't happen!
  • FTA: "there is also a second hidden account with the username and password combo of default/tluafed". That sounds very deliberate.

  • by AHuxley ( 892839 ) on Thursday October 11, 2018 @04:44PM (#57463874) Journal
    from big ad brands into more rooms.
    We can trust the big ad brands.
  • The FTC should ask the largest retailers to remove these devices from their stores as an internet health hazard.

  • ... to test my WiFi connections per the article:
    I run Who's On My Wifi [whoisonmywifi.com]. Copied the IP column into Excel.
    Where cell A1 is 192.168.000.001 cell B1 is ="start http://"&A1&"/err.htm"
    For row 2 & 3:
    192.168.000.002 ="start http://"&A2&"/err.htm"
    192.168.000.004 ="start http://"&A3&"/err.htm"
    etc ...
    Then I copied the contents of column B into Notepad and saved as a .bat file to the Desktop:
    --
    start http://192.168.000.019/err.htm
    start http://192.168.000.001/err.htm
    start http://192.168.000.00
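The commenter above builds the probe list by hand in Excel, and the IPs come out zero-padded ("192.168.000.019"). That form is worth canonicalising before it goes into a URL: several URL parsers and libc's inet_aton read a leading-zero octet as octal, and Python's ipaddress module rejects it outright. The script below is an added example, not the commenter's own code: it takes the scanner's IP column (constructed sample lines here), normalises and validates each address, and emits the same /err.htm URLs and "start" lines as the hand-built .bat file. The scanner output format and the sample addresses are assumptions.

```python
import ipaddress

# Constructed sample of a scanner's IP column, zero-padded the way the
# commenter's tool printed it, plus a bad octet and a junk line to skip.
SCANNER_OUTPUT = """\
192.168.000.001
192.168.000.002
192.168.000.019
192.168.000.004
10.0.0.300
not-an-ip
"""


def canonical_ipv4(text):
    """Return '192.168.0.19' for '192.168.000.019', or None if not a valid IPv4.

    Octets are converted with int(), which never treats '019' as octal, and
    the result is rebuilt without padding so ipaddress accepts it.
    """
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return None
    octets = [int(p) for p in parts]
    if any(o > 255 for o in octets):
        return None
    return str(ipaddress.IPv4Address(".".join(map(str, octets))))


def probe_urls(scan_text, path="/err.htm"):
    """Unique, address-sorted URLs for every line that parsed as IPv4."""
    hosts = {canonical_ipv4(line) for line in scan_text.splitlines()}
    hosts.discard(None)
    return [f"http://{h}{path}" for h in sorted(hosts, key=ipaddress.IPv4Address)]


def batch_file(scan_text):
    """The .bat the commenter assembled by hand: one Windows 'start' line per host."""
    return "\r\n".join(f"start {u}" for u in probe_urls(scan_text)) + "\r\n"


if __name__ == "__main__":
    print(batch_file(SCANNER_OUTPUT), end="")
```

Feeding the saved IP column to `batch_file()` gives the same file the commenter pasted into Notepad, minus the padding and minus any line the scanner emitted that is not an address.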
