Over Nine Million Cameras and DVRs Open To APTs, Botnet Herders, and Voyeurs (zdnet.com) 34
Millions of security cameras, DVRs, and NVRs contain vulnerabilities that can allow a remote attacker to take over devices with little effort, security researchers have revealed today. From a report: All vulnerable devices have been manufactured by Hangzhou Xiongmai Technology Co., Ltd. (Xiongmai hereinafter), a Chinese company based in the city of Hangzhou. But end users won't be able to tell that they're using a hackable device because the company doesn't sell any products with its name on them, but ships all equipment as white label products on which other companies put their logo on top. Security researchers from EU-based SEC Consult say they've identified over 100 companies that buy and re-brand Xiongmai devices as their own. All of these devices are vulnerable to easy hacks, researchers say. The source of all vulnerabilities is a feature found in all devices named the "XMEye P2P Cloud." The XMEye P2P Cloud works by creating a tunnel between a customer's device and an XMEye cloud account. Device owners can access this account via their browser or via a mobile app to view device video feeds in real time. SEC Consult researchers say that these XMEye cloud accounts have not been sufficiently protected. For starters, an attacker can guess account IDs because they've been based on devices' sequential physical addresses (MACs). Second, all new XMEye accounts use a default admin username of "admin" with no password.
Re: (Score:2)
Well done.
I cannot tell if your serious or not.
Re: (Score:3)
it's a sino-the-times. =/
Re: (Score:2)
Exhibitionist (Score:3, Funny)
As an exhibitionist I regularly dance naked in front of my internet connected cameras. Unfortunately mine aren't on the list provided by ZDNet.
Reveals fundamental issue (Score:2)
Unfortunately mine aren't on the list provided by ZDNet.
So if can can summarize what you are saying here, the fundamental flaw revealed is that there's no submission page to get added your own cameras added to the list.
Re: (Score:2)
I know right? I constantly hope someone cares enough... to be watching... please?
admin user no password (Score:1)
Re:admin user no password (Score:4, Informative)
(1) If you don't know how to set it up yourself, either learn, or get a "supervised" home security system. With all the security holes that entails. Don't try to DIY-it with cheap Chinese stuff.
(2) If you DO know how to set these things up yourself, then:
(a) Make sure it will operate over the local network without a remote internet connection.
(b) If registration of the device over the internet is mandatory, be suspicious. Those in (a) require remote access by the company to work. Not all do. But some registered with a company but don't "require" internet access will "call home" anyway if connected.
(c) Make sure it will work with generic cam software (such as ONFIV), not just the company's own.
(d) Set it up on your home network, establish username/password, then set your router to port forward (via a DIFFERENT remote port) to your camera IP/port, set your "generic" software to access the camera just like from home, but using external IP and external port.
(e) Enjoy
Re: (Score:2)
Wait for local language processing to arrive. It will within about two years. If you insisted on getting that other thing earlier, then switch.
Scare words, scary scary scare words (Score:1)
But where's the content?
Re: (Score:2)
But where's the content?
The content is on the internet, account name "admin," no password.
Re: (Score:2)
account name "admin," no password.
I know some admins like that.
"What's THAT?" they say. That's a computer.
"But where the monitor?" It doesn't have one.
"(smugly) Then it's not a computer, is it?
A friend of mine has a picture of a guy praying: Lord, please grant me the ability to stab people over UDP. It's this [imgur.com], but improved. I think he was doing port knocking with attitude.
come on slashdot! (Score:5, Funny)
Secret second account? (Score:2)
FTA"there is also a second hidden account with the username and password combo of default/tluafed". That sounds very deliberate.
Lets welcome more camera devices (Score:3)
We can trust the big ad brands.
FTC should step in (Score:2)
The FTC should ask the largest retailers to remove these devices from their stores as an internet health hazard.
What I did ... (Score:2)
... to test my WiFi connections per the article: ... .bat file to the Desktop:
I run Who's On My Wifi [whoisonmywifi.com]. copied the IP column into Excel.
Where cell A1 is 192.168.000.001 cell B1 is ="start http://"&A1&"/err.htm"
For row 2 & 3:
192.168.000.002 ="start http://"&A2&"/err.htm"
192.168.000.004 ="start http://"&A3&"/err.htm"
etc
Then I copied the contents of column B into Notepad and saved as a
--
start http://192.168.000.019/err.htm
start http://192.168.000.001/err.htm
start http://192.168.000.00
Re: (Score:2)
What OS do you recommend?