The Expert's View with Jeremy Kirk

Endpoint Security , Governance & Risk Management , Network Firewalls, Network Access Control

'Super User' Password List May Allow Access to Webcams

Researchers Identify Potentially Serious IoT Access Management Lapse
'Super User' Password List May Allow Access to Webcams
XMEye can be used to remotely access CCTV and DVR video streams (source: YouTube)

When security experts start hunting, it usually doesn't take them long to unearth worrying findings related to internet of things manufacturers and devices. The industry has been operating on a 1990s-era security stance for so long that there's still plenty of low-hanging fruit (see FTC vs. D-Link: A Warning to the IoT Industry).

See Also: ISO/IEC 27001: The Cybersecurity Swiss Army Knife for Info Guardians

The latest finding relates to Hangzhou Xiongmai Technology, the Chinese manufacturer that in late October partially recalled webcams that had been taken over by hackers and used in massive distributed denial-of-services attacks.

The finding came - perhaps surprisingly - via LinkedIn. Ken Munro of U.K.-based Pen Test Partners writes in a blog post that he and a colleague were researching digital video recorders used for CCTV systems when they found a master list of "super user" passwords posted on LinkedIn by a CCTV installer. The passwords may unlock an application called XMEye, which is a cloud-based service for remotely accessing DVR video streams.

Plugin Leads To Xiongmai

XMEye works with products from ZYSecurity, a Chinese company that makes IP cameras, digital video recorders and CCTV systems. The list contains a new password for every day of 2017, organized by month.

Munro linked XMEye to Xiongmai after analyzing a software plugin, which contained the text "Hangzhou Xiongmai Information Technology Company."

The passwords definitely work for users via XMEye's local web interface, Munro tells me. It's unclear if the passwords will work remotely, but his company is planning a tried-and-true check: Munro has ordered a DVR under a different brand name to put to the test.

The list published to LinkedIn only contains passwords, but Pen Test Partners has already discovered the username that works with all of them. Unsurprisingly, it's "default." The account that accepts that username and password combination appears to be hidden, but Pen Test Partners is still investigating, Munro says.

In another twist, it appears that the passwords will work regardless of the date on which they're used, Munro says.

The pool of at-risk devices could be large, Munro says. The challenge will be working out which devices - likely under a variety of brand names - use the XMEye software.

One explanation for building such hard-coded passwords into an application might be to have enabled remote support device by personnel who install the devices. Munro says CCTV installers will likely not be qualified network security experts. Munro adds that Pen Test Partners has previously found serious errors in similar products such as "DVR and house alarm installers that have port forwarded through a customer's router, compromising their security."

For now, however, the jury is out on just how bad or extensive this problem might be. "We will keep working on this, but whatever the conclusion, sharing super user account credentials with installers and expecting them not to leak is asking for trouble," Munro writes.

Another Embarrassing Lapse?

Xiongmai officials couldn't immediately be reached for comment. If the password leak is authentic, it would represent another embarrassment for the company, which was one of several vendors blamed for enabling record-breaking distributed denial-of-services attacks.

The Chinese company makes components that other manufacturers put into their cameras and video systems. Xiongmai's circuit boards come with pre-installed firmware, which was the source of the problems.

The firmware shipped with telnet, a remote access tool, was enabled by default with weak, known passwords. To take over the devices, hackers merely scanned the internet for devices that responded and installed the Mirai malware.

In September, a large number of Mirai-infected devices were instructed to bombard computer security writer Brian Krebs' website and French hosting provider OVH, notching some of the largest-ever DDoS attacks.

A subsequent Mirai-fueled attack against networking company Dyn shattered its ability to provide outsourced Domain Name System services, causing knock-on disruptions to web surfers trying to reach Twitter, PayPal and Spotify (see Botnet Army of 'Up to 100,000' IoT Devices Disrupted Dyn).

Xiongmai acknowledged in October that Mirai was a huge disaster for the internet of things. The company released new firmware that would, among other things, require people to change default authentication credentials.

Experts estimated in the wake of the DDoS attacks that more than 500,000 devices worldwide used vulnerable Xiongmai firmware. But the company initiated a product recall that only applied to less than 10,000 products sold in the United States (see Mirai Aftermath: China's Xiongmai Details Webcam Recall).

Security experts say related problems remain widespread. "Personally, I think that network-level security for DVRs is very poor," Pen Test Partners' Munro says. "The fact that Mirai was based on default credentials indicates that DVR security is 15 to 20 years behind mainstream network security."

About the Author

Jeremy Kirk

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.