Millions at risk from default webcam passwords

Remember all those webcams that got infected by the Mirai IoT botnet two years ago? Well, Hangzhou Xiongmai Technology Co.,Ltd (Xiongmai) – the Chinese manufacturer that made many of them – is back with another vulnerability that puts millions of devices across the world at risk yet again.
Xiongmai eventually fixed the vulnerability in its products that enabled the Mirai authors to compromise an unknown number of devices and bring the internet to a standstill. That doesn’t mean that the company’s products are watertight, though. The new vulnerability creates the opportunity for new attackers to make yet another large and powerful IoT botnet.
The vulnerability lies in a feature called XMEye P2P Cloud, which is enabled on all Xiongmai devices by default. It lets people access their devices remotely over the internet, so that they can see what’s happening on their IP cameras or set up recording on their DVRs.
Using a variety of apps, users log into their devices via Xiongmai’s cloud infrastructure. This means that they don’t have to set up complex firewall port forwarding or UPnP rules on their home routers, but it also means that it opens up a hole in the user’s network. That places the onus on Xiongmai to make the site secure. But it didn’t.
A technical advisory from SEC Consult, a cybersecurity consulting company that investigated the service, recently turned up a litany of security problems.
First, Xiongmai uses a unique ID for each device which is based on its MAC address, which is in a standard, non-random format. Because it uses MAC addresses in a known range that ascend incrementally, it is relatively easy to compile a program that checks these addresses and identifies those that are online. SEC Consult did, and found nine million of them, spread around the globe.
Second, it uses default, blank admin passwords for each device and doesn’t require the user to change them during installation. If users are savvy enough to do so anyway, then hackers need not be deterred, because there is also an undocumented user account which can be used to log into the device.
Once they have access, a hacker can do more than view a device’s video stream. They can also force it to install a firmware update and provide it with their own malicious version, because the device doesn’t require firmware signed with a digital key. The upshot of this is that they can hijack the device forever. The user can’t simply turn it off and on again.

SEC Consult says that this could be used to create another massive botnet, larger than Mirai. It could also be used to spy on cameras indefinitely, and finally it could create a foothold for attackers to compromise other devices in organizations.
Are you infected? Don’t bother looking for ‘Xiongmai’ on the label for your device to find out, because the company is an OEM that makes equipment for dozens of other vendors. There’s a list in the SEC Consult blog post outlining the vendors, and a list of domains and IP addresses used by the devices that could be useful to network administrators.
SEC Consult says it has tried to contact Xiongmai several times since March 2018, but received unsatisfactory responses, and has detailed the timeline here.
The security consultancy said:

We have worked together with ICS-CERT to address this issue since March 2018. ICS-CERT made great efforts to get in touch with Xiongmai and the Chinese CNCERT/CC and inform them about the issues. Although Xiongmai had seven months’ notice, they have not fixed any of the issues.

It added that security “is just not a priority for them at all”, and advised people to stop using devices from Xiongmai and its OEM customers, and also advised the US government to impose a ban on federal procurement of Xiongmai products. Presumably this will also make the sale of these devices problematic in California, where a law was recently passed forbidding default passwords where the manufacturer doesn’t force them to be changed.