Millions of Xiongmai video surveillance devices can be easily hacked via cloud feature

Pierluigi Paganini October 10, 2018

Millions of Xiongmai video surveillance devices can be easily hacked via cloud feature, a gift for APT groups and cyber crime syndicates

Security experts from the firm SEC Consult have identified over 100 companies that buy and re-brand video surveillance equipment (surveillance cameras, digital video recorders (DVRs), and network video recorders (NVRs)) manufactured by the Chinese firm Hangzhou Xiongmai Technology Co., Ltd. (Xiongmai hereinafter) that is open to attack.

Millions of devices are affected by security vulnerabilities that can be easily exploited by a remote attacker to take over devices. The flaws could be exploited to spy on camera feeds of unaware users.

The flaws reside in a feature named “XMEye P2P Cloud”, enabled by default, which connects the surveillance devices to the vendor’s cloud infrastructure.

“From a usability perspective, this makes it easier for users to interact with the device, since the user does not have to be in the same network (e.g. the same Wi-Fi network) in order to connect to the device. Additionally, no firewall rules, port forwarding rules, or DDNS setup are required on the router, which makes this option convenient also for non-tech-savvy users.” reads the report published by SEC Consult. “However, this approach has several security implications:

  • The cloud server provider gets all the data (e.g. video streams that are viewed). Open questions:
    • Who runs these servers?
    • Who controls these servers? Where are they located?
    • Do they comply with local jurisdiction?
    • Does the service comply with EU GDPR?
  • If the data connection is not properly encrypted (spoiler alert: it’s not, we’ve checked!), anyone who can intercept the connection is able to monitor all data that is exchanged.
  • The “P2P Cloud” feature bypasses firewalls and effectively allows remote connections into private networks. Now, attackers cannot only attack devices that have been intentionally/unintentionally exposed to the web (classic “Shodan hacking” or the Mirai approach), but a large number of devices that are exposed via the “P2P Cloud”.”

Each device has a unique ID, called cloud ID or UID (e.g. 68ab8124db83c8db), that allows users to connect to a specific device through one of the supported apps.

Unfortunately, the cloud ID is neither random nor complex enough to make guessing valid cloud IDs hard: analysis of the Xiongmai firmware revealed that it is derived from the device’s MAC address.

According to SEC Consult experts, an attacker can guess valid IDs and access the video feeds of the devices associated with them.

Experts found many other security issues. For example, all new XMEye accounts use the default admin username “admin” with no password, and, worse still, the installation process does not require users to change it.

The experts also discovered an undocumented user with the name “default” and password “tluafed.”

“In addition to the admin user, by default there is an undocumented user with the name “default”. The password of this user is “tluafed” (default in reverse).” continues the analysis.

“We have verified that this user can be used to log in to a device via the XMEye cloud (checked via custom client using the Xiongmai NetSDK). This user seems to at least have permissions to access/view video streams.”
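The two credential problems described above (an “admin” account with an empty password that setup never forces the user to change, and an undocumented “default” account whose password is the username reversed) are exactly what an operator should audit for before a device is put on any network. The following Go program is an added example, not code from the original article or from SEC Consult or Xiongmai: it runs a small policy check over a constructed account list in a hypothetical configuration model (the `Account` struct and `SampleDevice` data are assumptions, not Xiongmai’s real configuration format), flagging empty passwords, the vendor defaults named in the report, reversed-username passwords, undocumented accounts, and default accounts that are not forced to change their password at setup.

```go
package main

import (
	"fmt"
	"strings"
)

// Account is one local user on a surveillance device, as exported from its
// configuration. Constructed data model: NOT Xiongmai's real config format.
type Account struct {
	Name            string
	Password        string
	Documented      bool // listed in the vendor manual / visible in the UI
	MustChangeOnUse bool // device forces a password change on first login
}

// Finding is one weakness the audit found on one account.
type Finding struct {
	Account string
	Issue   string
}

// knownDefaults holds the vendor-default credential pairs named in the SEC
// Consult findings quoted above: admin with an empty password, default/tluafed.
var knownDefaults = map[string]string{
	"admin":   "",
	"default": "tluafed",
}

// SampleDevice is a constructed account list mimicking a freshly installed
// device: the two vendor accounts plus one operator-created account.
var SampleDevice = []Account{
	{Name: "admin", Password: "", Documented: true, MustChangeOnUse: false},
	{Name: "default", Password: "tluafed", Documented: false, MustChangeOnUse: false},
	{Name: "operator", Password: "Gx7!pq-L0ngPassphrase", Documented: true, MustChangeOnUse: true},
}

func reverse(s string) string {
	r := []rune(s)
	for i, j := 0, len(r)-1; i < j; i, j = i+1, j-1 {
		r[i], r[j] = r[j], r[i]
	}
	return string(r)
}

// AuditAccounts returns every issue an operator should fix before exposing
// the device to a network, cloud-connected or not.
func AuditAccounts(accounts []Account) []Finding {
	var out []Finding
	for _, a := range accounts {
		if a.Password == "" {
			out = append(out, Finding{a.Name, "empty password"})
		}
		def, isVendorAccount := knownDefaults[a.Name]
		switch {
		case isVendorAccount && a.Password == def:
			out = append(out, Finding{a.Name, "vendor default credentials still in place"})
		case a.Password != "" && strings.EqualFold(a.Password, reverse(a.Name)):
			// Catches the "tluafed" pattern even if the account were renamed.
			out = append(out, Finding{a.Name, "password is the username reversed"})
		}
		if !a.Documented {
			out = append(out, Finding{a.Name, "undocumented account: disable or remove it"})
		}
		if isVendorAccount && !a.MustChangeOnUse {
			out = append(out, Finding{a.Name, "no forced password change at setup"})
		}
	}
	return out
}

func main() {
	for _, f := range AuditAccounts(SampleDevice) {
		fmt.Printf("[%s] %s\n", f.Account, f.Issue)
	}
}
```

Run against `SampleDevice`, the audit reports three issues for `admin`, three for `default` and none for `operator`; in a real deployment the same check would be fed the exported account list of each camera, DVR or NVR in the inventory.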

Experts also discovered that it is possible to execute arbitrary code on the device through a firmware update.

Firmware updates are not signed, which means that an attacker who carries out a MITM attack can impersonate the XMEye cloud and deliver a tainted firmware version to the device.
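The mitigation for this class of flaw is a signed update scheme in which the device verifies each image against a vendor public key pinned at manufacture, so that whoever sits between the cloud and the device cannot substitute an image. The following Go program is an added example, not code from the original article or from Xiongmai or SEC Consult: it uses the standard library’s Ed25519 implementation to sign a constructed firmware image on the build-server side and to verify it on the device side, and shows that both a tampered image and an image signed with a different (attacker-controlled) key are rejected. The `FirmwareUpdate` structure and the `SignFirmware`/`VerifyFirmware` function names are assumptions for illustration, not the XMEye update format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// FirmwareUpdate is what the update endpoint hands the device: the image and
// a detached signature over it. Constructed model, not the XMEye format.
type FirmwareUpdate struct {
	Image     []byte
	Signature []byte
}

// ErrBadSignature is returned when an image does not verify against the
// pinned vendor key; the device must not flash it.
var ErrBadSignature = errors.New("firmware rejected: signature does not verify against pinned vendor key")

// SignFirmware is the build-server side: the vendor's private key never leaves
// the signing infrastructure.
func SignFirmware(priv ed25519.PrivateKey, image []byte) FirmwareUpdate {
	return FirmwareUpdate{Image: image, Signature: ed25519.Sign(priv, image)}
}

// VerifyFirmware is the device side. Because the public key is pinned in the
// device, impersonating the cloud (MITM) is not enough to get an image accepted.
func VerifyFirmware(pinnedPub ed25519.PublicKey, upd FirmwareUpdate) error {
	if len(pinnedPub) != ed25519.PublicKeySize || len(upd.Signature) != ed25519.SignatureSize {
		return ErrBadSignature
	}
	if !ed25519.Verify(pinnedPub, upd.Image, upd.Signature) {
		return ErrBadSignature
	}
	return nil
}

// Demo exercises the three cases a practitioner cares about and returns
// (genuine accepted, tampered rejected, wrong-key rejected).
func Demo() (bool, bool, bool) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	image := []byte("constructed firmware image v1.0") // placeholder payload

	// 1. Genuine image signed by the vendor key.
	genuine := SignFirmware(vendorPriv, image)
	genuineOK := VerifyFirmware(vendorPub, genuine) == nil

	// 2. Same signature, but one bit of the image flipped in transit.
	tampered := FirmwareUpdate{Image: append([]byte{}, image...), Signature: genuine.Signature}
	tampered.Image[0] ^= 0x01
	tamperedRejected := errors.Is(VerifyFirmware(vendorPub, tampered), ErrBadSignature)

	// 3. A complete, well-formed update signed with a key the device has not pinned.
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	foreign := SignFirmware(otherPriv, []byte("constructed image from an unpinned key"))
	wrongKeyRejected := errors.Is(VerifyFirmware(vendorPub, foreign), ErrBadSignature)

	return genuineOK, tamperedRejected, wrongKeyRejected
}

func main() {
	g, t, w := Demo()
	fmt.Printf("genuine accepted: %v, tampered rejected: %v, wrong key rejected: %v\n", g, t, w)
}
```

The verification step is cheap (a single Ed25519 check over the image) and is the only thing that separates “any party that can reach the update channel can run code on the device” from “only the holder of the vendor signing key can”; key rotation and revocation are the remaining design questions, which this example does not cover.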

Xiongmai devices have been involved in IoT botnets in recent months: both Mirai and Satori bots infected a huge number of devices manufactured by the Chinese firm.

“We have worked together with ICS-CERT to address this issue since March 2018. ICS-CERT made great efforts to get in touch with Xiongmai and the Chinese CNCERT/CC and inform them about the issues. Although Xiongmai had seven months’ notice, they have not fixed any of the issues.”

“The conversation with them over the past months has shown that security is just not a priority to them at all.” concludes SEC Consult.


Pierluigi Paganini

(Security Affairs – Xiongmai, hacking)
