Millions at risk from default webcam passwords | Cyber Security

Remember all those webcams that got infected by the Mirai IoT botnet two years ago? Well, Hangzhou Xiongmai Technology Co.,Ltd (Xiongmai) – the Chinese manufacturer that made many of them – is back with another vulnerability that puts of devices across the world at risk yet again.

Xiongmai eventually fixed the vulnerability in its products that enabled the Mirai authors to compromise an unknown number of devices and bring the internet to a standstill. That doesn’t mean that the company’s products are not watertight, though. The new vulnerability creates the opportunity for new attackers to make yet another large and powerful IoT botnet.

The vulnerability lies in a feature called XMEye P2P Cloud, which is enabled on all Xiongmai devices by default. It lets people access their devices remotely over the internet, so that they can see what’s happening on their IP cameras or set up recording on their DVRs.

Using a variety of apps, users log into their devices via Xiongmai’s cloud infrastructure. This means that they don’t have to set up complex firewall port forwarding or UPnP rules on their home routers, but it also means that it opens up a hole in the user’s network. That places the onus on Xiongmai to make the site secure. But it didn’t.

A technical advisory from SEC Consult, a cybersecurity consulting company that investigated the service, recently turned up a litany of security problems.

First, Xiongmai uses a unique ID for each device which is based on its MAC address, which is in a standard, non-random format. Because it uses MAC addresses in a known range that ascend incrementally, it is relatively easy to compile a program that checks these addresses and identifies those that are online. SEC Consult did, and found nine million of them, spread around the globe.

Second, it uses default, blank admin passwords for each device and doesn’t require the user to change them during installation. If users are savvy enough to do so anyway, then hackers need not be deterred, because there is also an undocumented user account which can be used to log into the device.

Once they have access, a hacker can do more than view a device’s video stream. They can also force it to install a firmware update and provide it with their own malicious version, because the device doesn’t require firmware signed with a digital key. The upshot of this is that they can hijack the device forever. The user can’t simply turn it off and on again.