Millions of Xiongmai surveillance devices discovered vulnerable to hackers

• The devices contain multiple vulnerabilities that could allow attackers to remotely access them.
• The vulnerabilities can be easily exploited by cybercriminals to spy on victims.

Hundreds of thousands of cameras, DVRs and NVRs sold by Hangzhou Xiongmai Technology Co. Ltd. have been found to contain multiple vulnerabilities that could allow attackers to remotely access the devices.

Security researchers from EU-based SEC Consult discovered the issue after investigating some Xiongmai surveillance devices. The researchers explained that all Xiongmai devices are vulnerable to hackers.

The source of all vulnerabilities was found in a feature named XMEye P2P Cloud, which comes enabled by default in all Xiongmai devices.The feature contains a proprietary protocol that allows users to access their IP cameras or NVRs/DVRs via the Internet.

“Users can connect their devices using various XMEye apps (Android, iOS), a desktop application called “VMS”, or an SDK for app developers. All connections are established via a cloud server infrastructure provided by Xiongmai,” the researchers said in a blog post.

The researchers said that accounts created on XMEye P2P Cloud are not properly secured. This, in turn, makes it easy for cybercriminals to hack the devices.

“We reverse engineered parts of the Xiongmai firmware and found that the cloud ID is derived from the device’s MAC address. The MAC address is not a good source of randomness. One would assume that the cloud ID is sufficiently random and complex to make guessing correct cloud IDs hard” the researchers explained.

The researchers also observed several other security loopholes in the XMEye P2P Cloud. For instance, it used a default admin username - “admin” - without any password. What is more, users cannot change the default passwords during the setup process. Researchers also discovered that the ‘P2P Cloud’ feature bypasses firewalls, which, in turn, could give hackers an upper hand when infiltrating systems.

“The “P2P Cloud” feature bypasses firewalls and effectively allows remote connections into private networks. Now, attackers cannot only attack devices that have been intentionally/unintentionally exposed to the web (classic “Shodan hacking” or the Mirai approach) but a large number of devices that are exposed via the “P2P Cloud”, the researchers added.

The vulnerabilities can be easily exploited by cybercriminals to spy on victims. Furthermore, the vulnerable devices can also be used to conduct cyberespionage operations or to relay traffic in from organizations.

Over 100 vendors, who sell Xiongami devices, have been impacted by the vulnerabilities.

This is not the first time that the company’s devices have come under scrutiny. The devices have previously been abused by IoT botnets, especially Mirai. Although Xiongami recalled all vulnerable devices after the incident, SEC Consult researchers claim that the company did not invest in security after the Mirai attack incident.

“The vendor does not provide proper mitigations and hence it is recommended not to use any products associated with the XMeye P2P Cloud until all of the identified security issues have been fixed and a thorough security analysis has been performed by professionals” SEC Consult researchers said.