


Weak Default Logins Expose Internet Cameras to Hacking

If your internet-connected camera works over an app called XMEye Cloud, you might want to consider turning the device off.

SecurityWatch

New security research is warning that possibly millions of video surveillance cameras from a Chinese manufacturer have been secured with weak default login credentials, making them easy to hack.

On Tuesday, the security firm SEC Consult published a blog post on the potential threat. The manufacturer, Xiongmai Technology, is a supplier of internet-connected cameras that let you view the video feed over an app called XMEye Cloud. Simply open the app on a smartphone, add your camera, and you can begin viewing the recorded footage online.

The only problem is that Xiongmai secured all the cameras with the default username "admin." No password is needed. According to SEC Consult's investigation, you can also access a camera's video feed with the username "default," and then the password "tluafed."

XMEye Login

"Users are not required to set a secure password in the initial setup phase, so it is likely that a large number of devices are attainable via these default credentials," SEC Consult researcher Stefan Viehbock wrote in the blog post.

The good news is that knowing the default login credential isn't enough to access a random person's camera over the XMEye app; you also have to know the device's "cloud ID," which is a 16 character-long string. Nonetheless, Viehbock discovered it wasn't hard to guess a correct cloud ID. Each one is derived from the camera's MAC address, a serial number all internet-connected devices have.

"The MAC address is not a good source of randomness. It has a well-defined structure," he wrote. As a consequence, a hacker could exploit this feature to plug character sequences into the XMEye app to find valid cloud ID addresses.

To understand the scale of the problem, SEC Consult developed a scanner to search the open internet for the cloud IDs and estimates that at least 9 million Xiongmai-manufactured products are online. By accessing the camera devices, a bad actor can not only view whatever footage they record, but also potentially infect them with malware to create a botnet, or an army of enslaved computers. This could be done by designing a malicious firmware update and tricking the cameras into downloading it via the XMEye's programmer API.

SEC Consult submitted its research to US cyber authorities, which issued an advisory on Tuesday, warning the public about the threat. Camera owners can consider changing the default password, but to truly stay safe SEC Consult is advising consumers to stop using Xiongmai-manufactured cameras altogether.

A-ZONE Camera Xiongmai

The security firm said it spent the last 7 months trying to push the Chinese supplier to fix the vulnerabilities. However, according to SEC Consult, Xiongmai has still not issued a patch.

Xiongmai did not immediately reply to a request for comment, but the company has a history of failing to take IT security seriously. The company's products were previously ensnared in the Mirai botnet back in 2022 over their weak default usernames and passwords, which made them easy to infect with malware.

According to SEC Consult, Xiongmai is the supplier to dozens of lesser-known camera brands, some of which are sold by Home Depot, Walmart and Amazon. You can find the brand names in the security firm's blog post, but products that feature XMEye app connectivity were likely built by the Chinese supplier.

Source: https://sea.pcmag.com/news/29845/weak-default-logins-expose-internet-cameras-to-hacking

Posted by: jenningsthassences.blogspot.com
