October 12, 2018 01:25 pm PDT

A year later, giant Chinese security camera company's products are still a security dumpster-fire

A year ago, Chinese white-label CCTV/DVR vendor Xiongmai announced a recall and security update for its devices, whose weak security meant that they had been conscripted into a massive, unstoppable botnet.

A year later, Xiongmai's promises have been broken: the company has invested precious little resource into keeping its security current, and as a result the cameras and recorders it sells are routinely compromised by voyeurs (who use them to spy on their owners), criminals (who use them to case businesses and plan crimes) and cybercriminals (who take over the devices and use them to run bot attacks of various kinds, from denial-of-service to simply disguising the location of another attack by using a hacked device as a proxy).

To complicate the matter, Xiongmai is a white-label vendor whose products are sold under hundreds of brand-names, making it nearly impossible to tell whether you are about to buy (or already own) one of their defective products. It may not matter: Xiongmai's major competitor, TVT, is another white-label CCTV/DVR giant; its products are incredibly insecure, and it, too, has failed to take action to fix things.

The exploits used to take over these devices are not supervillainry: thanks to weak default passwords, deliberate backdoors, and bad design decisions (like not forcing a password change during setup), they are taken over in their thousands by clumsy, amateurish exploits.

The latest Xiongmai vulnerability advisory comes from SEC Consult (who previously revealed similar defects in Shenzhen Gwelltimes Technology Co., Ltd's constellation of white-label internet of shit gadgets): they explored vulnerabilities in Xiongmai's cloud management system, called the "XMEye P2P Cloud."

Logins for this system are easily guessed because they are derived from Xiongmai products' sequential MAC addresses; the accounts ship with weak defaults (username "admin" and no password!), and every device has a second, hidden backdoor account whose login/pass is "default/tluafed."

Once an attacker gains access to a device, they have the ability to flash its firmware, and because Xiongmai doesn't practice firmware signing, an attacker can load anything onto its products.


Original Link: http://feeds.boingboing.net/~r/boingboing/iBag/~3/jm12JXFuPg4/white-label-deniability.html
