Security Alert Digital video recorder installers master password list 'leaked' – claims

Discussion in 'News Archive' started by Solarquest, Jan 11, 2017.

  1. Solarquest

    Solarquest Moderator
    Staff Member AV Tester

    Jul 22, 2014
    If true, we're talking remote viewing of people's CCTV cams
    Xiongmai, the vendor behind many Mirai-vulnerable DVRs, has earned the consternation of security watchers once again.

    The vendor's 2017 list of superuser passwords for certain DVRs – designed only for CCTV installers to access customer installations – appears to have leaked online.

    "If the creds are what we think they are, they may be enough to remotely take over certain CCTV systems," Ken Munro, a director at UK security consultancy Pen Test Partners (PTP), told El Reg. "[It's] a bit like Mirai, but the consequence is remote viewing of people's CCTV cameras."

    PTP found the leaked list [PDF] on the LinkedIn page for a CCTV installer in Nigeria. This list, which covers login credentials for the rest of 2017, is essentially a one-time pad or per-day superuser password for a DVR service. One-time pads are only effective if they are shared in complete confidence and not reused.

    Mikko Hyponnen, CRO of security software firm F-Secure, has since noted the same documents elsewhere on the internet.

    The document references XMEye, a cloud service offered by ZY Security for remotely accessing DVR video streams. "The service only appears available to certain DVR types, which we can't find on sale outside of China," according to Munro. "[We] still haven't successfully attributed the creds, but this is yet another massive Xiongmai DVR fail."

    ..more in the link above...
    DardiM and MalwareBlockerYT like this.
Similar Threads Forum Date
Digital Car-jackers show off New Attacks (Video) General Security Discussions Jul 25, 2013
Microsoft Microsoft Outlines Digital ID Plan Using Blockchain Technology News Monday at 8:07 AM
New Western Digital My Cloud Bugs Give Local Attackers Root on NAS Devices (critical vulnerabilities Security News Feb 2, 2018