Security Alert Digital video recorder installers master password list 'leaked' – claims

Discussion in 'News Archive' started by Solarquest, Jan 11, 2017.

  1. Solarquest

    If true, we're talking remote viewing of people's CCTV cams
    Xiongmai, the vendor behind many Mirai-vulnerable DVRs, has earned the consternation of security watchers once again.

    The vendor's 2017 list of superuser passwords for certain DVRs – designed only for CCTV installers to access customer installations – appears to have leaked online.

    "If the creds are what we think they are, they may be enough to remotely take over certain CCTV systems," Ken Munro, a director at UK security consultancy Pen Test Partners (PTP), told El Reg. "[It's] a bit like Mirai, but the consequence is remote viewing of people's CCTV cameras."

    PTP found the leaked list [PDF] on the LinkedIn page for a CCTV installer in Nigeria. This list, which covers login credentials for the rest of 2017, is essentially a one-time pad or per-day superuser password for a DVR service. One-time pads are only effective if they are shared in complete confidence and not reused.

    Mikko Hypponen, CRO of security software firm F-Secure, has since noted the same documents elsewhere on the internet.

    The document references XMEye, a cloud service offered by ZY Security for remotely accessing DVR video streams. "The service only appears available to certain DVR types, which we can't find on sale outside of China," according to Munro. "[We] still haven't successfully attributed the creds, but this is yet another massive Xiongmai DVR fail."

    ..more in the link above...
     