Security Alert Digital video recorder installers master password list 'leaked' – claims

  • This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn more.


Staff member
Jul 22, 2014
If true, we're talking remote viewing of people's CCTV cams
Xiongmai, the vendor behind many Mirai-vulnerable DVRs, has earned the consternation of security watchers once again.

The vendor's 2017 list of superuser passwords for certain DVRs – designed only for CCTV installers to access customer installations – appears to have leaked online.

"If the creds are what we think they are, they may be enough to remotely take over certain CCTV systems," Ken Munro, a director at UK security consultancy Pen Test Partners (PTP), told El Reg. "[It's] a bit like Mirai, but the consequence is remote viewing of people's CCTV cameras."

PTP found the leaked list [PDF] on the LinkedIn page for a CCTV installer in Nigeria. This list, which covers login credentials for the rest of 2017, is essentially a one-time pad or per-day superuser password for a DVR service. One-time pads are only effective if they are shared in complete confidence and not reused.

Mikko Hyponnen, CRO of security software firm F-Secure, has since noted the same documents elsewhere on the internet.

The document references XMEye, a cloud service offered by ZY Security for remotely accessing DVR video streams. "The service only appears available to certain DVR types, which we can't find on sale outside of China," according to Munro. "[We] still haven't successfully attributed the creds, but this is yet another massive Xiongmai DVR fail."

..more in the link above...