
Own a Xiongmai cam? Unplug it now! [Updated]

Filip TRUȚĂ

October 11, 2018


UPDATE: Hangzhou Xiongmai Technology has contacted Bitdefender with word that it has updated the surveillance equipment in question and repaired it in the latest firmware. “You can update to the latest firmware to fix it,” a company representative told us.

Owners of surveillance equipment manufactured by Hangzhou Xiongmai Technology are urged to stop using these products immediately. Researchers have discovered the equipment contains multiple vulnerabilities that could allow bad actors to spy on users, eavesdrop on conversations using the built-in mic, or use the devices in a DDoS attack, among other things.

The cameras authenticate with default credentials, and the user is not prompted during setup to change the password. Anyone could connect to millions of Xiongmai devices via the XMEye cloud and view video streams, change the device configuration, enlist the camera in a Distributed Denial of Service (DDoS) attack, and even push malicious firmware updates.

Some types of attacks researchers expect to be made possible by vulnerabilities in the devices include:

  • “The Voyeur”: Using the vulnerabilities, an attacker can spy on users of Xiongmai surveillance products. Some even have a two-way audio intercom, so it is even possible to interact with victims as well.
  • “The APT Lateral Mover”: Xiongmai devices are used in various “interesting” organizations/networks all over the world. An attacker can use the vulnerabilities to gain a foothold in the local network and use lateral movement techniques to gain access to other systems.
  • “The Botnet Herder”: Using the vulnerabilities, millions of devices can be infected by a Mirai-like malware. The resulting botnet would likely be the largest IoT botnet in history.

Hundreds of thousands of Xiongmai devices were involved in the Mirai botnet that took down the giant DNS service provider Dyn, bringing almost half of the Internet down for several hours.

SEC Consult’s warning couldn’t be more urgent. More than 100 vendors sell branded devices with Xiongmai hardware/firmware inside. About 9 million affected devices are estimated to be in use today. The full list of vendors that sell the hardware can be found in SEC Consult’s advisory.

Researchers suggest using SEC Consult's IoT Inspector tool to identify the OEM of a device. Users who determine their device is on the affected list are told to stop using the hardware immediately.

“Our recommendation is to stop using Xiongmai and Xiongmai OEM devices altogether,” SEC Consult said. “Please note, identifying Xiongmai devices is difficult. The company has a bad security track record including its role in Mirai and various other IoT botnets. There are vulnerabilities that have been published in 2017, which are still not fixed in the most recent firmware version.”

Author


Filip TRUȚĂ

Filip has 15 years of experience in technology journalism. In recent years, he has turned his focus to cybersecurity in his role as Information Security Analyst at Bitdefender.
