Hangzhou Xiongmai Technology Co., Ltd. is one of the largest manufacturers of video surveillance equipment (surveillance cameras, digital video recorders (DVRs), and network video recorders (NVRs)) in the world. If it were not for the Mirai IoT botnet, their business strategy of acting only as an original equipment manufacturer (OEM) would have kept them an unheard-of corporation located in East China.

Starting in 2016, Mirai and variants of Mirai exploited critical vulnerabilities in Xiongmai devices, namely the fact that the devices offered high-privileged shell access over TCP ports 23 (Telnet) and 9527 (a Telnet-like console interface) using hard-coded credentials. Hundreds of thousands of Xiongmai-manufactured devices were infected and used as part of one of the largest distributed denial of service (DDoS) attacks to date. Remember the DDoS attacks against Dyn that caused outages for Netflix, Twitter, GitHub, Spotify, Airbnb, … – basically for half of the internet? Or the attacks on the “Krebs on Security” blog that caused Akamai to stop their anti-DDoS protection service for the blog? Large parts of that DDoS firepower came from hacked Xiongmai devices.

The people behind Mirai were caught and sentenced, and Xiongmai eventually fixed the vulnerabilities in new products. IoT botnet actors are still looking for vulnerable Xiongmai devices, and large numbers of these devices have been “bricked” by an “anti-botnet botnet” dubbed Brickerbot.

Why is the SEC Consult Vulnerability Lab involved?

The automated firmware security analysis platform IoT Inspector reliably detects the kind of vulnerabilities Mirai and other IoT botnets are exploiting. The analysis works for all kinds of IoT devices, including ones from Xiongmai. One of our motivations for doing this kind of research is to use the results to improve the automated analysis by IoT Inspector.

XMEye P2P Cloud

Common guidance for IT systems usually is: “Do not expose them to the web”. In the Mirai case, this worked well: fortunately, only Xiongmai devices with exposed TCP ports 23 or 9527 could be infected, while all others were safe. Unfortunately, Xiongmai, like other video surveillance products (e.g. Gwelltimes/FREDI, MiSafes), has another attack vector, advertised as “P2P cloud”, “remote viewing capabilities”, or just “watch from anywhere in the world – there is an app available for iOS/Android”.

All Xiongmai devices come with a feature called “XMEye P2P Cloud” that is enabled by default. One part of it is a proprietary protocol that allows users to access their IP cameras or NVRs/DVRs via the Internet. All connections are established via a cloud server infrastructure provided by Xiongmai. From a usability perspective, this makes it easier for users to interact with the device, since the user does not have to be in the same network (e.g. the same Wi-Fi network) in order to connect to the device. Users can connect to their devices using various XMEye apps (Android, iOS), a desktop application called “VMS”, or an SDK for app developers. Additionally, no firewall rules, port forwarding rules, or DDNS setup are required on the router, which makes this option convenient also for non-tech-savvy users.

However, this approach has several security implications:

The cloud server provider gets all the data (e.g. video streams that are viewed). Open questions: Who controls these servers? Where are they located? Do they comply with local jurisdiction?

If the data connection is not properly encrypted (spoiler alert: it’s not, we’ve checked!), anyone who can intercept the connection is able to monitor all data that is exchanged.

The “P2P Cloud” feature bypasses firewalls and effectively allows remote connections into private networks. Now, attackers can not only attack devices that have been intentionally/unintentionally exposed to the web (classic “Shodan hacking” or the Mirai approach), but also a large number of devices that are exposed via the “P2P Cloud”.

So how does this “XMEye P2P Cloud” feature work in practice? Each device has a unique ID, called cloud ID or UID. Using this ID, the user can connect to the device through one of the supported apps. One would assume that the cloud ID is sufficiently random and complex to make guessing correct cloud IDs hard. We reverse engineered parts of the Xiongmai firmware and found that the cloud ID is derived from the device’s MAC address.

The MAC address is not a good source of randomness. It has a well-defined structure: a 3-byte OUI (organizationally unique identifier of the vendor) + 3-byte NIC ID (interface ID). Xiongmai uses a few different OUIs and assigns interface IDs in ascending order. Further details can be found in our technical security advisory.
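As an added example (not code from SEC Consult or Xiongmai), the following Python shows why an identifier derived from a MAC address carries so little entropy, and gives a per-byte Shannon entropy check that a vendor or auditor could run over a sample of their own device IDs. It assumes a constructed fleet with one hypothetical OUI (02:00:5E) and sequentially assigned NIC IDs, and uses the identity map as a stand-in for the real (undisclosed here) derivation; a CSPRNG-generated ID is included for contrast.

```python
import math
import secrets
from collections import Counter

# Constructed sample fleet: one hypothetical OUI (02:00:5E, locally administered,
# not a Xiongmai OUI) with NIC IDs handed out in ascending order.
SAMPLE_MACS = [f"02:00:5E:00:01:{n:02X}" for n in range(64)]

def split_mac(mac: str) -> tuple[bytes, bytes]:
    """Split a MAC into its 3-byte OUI and 3-byte NIC ID (interface ID)."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("a MAC address is exactly 6 bytes")
    return raw[:3], raw[3:]

def mac_derived_id(mac: str) -> bytes:
    """Stand-in for an ID derived from the MAC (assumption: the real transform is
    not described here). Any deterministic function of the MAC has at most the
    entropy of the MAC itself, so the identity map is enough to show the problem."""
    oui, nic = split_mac(mac)
    return oui + nic

def random_id(num_bytes: int = 16) -> bytes:
    """What a cloud ID should be: drawn from a CSPRNG, unrelated to the MAC."""
    return secrets.token_bytes(num_bytes)

def per_byte_entropy(ids: list[bytes]) -> list[float]:
    """Shannon entropy in bits of each byte position across a sample of IDs.
    A position that never changes scores 0; with n samples the score is
    capped at log2(n), so compare against that, not against 8."""
    n = len(ids)
    result = []
    for pos in range(len(ids[0])):
        counts = Counter(i[pos] for i in ids)
        result.append(-sum(c / n * math.log2(c / n) for c in counts.values()))
    return result

def total_entropy_bits(ids: list[bytes]) -> float:
    """Sample-based estimate treating positions as independent (optimistic for
    the MAC-derived case, since sequential NIC IDs are even more predictable)."""
    return sum(per_byte_entropy(ids))

if __name__ == "__main__":
    weak = [mac_derived_id(m) for m in SAMPLE_MACS]
    strong = [random_id() for _ in SAMPLE_MACS]
    print("MAC-derived:", [round(b, 2) for b in per_byte_entropy(weak)])
    print("CSPRNG     :", [round(b, 2) for b in per_byte_entropy(strong)])
```

On the constructed fleet only the last byte varies (6 bits across 64 devices), while the CSPRNG IDs score near the log2(64) sample cap at every position.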