Review Shows Glaring Flaws In Xiongmai IoT DevicesConsulting Firm Alleges Security Not A Priority for Vendor
Millions of internet-of-things devices made by a Chinese company and sold in stores such as Home Depot and Wal-Mart still have glaring security problems, a security consultancy warns.
Xiongmai was a little-known manufacturer until two years ago when its products and those of many other IoT manufacturers were compromised by the Mirai malware. Xiongmai has a surprisingly large reach, however (see Can't Stop the Mirai Malware). By SEC Consult's count, its technology is incorporated into the products of more than 100 companies, a practice known as white labeling. The problem is that identifying products that have Xiongmai embedded inside requires a bit of detective work, making it broadly more difficult for users of the products to even realize their networks are at risk.
SEC Consult's conclusions are stark: Attackers could view private video streams and use the vulnerable devices as a foothold to get inside a private network or corral the devices into a botnet.
"Our recommendation is to stop using Xiongmai and Xiongmai OEM devices altogether," writes SEC Consult's Vulnerability Lab.
Mirai infected millions of digital video recorders and IP cameras. That network of compromised devices was then used for devastating distributed denial-of-service attacks that caused widespread disruptions across the internet. Those who created Mirai were criminally charged and cooperated with U.S. investigators.
Predictable Cloud IDs
SEC Consult analyzed a cloud-based service that Xiongmai's software supports. The software and service is intended to make it simple for users to set up a networked camera.
The service, which is called the XMEye P2P Cloud, is enabled by default. The service bypasses firewalls and allows for remote connections into private networks, SEC Consult writes.
One of the first steps in attempting to create a large botnet is to identify devices that can be compromised. SEC Consult's investigation found that it was easy to identify devices running the service because Xiongmai did not sufficiently randomize the cloud IDs.
The cloud ID, SEC Consult found, was derived from a device's MAC addresses, and it is possible to enumerate further devices.
SEC Consult found more than 9 million devices online. It didn't appear that Xiongmai took basic security steps to stop potential attackers from doing such scans.
"Although we sent more [than] 33,000 queries from one single IP address, we were not banned from the cloud infrastructure," SEC Consult writes. "This indicates that there is no brute force protection in place."
Not Again: Default Credentials
Because Mirai was coded with a long list of default credentials for IoT devices, computer security experts have implored that manufacturers need to force users to change any factory-set credentials.
And although Xiongmai said after Mirai that it was taking steps to better secure its devices, SEC Consult's findings appear to contradict its stance. The XMEye cloud still ships with a default username of admin and an admin password that "is simply blank," SEC Consult writes.
"Users are not required to set a secure password in the initial setup phase, so it is likely that a large number of devices are accessible via these default credentials," it writes. "The admin user can view video streams, change the device configuration and even issue firmware updates."
But that discovery gets even worse. Even if a user changes the default credentials, SEC Consult found that there is an undocumented account. The username is "default," and the password is default spelled backwards. Those credentials can be used to log into the device via the XMEye cloud.
"This user seems to at least have permissions to access/view video streams," SEC Consult writes.
No Software Signing
Another gaping hole is firmware, SEC Consulting contends.
For some reason, Xiongmai doesn't digitally sign its firmware updates, the consulting firm found. Signing software ensures that the code hasn't been tampered with, because a confirmed valid update should have the same signature as that released by the developer.
Not signing software is especially bad because it also means malicious firmware updates could be distributed via the XMEye cloud, SEC Consult writes.
"Although Xiongmai had seven months' notice, they have not fixed any of the issues. The conversation with them [Xiongmai] over the past months has shown that security is just not a priority to them at all."
There was a saving grace with Mirai: Rebooting the device would erase the malware, although attackers could re-infect the device quickly if it had not been patched. SEC Consult says that erasure isn't possible with an attack on the XMEye cloud component.
"Unlike in the Mirai case, it [malicious firmware update] cannot be removed any more by rebooting the devices," SEC Consult says.
Security: 'Just Not A Priority'
SEC Consult contends it took pains to point out the problems to Xiongmai. The consultancy says it also has been working with ICS-CERT, as well as China's CNCERT/CC, since March.
"Although Xiongmai had seven months' notice, they have not fixed any of the issues," SEC Consult says. "The conversation with them [Xiongmai] over the past months has shown that security is just not a priority to them at all."
Efforts to reach Xiongmai officials were not immediately successful. But when ISMG reached out to Xiongmai in October 2016 in the fallout of Mirai, the company admitted that its products were imperfect (see Could a Defensive Hack Fix the Internet of Things?). A company spokesman contended Xiongmai was taking steps to secure its products, including removing a default password for telnet and requesting that users change other default passwords during device set up.
SEC Consult notes that the U.S. Defense Department's budget for fiscal 2019 contains a provision that forbids procurement of video surveillance equipment from other IoT manufacturers that have had security issues, including Hytera Communications Corp., Hangzhou Hikvision Digital Technology Co. and Dahua Technology Co.
"We think Xiongmai should receive the same treatment," SEC Consult says.