Default Passwords Leave Millions of Webcams at Risk Globally


A vulnerability inherent in millions of webcams developed by a Chinese manufacturer is raising fears of yet another internet of things (IoT) botnet attack.

The Hangzhou Xiongmai Tech Corp (Xiongmai), a Chinese manufacturer known for developing most of the IoT devices compromised by the Mirai botnet in 2016, discovered a new vulnerability inherent in all of its devices by default. Crucially, it was a vulnerability similar to the one exploited by Mirai authors in the infamous attack that crippled domain name system (DNS) provider Dyn, leading to widespread internet outages in the United States and some parts of Europe.

As cybersecurity firm SEC Consult reveals, the vulnerability specifically lies in a feature dubbed XMEye P2P Cloud. The service, which enables users to access their devices remotely over the internet to check their cameras, is enabled on all of the company’s devices by default.

Quite simply, users can use a variety of apps to access their devices using Xiongmai’s cloud platform. This ‘simplicity’ offered by Xiongmai means users won’t need advanced port forwarding via firewalls or UPnP rules on home routers to access their webcams. Since Xiongmai was at the center of it all, lax cybersecurity protocols employed at the company and the way its devices are designed have put the entire inventory at risk of being hacked.

Because the devices use MAC addresses in a standard, non-random format, each and every device falls within a known range of MAC addresses that ascend incrementally. This makes it easier for a program to check these MAC addresses and identify the devices that are online.

Hackers would be able to gain access to approximately nine million webcams located all over the world.
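Seen from the operator's side, a program walking an incrementing ID range leaves a recognisable trace in lookup logs. The sketch below is an added example, not code from SEC Consult or Xiongmai: the record format, function names and thresholds are assumptions, and the sample records are constructed using locally administered MAC addresses and documentation IP ranges.

```python
from collections import defaultdict

# Constructed sample of status-lookup records: (source IP, device MAC queried).
# MACs use a locally administered prefix (02:...); none refer to real devices.
SAMPLE_LOOKUPS = (
    [("198.51.100.7", f"02:00:00:00:10:{i:02x}") for i in range(0x20, 0x60)]
    + [("203.0.113.5", "02:00:00:00:10:2a")] * 12           # owner polling one camera
    + [("203.0.113.9", m) for m in ("02:00:00:3f:00:01", "02:00:00:9a:41:10",
                                     "02:00:00:00:77:c3")]   # installer, three sites
)

def mac_to_int(mac):
    """Parse a colon- or dash-separated MAC into a 48-bit integer."""
    digits = mac.replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(digits, 16)

def longest_run(values):
    """Length of the longest run of consecutive integers in a set."""
    best = 0
    for v in values:
        if v - 1 in values:           # only count from the start of a run
            continue
        n = 1
        while v + n in values:
            n += 1
        best = max(best, n)
    return best

def find_enumerators(lookups, min_distinct=16, min_run=8):
    """Return {source: (distinct_ids, longest_run)} for sources whose lookups
    walk an incrementing ID range rather than a small fixed set of devices."""
    per_source = defaultdict(set)
    for source, mac in lookups:
        try:
            per_source[source].add(mac_to_int(mac))
        except ValueError:
            continue                  # skip malformed records, keep processing
    flagged = {}
    for source, ids in per_source.items():
        run = longest_run(ids)
        if len(ids) >= min_distinct and run >= min_run:
            flagged[source] = (len(ids), run)
    return flagged

if __name__ == "__main__":
    for src, (distinct, run) in find_enumerators(SAMPLE_LOOKUPS).items():
        print(f"{src}: {distinct} distinct IDs, longest consecutive run {run}")
```

Requiring both a minimum number of distinct IDs and a minimum consecutive run keeps a single owner's repeated polling, or an installer with a few unrelated devices, from being flagged.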

The researchers who discovered the vulnerability wrote:

“We have worked together with ICS-CERT to address this issue since March 2018. ICS-CERT made great efforts to get in touch with Xiongmai and the Chinese CNCERT/CC and inform them about the issues. Although Xiongmai had seven months’ notice, they have not fixed any of the issues.”

“The conversation with them over the past months has shown that security is just not a priority to them at all,” they added, damningly.

Image credit: Pexels.