back to article World's largest CCTV maker leaves at least 9 million cameras open to public viewing

Yet another IoT device vendor has been found to be exposing their products to attackers with basic security lapses. This time, it's Chinese surveillance camera maker Xiongmai named and shamed this week by researchers with SEC Consult for the poor security in the XMEye P2P Cloud service. Among the problems researchers pointed …

  1. Youngone Silver badge

    Security? We've heard of it.

    It looks like almost every network camera available on aliexpress is made by these muppets.

    They seem to set up complete with a default IP address and admin user. I'm not sure why.

    The password for the default admin is blank if anyone was wondering.

    1. Lee D Silver badge

      Re: Security? We've heard of it.

      To be honest - for home use, yes, that's pretty devastating.

      For anywhere that matters - are you really allowing your cameras on the same VLAN as anything other than other cameras? Are you really giving that VLAN Internet access? And do you really need to allow viewing of those cameras remotely from random IPs requiring port-forwarding etc. that you couldn't just do over an approved VPN to the right VLAN?

      The kit is dodgy, whether it's £2000 big-name cameras or £20 Amazon specials, it shouldn't need to talk out like this at all, and thus you shouldn't let it. If you don't let it, it can't be used as a launching-off point to the rest of the network even if entirely compromised, and can't be found just by trawling the Internet for open-ports.

      Hell, my own users can't ever get to the point where they can see the cameras on the network themselves, or any of the NVRs. They can only connect to a single machine which straddles the CCTV VLAN and provides them access via a logged and audited relaying portal which then mirrors some of the RTSP streams that the NVR provides from the cameras it records 24/7.

      The IoT problem is as much about people just throwing stuff on their systems as if it'll magically configure itself securely as it is about devices coming with poor defaults and dodgy cloud portals.

      1. tony72

        Re: Security? We've heard of it.

        For anywhere that matters - are you really allowing your cameras on the same VLAN as anything other than other cameras? Are you really giving that VLAN Internet access? And do you really need to allow viewing of those cameras remotely from random IPs requiring port-forwarding etc. that you couldn't just do over an approved VPN to the right VLAN?

        Yes on all counts. This was the way it was set up by the security company that provided and installed the camera (not a Xiongmai system, though I don't have too much faith that it's any better) and alarm systems. As it happens, we know enough to know that it's probably not ideal, and will probably get around to making things more secure, but I suspect 90% of smaller businesses getting a system installed would have no idea. Small businesses typically have limited in-house IT expertise, and use kit in whatever configuration suppliers set up for them, like it or not, so it would be really helpful if kit was at least a little bit secure out of the box.

      2. katrinab Silver badge

        Re: Security? We've heard of it.

        Regardless of all the stuff about VLANs, you could check out the building remotely and use the information to find out the best route and time to break in, and delete the evidence afterwards.

        1. Lee D Silver badge

          Re: Security? We've heard of it.

          "Regardless of all the stuff about VLANs, you could check out the building remotely and use the information to find out the best route and time to break in, and delete the evidence afterwards."

          No, you just wear a balaclava. Done.

          Nobody in their right mind will break into a building and then try to hunt/destroy the cameras. Mostly because they'll almost always be synced to off-site storage, cameras often comes with SD cards inside to double-record all footage nowadays, and the actual reliance on "roll the camera back" is fading fast in favour of "the camera just texts me when it detects movement on an internal camera, with a copy of the last 30 seconds of the footage" (note: all perfectly viable without third-party cloud servers).

          Honestly, if it's an average private home, the police don't even have the time to obtain footage and unless they pull up with their car number plate facing the camera, or look up into the camera, you stand precisely 0% chance of identifying them. (Source: Three police incidents of burgled neighbours with captured footage of vehicles and burglars).

          If it's any property that you need to keep more secure, that footage is stored in a secure location and mirrored (you tell me where that network cable I plugged into the camera is actually recording TO... could be anywhere in the world, synced to an off-site backup, sitting in a cabinet anywhere on site, accessed live over a VPN, etc. etc. etc.). You'd have to smash all the cameras you passed (which is why they are vandal resistant), pull them off the wall, destroy the cards inside them, find the NVR (or NVRs!) on-site, destroy them too, and hope that in all that time it never got to send out a single message, alert, alarm signal, footage or backup off site.

          P.S. any modern NVR has "camera blackout" alerts that can detect obscured / disconnected cameras and alert you in a number of ways. You have from the time you smash the first camera, until the time the security company van arrives to destroy all traces of the CCTV system.

          P.P.S. CCTV is not there to roll back and see what people did. That's just one function. It's there to alert someone to something unusual. Like burglar alarms - there's no point getting home and the light is flashing and it's been going off all night and everyone ignored it. At that point you KNOW you've been burgled. You fit a burglar alarm to alert someone who'll do something about it quickly - like your neighbour (highly unlikely), a security firm (better, but expensive), the police (yeah, right, they don't even come out for persistently-ringing alarms any more, they tell you to call Noise Abatement), or... the best option in the world... you. By texting your phone and saying "Internal camera detected movement" or "Lost contact with Front Camera".

          You have to notify the only person in the world who care about your property - which is you. That's the function of CCTV, burglar alarms, car alarms and anything else. Everything else you might "think" will happen is a nonsense. I hear a car/house alarm literally every night. I do precisely zip about them. As do all my neighbours. (Source: three house burglaries, nobody "heard anything", several site intrusions, vandalism, burglaries, thefts, not a single one caught in the act or discovered until the next morning).

          I supply CCTV footage from large sites to police. Pretty much, it's useless and nothing comes from it. (Source: Three house burglaries, plus dozens of site burglaries and vandalism: convictions - zero, arrests - one [a teacher that was arrested for restraining a teenager from beating his mate up, I kid you not, the guy was never able to work in a school again], time spent - literally MONTHS of hunting footage).

          The reason it's on the wall is so that people can see we're watching, and so that the guy who's in charge of the site at night can see whether the banging outside is a gang of kids, or a loose fence panel before he puts himself in harm's way. I guarantee if there's someone actually doing something, he will call the police, but only after he checks the LIVE footage. The historical footage is there for a court many months in the future, if necessary, and is usually so pitiful as to be useless.

          If you don't know this, I suggest that you've never managed CCTV or been asked to provide footage to police after an incident. Note also: Approximately 70-80% of the thefts, break-ins, vandalism, intrusions, etc. that I've ever dealt with in my professional life - there is ZERO CCTV footage, even with dozens and dozens of cameras around all the places I've worked.

          1. katrinab Silver badge

            Re: Security? We've heard of it.

            Sure, but if you have admin access to the cameras, you can find out all this stuff. You can figure out where all the cameras are, so you don't end up looking straight at one when you go round a corner or open a door, you can disable the notifications and remote uploading to cloud services and so on.

          2. usbac

            Re: Security? We've heard of it.

            We run a bunch of these cheap Chinese cameras at several sites. What we do is put them on their own physical network segment (not VLAN) fire-walled off from the rest of the network. They don't have access to the internet at all. We then run Blue Iris NVR software on rack-mount servers that are on the isolated segment. These servers are accessible from the internet through an enterprise class firewall for certain authorized people.

            Any security contractor that installs a camera system that is not isolated from the company's internal network should be sued out of existence.

            I once tossed an alarm contractor out of the building when the technicians (with very poor IT skills) insisted on having access to our internal network. I told our CFO to find a more cooperative vendor, and he did.

    2. J. R. Hartley Silver badge

      A spokesperson said:

      "This Is The One Thing We Didn't Want To Happen"

    3. John Brown (no body) Silver badge
      Joke

      Re: Security? We've heard of it.

      "They seem to set up complete with a default IP address and admin user. I'm not sure why."

      Because China wants to expand it's CCTV network to the whole world and realised that cheapskate muppets would do the job for them and even pay for the privilege?

      1. katrinab Silver badge

        Re: Security? We've heard of it.

        The UK are world leaders in CCTV deployment, by a very wide margin. 16% of all CCTV cameras in the world are in the UK, monitoring 0.88% of the world's population.

        1. Bliar003

          Re: Security? We've heard of it.

          No it isn't you idiot, there are over 30 million security cameras in the US alone, with 125 per 1,000 people in 2014 compared to 91 in the UK. China will be the world leader by a very wide margin.

          You morons with a delusion about the UK being a "world leader" in CCTV deployment always forget just how many countries have far more than we do, per person as well. In fact you're always clueless as to their actual figures.

  2. Winkypop Silver badge
    Black Helicopters

    In china

    Poor security is a value-add feature.

  3. sanmigueelbeer Silver badge
    FAIL

    If you think that XM has a poor response, read THIS and scroll down to the Vendor Contact Timeline.

    SEC Consult, in coordination with ICS-CERT, contacted CN-CERT on 04 September 2018 but CN-CERT only responded with a generic response on 27 September 2018.

    So why would XM "care" when the PRoC government isn't even attempting to help?

    the researchers advise companies stop using any OEM hardware that is based on the Xiongmai hardware.

    And here is where the problem lies.

    1. Majority of customers are private use or household.

    2. Majority of the home use don't have access to vulnerability information like this.

    So this means, their sales will still continue on.

    Another thing, XM is an OEM company. They don't have a "brand" themselves. They leave it upon their "partners" to put a badge and sell the product. How easy is it to re-brand and/or re-badge a dodgy camera like this? Different brand, different "model", different form factor? For companies in PRoC, `tis a matter of minutes.

    The only way is to get FCC to put a "ban notice" (or something in this word) that will halt the importation and sale of these cameras. Only money (or lack of) will make XM pull their head in.

    1. alain williams Silver badge

      XM is an OEM company

      The only way to fix this is to make the UK reseller liable for any problems that might be caused by bad OEM security. The result would be that UK resellers would only deal with OEMs that provided products with good security. So the likes of Xiongmai would either go out of business or smarten up their act.

      Currently UK resellers can just shrug their shoulders to these problems.

      Yes: this would result in a small price hike, but we all understand that quality costs.

      1. AMBxx Silver badge

        Re: XM is an OEM company

        Resellers don't have the ability or finance to do this. We have kite-marks for electrical goods, need a similar idea for anything internet connected. That way the vendor pays.

        1. Gene Cash Silver badge

          Re: XM is an OEM company

          > Resellers don't have the ability or finance to do this

          Nope, and that's exactly why they'll stop reselling cheap dodgy kit.

          Put a couple of them out of business and the rest will shape up.

      2. JimC Silver badge

        Re: Make UK resellers liable

        And amazon and ebay vendors will just sell the dodgy kit direct from Elbonia or wherever, and there won't be any UK resellers. Will that help much?

        1. AMBxx Silver badge

          Re: Make UK resellers liable

          Make it illegal to sell stuff without certification. Make the reseller legally responsible for confirming their products are certified. For ebay/Amazon make the site that hosts the sale responsible.

          1. Cynic_999 Silver badge

            Re: Make UK resellers liable

            "

            Make it illegal to sell stuff without certification. Make the reseller legally responsible for confirming their products are certified. For ebay/Amazon make the site that hosts the sale responsible.

            "

            What sort of certification do you have in mind?

  4. Anonymous Coward
    Anonymous Coward

    If a camera is connected to the internet put a post it note on the lens, it's the only way you can be sure no one is watching.

    1. A.P. Veening

      sure no one is watching

      And in that case they are probably still listening.

      1. Anonymous Coward
        Anonymous Coward

        Re: sure no one is watching

        I never thought of that, two post it notes then.

        1. BoldMan

          Re: sure no one is watching

          So they . aren't listening or watching but they are using your pwned device to spam, DDoS and attack other devices...

          1. Anonymous Coward
            Anonymous Coward

            Re: sure no one is watching

            Damn it, ok, three post it notes, one on the network port as well.

            1. Lee D Silver badge

              Re: sure no one is watching

              "Researchers find way to tweak CCTV camera IR LED's to 'see through' Post-It notes".

  5. steviebuk Silver badge

    The problem is...

    ...lots of Chinese stuff is cheap. So Clever Dog cameras where mentioned to me recently and I reluctantly got some to watch the cats due to the price & ability to save locally to SD card (yes I know I loose the footage if someone comes in an nicks them). The software is shockingly shit, the motion detection is useless and the cameras are unreliable for connecting to them. I fear what they are doing while on my internal network. I might sit with wireshark one evening and see if I can see if they are doing anything they shouldn't be.

    Read the T&C of the company who runs Clever Dog and they essentially say "Our stuff should be secure. If it's not and someone breaks into your cameras or our servers, then it's not our fault. And we aren't liable"

    Trouble is the big name cameras are expensive, mostly require cloud subscriptions (which is not what I want) and don't really do what I want. It's annoying as some years back in the XP days I had a Logitech web cam that you could remotely move. Then had some free CCTV software (up to about 3 cameras then you had to pay) that had the ability to detect motion, you could sit and watch what it was seeing as motion as colours on the screen. It was really accurate but alas, the camera is no longer supported and it's so long ago I can't remember what that quality software was.

    1. Alan Brown Silver badge

      Re: The problem is...

      "Trouble is the big name cameras are expensive, mostly require cloud subscriptions"

      And when you start digging, frequently have XiongMai software internals.

      These come in standalone DVR, IP camera and cloud system flavours - the only difference is how the software is configured (the core is the same).

      It appears that XiongMai and Huawei have very intimate links.

      If it has a HiSilicon (Huawei) SoC at its core, then it will virtually always be XiongMai firmware. If XiongMai isn't part of the Huawei stable then the CCTV stuff was probably written under contract, because I haven't encountered it on anything except HiSilicon SoCs and it seems to be preinstalled at the fab, even before the chips hit circuit boards.

      If it's XiongMai firmware, it is ALWAYS "pirate" software - because Xiongmai are egrarious GPL license violators.

      - The firmware in these things is an embedded Linux system - with no source code available.

      - The Xiongmai CCTV controller software is a _large_ stripped monolithic binary, but it actually contains a number of subcomponents (an OS within an OS?) and whilst attempts have been made to obfuscate what is in there, GPL symbols abound, as do the signatures of a number of GPL packages

      XiongMai have not only refused to deal with anyone complaining about security or GPL issues, they have been very vocal about people "stealing their intellectual property" - and claiming ownership of the entire embedded linux system as a proprietary blob.

      They're not the only offender in the embedded systems area for this, but they've been becoming increasingly vocal about IP "theft", whilst ignoring their own large elephant in the room (Anyone remember Bill Gates, MS BASIC and the stolen mainframe time?)

      1. Chronos Silver badge

        Re: The problem is...

        - The Xiongmai CCTV controller software is a _large_ stripped monolithic binary, but it actually contains a number of subcomponents (an OS within an OS?) and whilst attempts have been made to obfuscate what is in there, GPL symbols abound, as do the signatures of a number of GPL packages

        Aye, the infamous "Sofia" binary. Realistically, the only way to secure these things is to filter at the gateway by MAC. Even then, a malicious local operator could easily break into the things or a zombie Windows box could deliver the payload, change the MAC with the nvram utility that is present on these things and bypass the filter.

        It's a shame because the hi3518 with the OV9712 sensor is a pretty capable little night vision system. If they opened the source for these things they'd probably sell millions more of them, especially if one were able to set up only rtsp, motion alarm (I have a listener daemon for XM alerts which spawns an ffmpeg 30s recording) and a simple control panel for the settings. Add MQTT instead of the XM proprietary alarms while we're at it...

  6. Andy 97

    Phone-home!

    I purchased a similar device from Amazon (of all places).

    Thankfully I read this before I unpacked the device:

    https://seclists.org/fulldisclosure/2017/Mar/23

  7. Cuddles Silver badge

    It's not CCTV

    It seems someone has to point this out every time, but surveillance cameras connected to the internet are not closed circuit. This is not just a minor nitpick, it's of fundamental importance for security. CCTV is inherently secure because the whole point is that there's no external connection; short of physically splicing extra parts into the system, there is no way of hacking into it. The big problem with connected surveillance cameras is that people keep treating them as CCTV, and that brings huge issues with security since you can't treat a connected system the same way as an unconnected one and expect everything to just work out fine.

    If even illustrious rags such as El Reg keep mixing up the terminology, the situation is never going to change. It's not enough to just draw attention to the occasional big screw-up, the only way to improve things is to get people to understand the systems they're dealing with. Using the correct names to distinguish fundamentally different categories such as connected and isolated is only a small first step, but without that first step none of the following ones are going to achieve anything.

    1. steviebuk Silver badge

      Re: It's not CCTV

      I think this is like arguing Tannoy is a speaker system in supermarkets etc, when it's in fact a brand name, like Hoover. Unfortunately over the years CCTV has just become this. Any camera that can watch your property, whether it's closed circuit or not is classed or seen as CCTV.

      Most people want to remote view CCTV in these times so most CCTV ends up, in some way connected to the Internet.

      Whats worse is when you have a so called "CCTV company" come in and install kit. Never bothered to put on SSL on any of the websites for the CCTV cameras, give them internet findable IP addresses, give the logins piss poor easy to guess or brute force passwords for the PVR boxes and set them up near lights so the light ends up blowing the picture out at night. That's whats also worrying, is the racket/cowboy/girl CCTV installers.

    2. Terry 6 Silver badge

      Re: It's not CCTV

      S'funny.

      A year or two back I had one of these over-the-internet systems described to me as "CCTV". I had a momentary thought of "How is that closed circuit then" and dismissed it from my mind. You can't argue everything and it wasn't my problem ( or system). But yeah. I fully get that. It's TV. Private TV ( hopefully) but TV nonetheless. And not "closed circuit" in the slightest. At best it's virtual closed circuit.

    3. G2

      Re: It's not CCTV

      CCTV = Connected Circuit TV or Cloud Circuit TV

      Unless they spell it out as "closed", it can mean anything... usually, in China, CCTV means "China Central Television" - https://en.wikipedia.org/wiki/China_Central_Television

      Not even ElReg's article bothers to fully write "closed circuit", they just use "CCTV".

      1. Anonymous Coward
        Anonymous Coward

        Re: It's not CCTV

        Internet Search Results:

        "Connected Circuit TV" - 0 Pages Returned

        "Cloud Circuit TV" - 0 Pages Returned

        Please stop trying to pervert the language. It's confusing and it makes engineers unhappy.

        1. G2

          Re: It's not CCTV

          @ Anonymous Coward - you didn't even bother to search and just made a statistical dump of zero numbers on the comment form, did you?

          search #1 has some (weird) results about connected circuits and tv

          search #2 ...

          feniva.eu (around since 2006) and cloud-tech.eu (around since 2010) have a product name tagged exactly like #2 in the extended description - Cloud Circuit TV

          https://www.youtube.com/watch?v=zYlYRGSQbEc

          video published on 11 Jun 2013

          q.e.d.

  8. Zippy´s Sausage Factory
    Unhappy

    Fringe called this years ago

    In an early episode, the COO of a company says "Massive Dynamic retains access to every security camera we sell" to help track someone down...

    I mean, they seem to totally forget about that forever after that, because plot holes, but it's nice to see a bit of science fiction coming true, right?

  9. Tom 7 Silver badge

    OCTV

    DFTFY.

  10. wyatt
    Unhappy

    I've had experience of installing and supporting one of these systems at my wifes shop. Out of the box, it's insecure as hell with every service turned on with default accounts. I had a firewall running blocking all outbound connections and couldn't keep up with the logs, once all the services were turned off on the monitoring unit it shut up.

    Problem was if you didn't enable a load you couldn't view it via the internet which is what the father in law had his heart set on.I setup a VPN so that the app was connecting via this to the local network so nothing was transmitted unencrypted and it worked well. Few years on and the shop is gone, he has the camera system at home and has enabled all the services so that it works with his phone/app with no VPN. I did offer to set up what he had before but he wasn't interested. In his opinion, why would anyone want to watch his cameras? I tried to explain the potential issues but again, he's not interested like many who want convenience over privacy/security.

  11. TseTT
    Joke

    £££$$$$

    They can't be that bad, they've sold 9 million of them !

    1. sanmigueelbeer Silver badge

      Re: £££$$$$

      They can't be that bad, they've sold 9 million of them

      According the SEC Consult, 5 million of them are in China alone. However, one security analyst commented that the figure of "9 million" is very, very conservative.

  12. Baldrickk Silver badge

    OEM devices can be recognised by xxx

    But no examples on how to make that check?

  13. vtcodger Silver badge

    Tedium

    Not that I'm in favor of insecure CCTV cameras, but have you folks ever spent any time actually looking at the output of a security camera? Typically it makes watching grass grow look exciting.

    I submit that for the vast majority of CCTV cameras, security simply isn't a reasonable concern. No one cares and no one should care.

    For too many of the fraction where securing is desirable, the toolkit for securing them is going to be utterly incomprehensible to the folks doing the installation. That seems to me at least as big a problem as shipping an insecure product.

    1. Claptrap314 Bronze badge

      Re: Tedium

      It is practically by definition that if there is a reason for a CCTV, there is a reason to hack it. I don't think you're sufficiently devious for this line of inquiry.

  14. Anonymous Coward
    Anonymous Coward

    There is a good PoC and write up on GitHub

    for DVR's that used this companies software.

    (I won't post the exact link but "pwn-hisilicon-dvr" by Git user tothi is an excellent read.)

  15. Claptrap314 Bronze badge

    In the IoT, the "s" is for security.

    I guess it was my turn to say it.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019