IoT search engine ZoomEye 'dumbs down' Dahua DVR hijackings by spewing passwords

Login passwords for tens of thousands of Dahua digital video recorder devices have been cached by ZoomEye, an IoT search engine, and published on the web so that even the dumbest hacker could crack unpatched kit. "A new low has been achieved in the ease of hacking IoT devices," said Ankit Anubhav, principal researcher at …

  1. Herby

    I'm beginning to believe.....

    ...that nothing is really "secure" anymore, unless it DOESN'T have an embedded processor.

    I'd say toasters, but I understand some of those are "connected".

    1. Anonymous Coward

      Re: I'm beginning to believe.....

      I believe it's no coincidence things are this bad...

      Having holes is a strategic advantage to some:

      https://www.theregister.co.uk/2018/07/16/states_fund_foreign_surveillance/

  2. SVV

    Nobody wants to fix it

    That's the irony when marketing a smart device. Nobody smart wants to buy it.

    1. Anonymous Coward

      'Nobody smart wants to buy it'

      IoT reflects the sad state of product UX in general. Security / privacy gets stripped away and stuff you don't want gets bolted on. Look at Amazon Prime today. There's no one around in 'real' Stores anymore to curate products or filter crap out. Everything is get it today, lowest price now. No one is hired to fix any of the after effects anymore. So the IoT gotcha game rolls on!

      -------------------

      https://www.zdnet.com/article/crapware-why-manufacturers-install-it-and-what-you-can-do-about-it/

      https://www.theregister.co.uk/2018/07/16/amazon_prime/

  3. DropBear

    "devices to have an update feature, which can be used to automatically push patches to the firmware as soon as the device is connected to the internet"

    There is no way in hell you can make me install or use another device that auto-patches - my phone does that (including the obligatory crashing as a result) basically daily and it's enough to make me want to escape that particular hell as soon as I figure out a workable alternative. Argue about normal people needing to be rapedated "or else they won't update" all you want if you're the type that believes the ends justify the means, there will never be forced updates on any computing device I own as long as I can help it.

    1. Gene Cash

      No kidding, especially when "updates" include the removal of multiple important features - I'm looking at YOU, Firefox...

      I'm stuck on Firefox 43 because of this.

  4. Alan Brown

    The problem here isn't Dahua.

    Zoomeye comes from the XM part of the firmware they run (and the XMEye remote access software provided) - which stands for "Hangzhou Xiongmai Technology Co.,LTD."

    Xiongmai provide the core of almost ALL the Chinese DVRs out there. If the support software has XM in the title then that's where it came from. They're at the heart of Dahua, Hikvision, Annke/Sannce, Swann, etc.

    If the engine of the DVR is a Huawei Hi3xxx series SoC, then you can almost guarantee that the firmware is Xiongmai - and that comes with a bunch of problems:

    1: It's embedded Linux with hardcoded passwords (it's easy enough to unravel the firmware to verify this)

    2: Xiongmai _refuse_ point blank to comply with GPL

    3: It's seldom-if-ever updated

    4: "Security? We've heard of it"

    5: These holes are mainly due to the "need" for external access through Carrier-grade NAT - which ends up requiring the DVR to connect to XMeye.net to say "here I am"

    6: The actual DVR software is an embedded, stripped binary blob containing a bunch more GPL software (you can see the symbols inside it) that's almost never updated (sound familiar?)

    7: Xiongmai are running around accusing all and sundry of pirating their software

    As far as I can tell, it looks like Huawei contracted Xiongmai to make firmware for these SoCs. I've brought the GPL issues up with Huawei Europe, but they seem powerless to intervene.

    A few journalists taking an interest might help.
