Nine Million Xiongmai IoT Devices Vulnerable to Hacking

Security firm SEC Consult has published research indicating that over nine million internet-of-things (IoT) devices produced by the Chinese corporation Xiongmai contain critical vulnerabilities. At least 742,000 of these devices are security cameras, digital video recorders (DVRs), and network video recorders (NVRs) located within the US. The vulnerabilities are present in Xiongmai's XMEye Peer-to-Peer (P2P) Cloud, which lets users remotely control their device and view its video streams through mobile or desktop applications. Threat actors can compromise a device by guessing the sequential Unique ID (UID) assigned to it and then logging in either through a default administrator account that has no password or through a hidden default account with the password "tluafed." Because Xiongmai does not sign firmware updates for authenticity, an attacker who has gained access can trigger an update containing malware. Additionally, threat actors can view the victim's video streams and alter device configurations. Xiongmai has not yet patched the vulnerabilities.

The NJCCIC highly recommends that users review the SEC Consult blog post and consider discontinuing use of vulnerable Xiongmai IoT devices until a patch is available. Users are also advised to always change default credentials on IoT devices and to enable multi-factor authentication where available.