Hangzhou Xiongmai Technology (Xiongmai) is a company whose products you may have in your home or office but have never heard of. That’s because they make products that are then rebranded by other companies. Their focus is on security products such as cameras and video recording equipment. SEC Consult has been scouring the Internet and found products made by Xiongmai are vulnerable to attack.
In a recent article SEC Consult revealed that devices made by Xiongmai are vulnerable to an attack vector called “P2P Cloud”. It works by using vulnerabilities in a service Calle “XMEye P2P Cloud” that is offered with all of Xiongmai’s products. The service makes it easy to remotely connect to a Xiongmai-made device as you don’t need to manage any special router settings or perform any other network magic.
The way Xiongmai makes this work is to give every device a seemingly random name so it can be identified when it connects to the internet and is accessed via their service. The problem is that the “random” ID isn’t all that random and can be reverse engineered as it’s derived from the device’s MAC address.
SEC Consult was able to reverse engineer the XMEye P2P Cloud service and found that there were about nine million devices online they could access. In the process, they sent about 33,000 scan queries that were apparently not detected by Xiongmai as they were not stopped from accessing the company’s AWS-based cloud services that are distributed across several geographic regions.
The impact is significant. Unauthorised third parties could listen in or watch you remotely without your knowledge, the devices could be used to access a network and move laterally looking for other vulnerabilities or the devices could be recruited into a Mirai-type botnet.
As the devices aren’t labelled as being from Xiongmai they may be tricky to identify but the SEC Consult blog lists some of the over 100 brands that are stamped onto the affected products. They also list some of the domains and IP addresses used by the platform to help with detecting if you have a device that is connecting the Xiongmai cloud services.
The short lesson here is that it is becoming increasingly difficult to know what a safe device is. You need to monitor what’s happening on your network and look for unusual activity as well as keep track of vulnerability reports and keep devices updated with the latest patches and firmware.