Digital video recorder installers master password list 'leaked' – claims

Xiongmai, the vendor behind many Mirai-vulnerable DVRs, has earned the consternation of security watchers once again.

The vendor's 2017 list of superuser passwords for certain DVRs – designed only for CCTV installers to access customer installations – appears to have leaked online.

"If the creds are what we think they are, they may be enough to remotely take over certain CCTV systems," Ken Munro, a director at UK security consultancy Pen Test Partners (PTP), told El Reg. "[It's] a bit like Mirai, but the consequence is remote viewing of people's CCTV cameras."

PTP found the leaked list [PDF] on the LinkedIn page for a CCTV installer in Nigeria. This list, which covers login credentials for the rest of 2017, is essentially a one-time pad or per-day superuser password for a DVR service. One-time pads are only effective if they are shared in complete confidence and not reused.

Mikko Hyppönen, chief research officer of security software biz F-Secure, has since noted the same documents elsewhere on the internet.

The document references XMEye, a cloud service offered by ZY Security for remotely accessing DVR video streams. "The service only appears available to certain DVR types, which we can't find on sale outside of China," according to Munro. "[We] still haven't successfully attributed the creds, but this is yet another massive Xiongmai DVR fail."

Some private forums and the vendor suggest that they're local, but the document suggests it's for a web service. The vendor involved has acknowledged the bug in private support channels without publicly confirming the problem. PTP would have to ship in a DVR from China to access the scope of the problem, but it's already clear that mistakes have been made.

"Sharing superuser account credentials with installers and expecting them not to leak is asking for trouble," Munro said.

PTP came across the leaked list during its ongoing research into the security of DVRs for CCTV systems. Munro said PTP has seen undocumented hidden superuser accounts on some other similar DVRs.

El Reg invited Xiongmai to comment on the credential leak on Monday. We're yet to hear back but we'll update this story as and when we hear more. In the meantime – and despite notification by El Reg and others – the leaked credentials remain online. PTP went public on the issue with a blog post late on Tuesday.

Xiongmai makes components (motherboards, network modules and more) for security surveillance systems, CCTVs and associated video recorders. ®