Xiongmai XMeye IoT Cloud Server Vulnerabilities
Three vulnerabilities have been discovered in Hangxhou Xiongmai Technology Company's XMeye P2P Cloud, a server protocol used to control Internet-of-Things (IoT) devices, primarily IP cameras.
This content has been archived
This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of this information contained in this page is at your own risk
Summary
Three vulnerabilities have been discovered in Hangxhou Xiongmai Technology Company's XMeye P2P Cloud, a server protocol used to control Internet-of-Things (IoT) devices, primarily IP cameras.
Threat details
A remote attacker could exploit these vulnerabilities to gain control of connected devices.
Xiongmai is an original equipment manufacturer that provides products to other vendors, who then package and sell the devices. They also supply and manage the XMeye service, which allows users to easily set-up and access their connected devices.
The three vulnerabilities are described below:
- By default, XMeye does not encrypt communications, including those sent to a device. A remote attacker may exploit this to access user video feeds, obtain XMeye login credentials or impersonate an XMeye server.
- XMeye server connections require 16 character ID strings that are automatically generated using a device's MAC address. If an attacker has access to a connected device's MAC address they may be able to connect to the server and enumerate other connected devices.
- All Xiongmai devices are shipped with default credentials. An attacker could exploit this to gain access to an affected device, at which point they could then access the connected XMeye server.
For further information:
Remediation steps
CVE Vulnerabilities
Last edited: 17 February 2020 12:58 pm