Passwords for webcams web updating tool
Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group.Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group.If the password leak is authentic, it would represent another embarrassment for the company, which was one of several vendors blamed for enabling record-breaking distributed denial-of-services attacks.The Chinese company makes components that other manufacturers put into their cameras and video systems.The finding came - perhaps surprisingly - via Linked In. K.-based Pen Test Partners writes in a blog post that he and a colleague were researching digital video recorders used for CCTV systems when they found a master list of "super user" passwords posted on Linked In by a CCTV installer.The passwords may unlock an application called XMEye, which is a cloud-based service for remotely accessing DVR video streams."Personally, I think that network-level security for DVRs is very poor," Pen Test Partners' Munro says.
It's unclear if the passwords will work remotely, but his company is planning a tried-and-true check: Munro has ordered a DVR under a different brand name to put to the test.
The list published to Linked In only contains passwords, but Pen Test Partners has already discovered the username that works with all of them.
Unsurprisingly, it's "default." The account that accepts that username and password combination appears to be hidden, but Pen Test Partners is still investigating, Munro says.
"We will keep working on this, but whatever the conclusion, sharing super user account credentials with installers and expecting them not to leak is asking for trouble," Munro writes.
Xiongmai officials couldn't immediately be reached for comment.