Video surveillance systems and cameras from Xiongmai are as insecure as insecure gets. A recent report on their security problems by security firm SEC Consult, concluded that the vulnerabilities were insurmountable and the hardware should be trashed. If you own any video camera system, the report is a must read.

Even worse, is that identifying vulnerable Xiongmai hardware is far from obvious, because the hardware is not sold with their name on the box. SEC Consult found over 100 different brands selling Xiongmai video surveillance systems. Fortunately, they offered suggestions on identifying the devices.

The security issues are too many for me to repeat or even summarize here. Brian Krebs also offered an overview of the issues and even cited additional security problems with Xiongmai devices that were uncovered by Flashpoint. Suffice it to say that the problems are not the result of bugs, Xiongmai clearly does not care about security at all.

Xiongmai is also known as Hangzhou Xiongmai Technology Co., Ltd. and, according to SEC Consult, they are one of the largest manufacturers of video surveillance equipment (surveillance cameras, digital video recorders and network video recorders) in the world. SEC Consult conservatively estimates that there are around 9 million Xiongmai devices online. Krebs cited Zach Wikholm of Flashpoint who believes that this estimate of the number of vulnerable Xiongmai devices is extremely conservative.

If money is no object, then clearly the safer thing to do is to discard the hardware. But, money is often an object. In that light, I offer suggestions on how you can use a router to wall off these devices rather than throw them away.

NO INTERNET FOR YOU

The first thing to do is to block a Xiongmai video system from communicating with the Internet. This blocking needs to be in both directions, from the Internet into the Xiongmai system and from the Xiongmai system out to the Internet.

Every router has a firewall, and, if its doing its job, it will prevent outsiders from connecting directly into a Xiongmai system. The Test Your Router page on my RouterSecurity.org site, links to many online firewall testers that check if popular TCP/IP ports are open, closed or stealthed. In a secure router, all ports will be stealthed. Pay particular attention to TCP ports 23 and 9527.

A TCP/IP port that is closed today, can be open tomorrow. Almost every router sold to consumers or given out by ISPs lets devices on the Local Area Network open ports in the router. Router vendors prefer to enable features rather than lock down security. Fewer tech support calls that way. The router features that enable this are UPnP and NAT-PMP. Not many routers support NAT-PMP (it is an Apple protocol) but they all support UPnP. It is best to logon to your router and disable UPnP.

The secure router that I recommend at my RouterSecurity.org site, the $200 Pepwave Surf SOHO, is rare in that it ships in a secure state. All Internet facing ports are in a stealth status and it ships with both UPnP and NAT-PMP disabled.

Blocking the Xiongmai hardware from initiating a connection to the outside world requires an outbound firewall rule in the router. Sadly, consumer and ISP-supplied routers almost never support outbound firewall rules. It is, arguably, the main feature worth paying for when shopping for a router. Anyone with Xiongmai hardware and a router that does not offer outbound firewall rules, may be better off spending their money on a router upgrade, rather than a new video system.

LAN SIDE ACCESS

Once blocked from communicating with the Internet, you might think that access to the video system is then limited to the location where it is physically located. Not true.

One way to provide remote access to a LAN is through a VPN server running in a router. Connecting to the VPN server can be secured in a number of ways, and data transferred over the VPN link is encrypted. This is the most flexible option as it allows a valid VPN user to access the LAN (and thus the camera) from anywhere in the world.

Some VPN servers/firewalls can make this even more secure by limiting the IP addresses that they communicate with. That is, if only a few locations need video camera access, then everyone else in the world can be prevented from even talking to the VPN server.

A simpler approach to do the same thing would be to allow remote control of a computer on the same LAN as the video system. RealVNC is one of many remote control products but it also offers controls over the source IP addresses that it will communicate with. Thus, a valid RealVNC user can be blocked from communicating with the desired computer if they are not at a validated physical location. Combine this with a non-standard communication port and you have a reasonably secure remote access setup.

If remote access is only needed from one physical location, another option is a site to site VPN. This may be the hardest configuration to setup up, but should be very easy for non techies to use after its up and running.

LAN ISOLATION WITH VLAN

But what of the LAN itself? What of the devices that share a network with vulnerable video hardware? VLANs, that's what.

Virtual LANs are simply groups of devices on the LAN. These groups can either be allowed to communicate with the other groups, or not. A VLAN can be one or more Ethernet ports on either a router or a switch, or, it can be a single Wi-Fi network.

Clearly, a Xiongmai system should be isolated in its own VLAN that can not communicate with devices in other VLANs. Chances are, the hardware is useless on its own, so some computing device will need to be in the same VLAN as the cameras. Still, the VLAN protects/isolates all the other devices on the network.

That's the good news. The bad news is that, again, routers sold to consumers and given out by ISPs (almost definitely) do not offer VLANs as a feature. The Pepwave Surf SOHO does. On my RouterSecurity.org site, I have a long writeup about VLANs in general and configuring them on the Surf SOHO.

STILL MORE BLOCKING

A router than can block domain names (again consumer routers, as a rule, do not) can block the domains below, provided by SEC Consult.

mac.secu100.net
pub-cfg.secu100.net
upgrade.secu100.net
xmeye.com
xmsecu.com

The company also provided a list of IP addresses used by Xiongmai devices that you might want to block in your router, if it supports this. Any router that offers outbound firewall rules should be able to block specific IP addresses.

In a separate security advisory, SEC Consult laid out a worst case scenario for Xiongmai devices, where an attacker installs malicious firmware on the devices. Such firmware would survive a reboot and could be used to attack, or spy on, other devices on the network. To get malicious firmware installed, SEC Consult postulates that an attacker would change the DNS configuration of the devices to point to the attackers version of the update server 'upgrade.secu100.net'.

Some routers can prevent this too, by imposing their will on all DNS requests. For example, if a device attached to router wants to use Google's DNS server (8.8.8.8) the router can modify or intercept DNS requests to 8.8.8.8 and force them to go to DNS servers the router is configured to use (perhaps Quad9 or OpenDNS). I blogged about this back in March: Some routers can force their DNS servers onto all devices.

The research was done for SEC Consult by Stefan Viehböck. We all owe him a big thank you.