If you think that XM has a poor response, read THIS and scroll down to the Vendor Contact Timeline.
SEC Consult, in coordination with ICS-CERT, contacted CN-CERT on 04 September 2018 but CN-CERT only responded with a generic response on 27 September 2018.
So why would XM "care" when the PRoC government isn't even attempting to help?
the researchers advise companies stop using any OEM hardware that is based on the Xiongmai hardware.
And here is where the problem lies.
1. Majority of customers are private use or household.
2. Majority of the home use don't have access to vulnerability information like this.
So this means, their sales will still continue on.
Another thing, XM is an OEM company. They don't have a "brand" themselves. They leave it upon their "partners" to put a badge and sell the product. How easy is it to re-brand and/or re-badge a dodgy camera like this? Different brand, different "model", different form factor? For companies in PRoC, `tis a matter of minutes.
The only way is to get FCC to put a "ban notice" (or something in this word) that will halt the importation and sale of these cameras. Only money (or lack of) will make XM pull their head in.
Biting the hand that feeds IT
