Originally posted by SafeSmallTowns
Bit of a heads up about a bit of a disconcerting security issue in some ONVIF IP
cameras.
I had my eye on some low cost, Chinese OEM IP cameras because
they have good NAS compatibility (claimed Synology). They are branded as IPS,
Uvision, Gsvision, Sunvision, Aote among others. I was willing to put up with
the clunky ActiveX interface because I figured I'd only have to configure them
once and would be viewing the video through the NAS/NVR
interface.
Everything went fairly smoothly- I set the time, IP address,
changed the password- and when I went to log back in it would not accept the
same one copied and pasted. No problem- went for the old reset button and… no
reset button.
So I emailed the Chinese manufacturer, they asked for me to
give their technician access to my computer via TeamViewer so he could reset it-
I said that was not really an acceptable solution. So they sent me the default,
hard-written to firmware, root password for their cameras so I could just
remotely log-in and hard-reset the camera over telnet.
That's right, there's a root user, but you can't change the password.
Yeah- not too happy about that.
I spent a few
days going back and forth with them- explaining why, with these cameras in homes
and businesses all over the world this was a Bad Thing. Either they were playing
dumb and had to have it for the Powers That Be (as has been documented with
other network products of similar origin), or else they truly think it's ok.
Their attitude was basically that they had made a mistake in giving it to me-
and not in having one in the first place. Their "fix" was a promise to change
the hard-written root pass in future firmware revisions. Given that the password
is sent to the camera in plaintext, it's hardly likely the new one would remain
secret for long.
(In case you are wondering, even after a few hard reset
cycles the camera would still not accept a new admin password but that is no
longer really a concern for me.)
All this seems a bit insane. As we all
know few LANs are very secure- wifi is not tough to crack, we all password
protect our computers and NASs against this eventuality. As it stands, anyone
with access to the LAN that these cameras are on can take them all offline with
a few keystrokes, or reset the admin password, restore the original IP and leave
anonymous access on- so the owner would never know they had been compromised. Or
set them to forward images to an outside location.
As far as cameras that
are accessible via the Internet, many people will not change the camera's default
IP- which means that even on reset it won't lose its port mapping and video
could be viewed by anyone, anywhere. At the very least they could still disable
it. Other than that, root is root and someone with better Linux skills could
probably make more of it.
I'm posting this because as we all know there
is no security in obscurity- and if they could accidentally just email me the
root pass this is far from obscure. People have these cameras pointed at
playgrounds and in private homes- hoping they don't give the password to anyone
else (or that it is not already being used) is not really an option in my
opinion. I would never consider installing a camera with this kind of known
backdoor- perhaps others feel differently.
If you'd like to check your
camera, here is the information:
Not going to give this part
Credit to milo****