Subscriber Discussion

ADI Declares: "Don’T Give The End-User The 'Admin' Or 'Root' Level Password"

Avatar
Ross Vander Klok
Dec 02, 2016
IPVMU Certified

This article from the ADI blog brought up a question for me. How many of you folks abide by their #1 rule. I will refrain from commenting until I see what you all think!

Vote:

Avatar
Josh Hendricks
Dec 02, 2016
Milestone Systems

I think that should depend on the business relationship between the customer and the integrator. If the integrator is on the hook for ongoing service/support I think it is fair that part of the condition is that the integrator retains administrative access. Think of it like a warranty label/sticker on a physical box. As soon as that is broken, all bets are off.

I don't think most integrators "lock out" their customers from their own systems though. Sometimes that comes back to bite them (or the manufacturer/software vendor) because the customer may know just enough to be dangerous, but most of the time it's fine. And a lot of the time it's the customer's infrastructure anyway, so the integrator has no right or ability to lock them out.

(3)
U
Undisclosed #1
Dec 02, 2016
IPVMU Certified

And a lot of the time it's the customer's infrastructure anyway, so the integrator has no right or ability to lock them out...

They don't have the right, but they have the ability, and will use it, if that is the way they operate.

Control4 HA products are* a good example of this:

  1. Propreitery hardware
  2. Propreitery software
  3. You buy it and own it
  4. Must buy thru integrator
  5. Integrator has software you don't
  6. Only Integrator has root password
  7. Any hardware addition or reconfiguration, besides the most trivial goes thru integrator
  8. Can't buy/sell hardware on eBay because won't work with Cloud

You can get rid of your integrator, but you just get another one assigned to you.

The ultimate lock-in program for integrators.

*unless they changed recently

Avatar
Ross Vander Klok
Dec 02, 2016
IPVMU Certified

Do people actually use them? Proprietary software I get, but the rest is crazy in this day and age. As an end user when I buy something it is mine. That sounds like a lease program that would require a rip and replace to do anything different so who would agree to be locked in like that?

I would think even an integrator would not want to take that risk. Something happens to the company/hardware/software and you are stuck trying to explain to your client that you are both out of luck? No thanks.

U
Undisclosed #1
Dec 02, 2016
IPVMU Certified

Do people actually use them?

Yes, they went public a while ago, today they have a market cap of 250 million, so somebody must be using them.

Thing is people don't really know to ask the right questions, so it is quite shocking to some when they realize the situation.

They think of it like buying a big screen tv with installation.

My excuse? I got the hardware for free from my brother-in-law. Once I figured out what was up I looked around for the default root password online, got a shell and proceeded to fubar the entire system.

When I finally got it going again I developed a rogue device with COTS hardware, a huge touchscreen controller, unlike any at the time.

I also was summarily kicked off the official forum for "hacking" my own system. Fortunately, IPVM was willing to look past my shady past and I was able to seamless transition to a Pro Membership here.

lol, here is the heretical video:

(2)
(2)
U
Undisclosed #2
Dec 02, 2016

Regardless if I install it myself or our installer sets it up, if our company paid for it we want the admin level access. As for passwords, once the system is commissioned I change the admin passwords, no repeats, on everything from cameras, switches, even copiers. If a technician needs a login or password I will gladly share...then I either change or disable as appropriate. Does it sometimes piss people off? Yes. Does it re-secure our systems? Yes again.

One time I had a tech who really didn't like having to ask for the door PIN each time, or maybe he just didn't like me...I offered a compromise...I would give him a 24x7 door PIN if he would be share his home alarm code with me the next time he went on vacation.

Then again, I'm sure we all know someone who never even thought they were allowed to make changes to their Wi-Fi once their ISP set it up in their home...

(3)
(1)
JH
John Honovich
Dec 02, 2016
IPVM

Ross, great topic. I changed the title to "ADI Declares: "Don’t give the end-user the 'Admin' or 'root' level password". This way it's clearer what is being asked without having to click over or guess.

I also added a poll up top.

(1)
(1)
Avatar
Armando Perez
Dec 02, 2016
Hoosier Security and Security Owners Group • IPVMU Certified

We prefer to give the client their own admin level credentials. If they dont want that, then we request permission for an additional user for us to use as our admin login. If they dont want that either then we notate it on the service order so its acknowledged when the work is done that we will retain no login credentials and thus have no way to remotely support the system unless they provide valid credentials, we also request and document the request that we have asked them to change the main admin password. At the end of the day, the client owns the equipment and if they want to lock us out, thats their right. However, it makes things much easier for us (and them) to be able to login as an admin when an issue arises. We also use a unique password for each client.

(4)
(2)
Avatar
Jon Dillabaugh
Dec 02, 2016
Pro Focus LLC

Before reading comments, I want to say that I always give the owner or authorized management all credentials. If they choose to use them and mess something up, they can simply pay me to fix it. It is their system, they paid for it.

This may be different if it was a leased system, but I don't offer leases anyway.

(4)
(1)
MM
Michael Miller
Dec 03, 2016

We setup our customers with the "master" admin account and then we set up an account for us to use to program and manage the system. I tell the end user to change the password on the "master" account and store it in a safe place. I then have them setup another account to use the system. With us having our own account it lets us track who made changes in the system and for the customer to remove us from the system if they like. If they screw up the system they pay us to fix it. If they remove us and lose the "master" account they pay us a lot to rebuild the system.

(1)
(1)
U
Undisclosed #1
Dec 03, 2016
IPVMU Certified

To be clear, ADI is not advocating a customer lockout from admin functions, only from changing the top-level admin account:

Don’t give the end-user the “Admin” or “root” levelpassword

This is the cause of most problems such as the one described above. Only the installing/servicing company should retain the top level username and password. Most devices allow permissions to be granted that allow users to perform any function including the issuing and deleting of user passwords. That user, however, will not have the ability to alter the “Admin” top level password.

I have not tried to delete the built-in admin account by using another admin-level account, so I'm not sure how many devices actually work like described above. Anybody?

(1)
Avatar
Armando Perez
Dec 03, 2016
Hoosier Security and Security Owners Group • IPVMU Certified

Most systems I have worked on wold not allow another administration level user to modify the "admin" account credentials. granted, it's been a while since I've been in a position to check that frequently.

U
Undisclosed #1
Dec 03, 2016
IPVMU Certified

Strictly speaking in Linux, there is no standard account type that has all the powers of root, except the ability to change root.

All accounts with uid 0, are equally powerful.

Of course, the capability can be added in higher levels, but it's worth taking a look to see if and how.

Avatar
Marty Major
Dec 03, 2016
Teledyne FLIR

This is an interesting topic.

I'm not sure I could agree with anyone who espouses the position that locking the customer/owner out of their own stuff is legitimate on any level. It is their stuff - they paid for it.

Do customers mess stuff up when they have this root access? Of course they do. Happens all the time, as any service company can attest.

But a LOT of the integrator posters above show that they have this covered already. They have specific plans in place that address this root level access and the responsibilities that possessing these creds bestows on those that possess them.

You simply have to address the issue with the customer so everyone is on the same page - like we should also be doing for other potentially pain/$$loss-inducing things like exporting video, audio laws, etc.

(1)
Avatar
Lysander Bone
Dec 05, 2016

The quickest way to permanently loose my business is to keep a "back door" into my system. As an "End User" I want my systems to be as secure as possible. The only way I can ensure that is to maintain control of the avenues by which the systems can be accessed. As a Security Professional, I know how to control passwords and logins and I am savvy enough to keep a copy in a secure location that requires two-person access to retrieve. That way, if something happens to the "gate keeper(s)", you can still obtain the information and continue operations.

I have a great deal of respect for this industry and I am aware that not all end users are at the same levels of awareness or abilities. That said, I believe the better approach would be to have the discussion with your customer and help them understand the ramifications, costs, etc. Then you have an informed customer that can make an informed decision. The final decision must belong to the customer.

(5)
(1)
JH
John Honovich
Dec 05, 2016
IPVM

Lysander, thanks for an excellent first comment!

To your points, I would also add that this approach is a risk to the end user, i.e. ADI's explanation that:

Most devices allow permissions to be granted that allow users to perform any function including the issuing and deleting of user passwords. That user, however, will not have the ability to alter the “Admin” top level password. [emphasis added]

Having an outsider have access that I, as the end user / owner, cannot override or block is a security risk. Also, a problem if the owner wants to change installers / providers (which might be an unstated benefit for some).

(1)
Avatar
Armando Perez
Dec 05, 2016
Hoosier Security and Security Owners Group • IPVMU Certified

On that note, our contract requires us to give the client any pass codes or passwords they request if they ever request it. For alarms it's only upon termination due to the massive liability of having a client change their own programming that cannot be contracted away. but for video, we are contractually oblighted to give them the administration password if they request it, even if they have allowed us to keep administration rights.

This goes a long way towards proving our intentions of providing the best service we can, but I don't believe everyone puts that in their contract.

(2)
WS
William Smith
Dec 05, 2016
IPVMU Certified

The end user paid for the system and therefore should have all rights to all levels for full control. If the end user miss uses that right, the end user will have to pay to correct the issue. If the end user contracts out the service/support, the end use would still need and should retain full access for verification/audit functions. The big problem is full ethical disclosure of access/root levels and access rights info to the end user prior to negotiating the sale of the system or service contract.

(1)
(1)
JH
Jay Hobdy
Dec 05, 2016
IPVMU Certified

For the majority of users, we give them just enough access to do what they need, and usually not admin rights. If we are ever asked for admin, we gladly give it, and explain if they mess it up, we are glad to fix on a billable basis :)

So we don't give them the rope unless they ask for it.

But it is their system and I agree with giving them full rights.

Our systems are not covered under any maintenance contracts.

(3)
(1)
aK
athanasios Kalavritinos
Dec 12, 2016

Absolutely disagree. A computer has much more valuable information than a camera, just as easy to hack and can do more than a hacked camera.

Yet I don't think the people who agreed with this pole would also agree to having a laptop without the admin password or BIOS/UEFI access.

DL
David Lieberman
Dec 12, 2016
IPVMU Certified

If I buy the system, the system is mine in its entirety, including the top-level credentials. I won't retain an integrator who withholds the credentials from me. There is too much opportunity for abuse,, such as: 1) withholding credentials as a means of generating service calls for simple issues and 2) locking themselves in as the service provider for as long as they are the sole holders of the credentials. These concerns have played out at our site historically.

If the integrator has a concern about the client doing harm to the system, then they should have that conversation, but the final decision is the client's.

(4)
(1)
Avatar
Ross Vander Klok
Dec 12, 2016
IPVMU Certified

Well said and this is exactly how I feel about the question.

Avatar
Ari Erenthal
Dec 12, 2016

A lot of integrators get real stubborn about this when it comes to alarms, because RMR is so important in that segment. Which is why alternatives like SimpliSafe are looking more and more attractive.

DL
David Lieberman
Dec 13, 2016
IPVMU Certified

I agree with your statement, Ari, but the best -- and most ethical -- means of ensuring RMR is providing a quality product and good service at a reasonable price. Withholding credentials to ensure RMR is an indication that a vendor cannot -- or is unwilling to -- provide them.

(1)
aK
athanasios Kalavritinos
Dec 14, 2016

I think you got me wrong, I voted Disagree on the poll. I agree with you and think that users should Admin details.

UI
Undisclosed Integrator #3
Mar 27, 2017

Its entirely based on the contract wording and which parties assume liability. How many integrators here have experienced the client ever actually admitting they went into the system and "messed things up"?

What happens when there is a loss and the client comes gunning for you to take responsibility? Is your liability and E&O insurance carrier on board with your password policy? 

if the integrator retains liability for system performance, then allowing any other party, end user included, to enter system and make alterations, is plain old nuts. Maybe you will prevail at trial. But who wants to go through all that? 

New discussion

Ask questions and get answers to your physical security questions from IPVM team members and fellow subscribers.

Newest discussions