Do Axis Cameras Default To No Password Required?

It's well known that Axis cameras have no default password; you are prompted, from the web client, to create an administrator password when first used or after a reset.

But, what may not be as well known is that no password is required to access the camera through VAPIX, as long as it's done before a root password is first set, e.g. by the web client.

This is not a bug either:

However, if the device is first accessed using the VAPIX API (i.e. not the GUI) there is no hard requirement from the device to enter users with proper credentials. Instead, as this is the normal way a camera is plugged into a VMS, the client application is trusted to add proper users to the device to control the access as described above. (VAPIX Authentication Guide)

VMSes typically use VAPIX to connect. So the question is, if never accessed from the web client, do VMSes force you to set a password?

And if not, would that mean that those cameras are accessible without a password, even after being added to a working system?

That blurb from the VAPIX doc is good info. I will keep that in mind.

Recently I have done some work installing Axis dome cameras using a handheld Axis T8414 viewer. The cameras were out-of-the-box new, and did reject any password other than "pass" when calling up live video with the viewer (before any configuration was done). As far as I understand the viewer uses both HTTP for VAPIX (tell camera to focus, pan, etc) and RTSP/RTP to provide video.

I agree. I have seen the same behavior with cameras after default.

So why is this not a big deal??

Axis gets a lot of kudos for forcing you to choose a root password from the web client, but if you can just bypass this by hooking them up to the VMS first, how is it better than the way that HIK got crucified for?

Still thinking I must be misunderstanding something....

I played around with this today, and reread that portion of the authentication paper you referenced. Careful reading of what you quote above says that the client (VMS) is trusted to add proper credentials, not that it is trusted to access the camera. This means that if you do not configure the camera manually, the burden of security lies with the VMS.

Quick rant on this:

I had a Q3505 in from repair today and tried this out after ensuring the camera was defaulted. In order to use VAPIX (via HTTP) or request a video stream via RTSP, username "root" with password "pass" must be given. But those methods do not force you to change the default password like accessing the camera web page does.

This is unavoidable by design, not a bad thing. There is no way to tell a VMS "you must change the password first". You can do that to a human, but it is probably the case that all the relevant protocols (RTSP, ONVIF, VAPIX) have no way of handling this.

Sure, Axis could make VAPIX do this since it is their API, but that would probably break a lot of VMS features (auto-discovery, parameter listing, etc) during configuration, and would require VMS manufacturers to change their camera enrollment procedures just for Axis cameras.

Axis has made a best effort to get users to change the default password by requiring it when accessing the camera. It would be nice if VMS manufacturers followed the same practice and provided an option to change default camera credentials.
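The post above describes the enrollment step a VMS is trusted to perform: a defaulted camera answers VAPIX with root/"pass", and it is up to the client to replace that. The script below is an added example, not Axis or any VMS vendor's code. It assumes the VAPIX endpoints `/axis-cgi/param.cgi` and `/axis-cgi/pwdgrp.cgi` (taken from the public VAPIX documentation) and includes a constructed `FakeCamera` stand-in so the flow can be run offline; the real `http_transport` uses urllib with Digest/Basic auth against an actual device.

```python
"""Enrollment check for a factory-default Axis camera over VAPIX.

Added example, not Axis or any VMS vendor's code. Rotates the root
password (the step the thread says the VMS is trusted to do) and then
verifies that the factory credentials are refused."""
import urllib.error
import urllib.parse
import urllib.request

# Factory credentials that the posts above report a defaulted camera accepts.
FACTORY_USER = "root"
FACTORY_PASS = "pass"

# VAPIX endpoints (assumed from the public VAPIX documentation).
PARAM_CGI = "/axis-cgi/param.cgi"
PWDGRP_CGI = "/axis-cgi/pwdgrp.cgi"


def vapix_url(base, path, params):
    """Join a base URL (scheme://host) with a VAPIX path and encoded query."""
    return f"{base}{path}?{urllib.parse.urlencode(params)}"


def http_transport(url, user, password, timeout=5):
    """Real transport: GET `url` with Digest (or Basic) auth via urllib and
    return the HTTP status code. 401 means the credentials were refused."""
    mgr = urllib.request.HTTPPasswordMgrWithDefaultRealm()
    mgr.add_password(None, url, user, password)
    opener = urllib.request.build_opener(
        urllib.request.HTTPDigestAuthHandler(mgr),
        urllib.request.HTTPBasicAuthHandler(mgr),
    )
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def credentials_accepted(base, user, password, transport):
    """True if a harmless parameter read (the Brand group) returns 200."""
    url = vapix_url(base, PARAM_CGI, {"action": "list", "group": "Brand"})
    return transport(url, user, password) == 200


def set_root_password(base, current_password, new_password, transport):
    """Update root's password through pwdgrp.cgi, authenticating with the
    current root password. True when the camera answers 200."""
    url = vapix_url(base, PWDGRP_CGI,
                    {"action": "update", "user": FACTORY_USER, "pwd": new_password})
    return transport(url, FACTORY_USER, current_password) == 200


def enroll(base, new_password, transport=http_transport):
    """If the camera still accepts the factory credentials, rotate root and
    confirm afterwards that the new password works and the old one does not."""
    report = {"factory_accepted_before":
              credentials_accepted(base, FACTORY_USER, FACTORY_PASS, transport)}
    if not report["factory_accepted_before"]:
        # Already provisioned (or unreachable): nothing to rotate, just report.
        report["rotated"] = False
        report["new_accepted"] = credentials_accepted(
            base, FACTORY_USER, new_password, transport)
        report["factory_rejected_after"] = True
        return report
    report["rotated"] = set_root_password(
        base, FACTORY_PASS, new_password, transport)
    report["new_accepted"] = credentials_accepted(
        base, FACTORY_USER, new_password, transport)
    report["factory_rejected_after"] = not credentials_accepted(
        base, FACTORY_USER, FACTORY_PASS, transport)
    return report


class FakeCamera:
    """Constructed offline stand-in for a defaulted camera (not an Axis
    component). Mimics the behaviour described in the thread: every request
    needs valid credentials, and pwdgrp.cgi updates the stored password."""

    def __init__(self):
        self.users = {FACTORY_USER: FACTORY_PASS}

    def __call__(self, url, user, password):
        parsed = urllib.parse.urlsplit(url)
        if self.users.get(user) != password:
            return 401
        query = dict(urllib.parse.parse_qsl(parsed.query))
        if parsed.path == PWDGRP_CGI and query.get("action") == "update":
            if query.get("user") in self.users and query.get("pwd"):
                self.users[query["user"]] = query["pwd"]
                return 200
            return 400
        if parsed.path == PARAM_CGI:
            return 200
        return 404


if __name__ == "__main__":
    cam = FakeCamera()
    print(enroll("http://192.0.2.10", "example-new-root-password", cam))
    # Second run: factory credentials are now refused, nothing to rotate.
    print(enroll("http://192.0.2.10", "example-new-root-password", cam))
```

Against a real device, pass an `https://` base so the new password does not travel in a plaintext query string, and have the VMS record the returned report: a camera whose `factory_rejected_after` is false after enrollment is exactly the "accessible without a password" case the question above worries about.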

Careful reading of what you quote above says that the client (VMS) is trusted to add proper credentials, not that it is trusted to access the camera.

I'm not entirely sure what you're getting at here. If the VMS is trusted to add an admin account with whatever password it wants, and that admin account has full rights to the system, it can access the system, no?

Perhaps we are equivocating between the human meaning of "trusted" and the comp-sci term-of-art?

Instead of "trusted to access the camera" I guess I could have said that it is not the case that the camera trusts any connection, VMS or otherwise.

My understanding is that you were concerned about Axis cameras being insecure (the practical meaning of secure here) because due to VAPIX design that they could be accessed without a password. That is not actually the case from what I have understood.

VMSes are each different in their own way. As a broad topic of discussion, VMS security is a much murkier area and we would be talking more about best practices and "what ifs" than practical security.