I know that many that did are no longer doing so. Are there any major manufacturers that still are?
List Of Cameras/Nvrs That Still Ship With A Default Password
I've crossed off the ones I know, I assume there must be others...
ACTi: admin/123456
American Dynamics: admin/admin
Arecont Vision
Avigilon: Administrator/<blank>
Axis
Basler: admin/admin
Bosch
Brickcom: admin/admin
Canon: root/camera
Cisco
Digital Watchdog: admin/admin
DVTel: Admin/1234
DynaColor: Admin/1234
FLIR: admin/fliradmin
FLIR (Dahua OEM): admin/admin
Foscam: admin/<blank>
GeoVision: admin/admin
Grandstream: admin/admin
Hikvision
Honeywell: admin/1234
IQinVision: root/system
JVC: admin/jvc
March Networks: admin/<blank>
Mobotix: admin/meinsm
Panasonic
Pelco Sarix: admin/admin
Samsung
Sentry360 (mini): admin/1234
Sony: admin/admin
Speco: admin/1234
Stardot: admin/admin
Trendnet: admin/admin
Toshiba: root/ikwd
VideoIQ: supervisor/supervisor
Vivotek: root/<blank>
Ubiquiti: ubnt/ubnt
Uniview: admin/123456
Wodsee: admin/<blank>
Why did you cross off Arecont Vision? Arecont Vision ships with no authentication at all, and has not changed, as confirmed by their own FAQ.
Because I couldn't find any default creds for them in anyone's list. Didn't realize it was actually null/null.
Thanks!
Btw, I'm sure the list contains other errors as well, I just threw it together as a starting point.
If there are no other changes coming, i'll redo the list.
I don't understand the point of this list. Every device must come with a default username and password so that it can be configured. I think a more pertinent list would be cameras/NVRs that still do not prompt users to change the default passwords and/or do not enforce strong password rules.
Every device must come with a default username and password so that it can be configured.
What is the default password/user name for Axis? It makes you set it right away, before you ever login.
I think a more pertinent list would be cameras/NVRs that still do not prompt users to change the default passwords...
What do you mean by 'prompt'? Force them or ask them?
If the camera ships with a static password that does not have to be set or changed to enable operation, that is what I am looking for, as they are potential targets for mirai conscription.
"What is the default password/user name for Axis? It makes you set it right away, before you ever login."
Login direct to the admin page and/or add into any VMS with root/pass. It does make you change it in many places, but out of the box there is a default password. NOTE: This may have changed with newer firmwares in the last 6 months.
Yes, I agree it used to do this, for many months after they made the change to ask for a new password.
But, yes it seems like the new firmware works correctly. On the other hand root pass is still a valid password, and I would imagine a majority of people who would have left it root pass in the past, will just make it root pass today :(
On the other hand root pass is still a valid password, and I would imagine a majority of people
New discussion/poll: Should Axis Prohibit Using Root/Pass?
I see what you mean and agree that a forced password change should done upon first booting a device similar to how Axis does it. Of course this leads to a myriad of calls for lost/forgotten passwords when a user is put on the spot to come up with something before proceeding, but this is preferable to leaving a well known username/password combination on a device.
I believe that the Mirai botnet agents made use of the OS root level backdoor accounts that were accessible via telnet on the unsecure devices and not through the IP Cameras/NVR/DVR application that is running on top of the unsecured OS. These accounts are the real crime here, the manufacturers knowingly left back doors into these devices with passwords that could not be changed by the user. Most of these devices are built on a BusyBox Linux platform that has been traded and re-used among these manufacturers for the past 10 years without any consideration of applying the simplest of security measures to the OS. I can't say that the devices were not compromised through accessing them through the application layer, but they were definitely being infected at the OS level through this access.
I believe that the Mirai botnet agents made use of the OS root level backdoor accounts that were accessible via telnet on the unsecure devices and not through the IP Cameras/NVR/DVR application that is running on top of the unsecured OS
You are right, that is how they were compromised. However, the cameras are not likely safe if admin access is possible thru the web interface. Often, like in the case of Axis, one can just enable ssh.
Mirai is 'open source' now, so it will be extended as needed...
Even if they have enabled SSH instead of telnet, the device is still ridiculously vulnerable if they have unpublished and unchangeable root level accounts.
Yes exactly, ssh is just as vulnerable. And devices that have not (yet) changed their default passwords are as ridiculuosly vulnerable as those that cannot be changed.
Its just that the blame gets spread between two parties in the first case, but is mostly on the mfr in the second.
Ask questions and get answers to your physical security questions from IPVM team members and fellow subscribers.