Subscriber Discussion

List Of Cameras/Nvrs That Still Ship With A Default Password

Undisclosed #1
Nov 04, 2016
IPVMU Certified

I know that many that did are no longer doing so.  Are there any major manufacturers that still are?

Undisclosed #1
Nov 05, 2016
IPVMU Certified

I've crossed off the ones I know; I assume there must be others...

ACTi: admin/123456
American Dynamics: admin/admin
Arecont Vision
Avigilon: Administrator/<blank>
Axis
Basler: admin/admin
Bosch
Brickcom: admin/admin
Canon: root/camera
Cisco
Digital Watchdog: admin/admin
DVTel: Admin/1234
DynaColor: Admin/1234
FLIR: admin/fliradmin
FLIR (Dahua OEM): admin/admin
Foscam: admin/<blank>
GeoVision: admin/admin
Grandstream: admin/admin
Hikvision
Honeywell: admin/1234
IQinVision: root/system
JVC: admin/jvc
March Networks: admin/<blank>
Mobotix: admin/meinsm
Panasonic
Pelco Sarix: admin/admin
Samsung
Sentry360 (mini): admin/1234
Sony: admin/admin
Speco: admin/1234
Stardot: admin/admin
Trendnet: admin/admin
Toshiba: root/ikwd
VideoIQ: supervisor/supervisor
Vivotek: root/<blank>
Ubiquiti: ubnt/ubnt
Uniview: admin/123456
Wodsee: admin/<blank>

John Honovich
Nov 07, 2016
IPVM

Why did you cross off Arecont Vision? Arecont Vision ships with no authentication at all, and has not changed, as confirmed by their own FAQ.

Undisclosed #1
Nov 07, 2016
IPVMU Certified

Because I couldn't find any default creds for them in anyone's list. Didn't realize it was actually null/null.

Thanks!

Btw, I'm sure the list contains other errors as well, I just threw it together as a starting point.

If there are no other changes coming, I'll redo the list.

Undisclosed Distributor #2
Nov 07, 2016

I don't understand the point of this list. Every device must come with a default username and password so that it can be configured. I think a more pertinent list would be cameras/NVRs that still do not prompt users to change the default passwords and/or do not enforce strong password rules.

Undisclosed #1
Nov 07, 2016
IPVMU Certified

"Every device must come with a default username and password so that it can be configured."

What is the default password/user name for Axis? It makes you set it right away, before you ever login.

"I think a more pertinent list would be cameras/NVRs that still do not prompt users to change the default passwords..."

What do you mean by 'prompt'? Force them or ask them?

If the camera ships with a static password that does not have to be set or changed to enable operation, that is what I am looking for, as they are potential targets for Mirai conscription.
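Added example, not code from the thread or from any vendor: a small Python audit that checks a camera or NVR web interface for the two conditions discussed above, no authentication at all (the Arecont case) and a factory default username/password that still works. It assumes the device protects the probed path with HTTP Basic authentication (devices using Digest or a form login will not be detected by it), and the mock camera it runs against is a constructed stand-in so the script runs offline. The credential list is transcribed from the post above, plus Arecont's null/null from the follow-up; the vendor names and pairs are quoted from the thread, not verified here. Run it only against devices you are authorized to test.

```python
"""Audit a camera/NVR web interface for factory-default credentials.

Reports (a) a 200 with no credentials at all, or (b) which vendor default
username/password pairs the endpoint accepts. Assumption: the path is
protected with HTTP Basic auth; Digest or form logins are not handled.
"""
import base64
import re
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Transcribed from the list in this thread (Arecont null/null from the
# follow-up). "<blank>" and "null" both mean an empty string.
DEFAULT_CREDS_TEXT = """
ACTi: admin/123456; American Dynamics: admin/admin; Arecont Vision: null/null
Avigilon: Administrator/<blank>; Basler: admin/admin; Brickcom: admin/admin
Canon: root/camera; Digital Watchdog: admin/admin; DVTel: Admin/1234
DynaColor: Admin/1234; FLIR: admin/fliradmin; FLIR (Dahua OEM): admin/admin
Foscam: admin/<blank>; GeoVision: admin/admin; Grandstream: admin/admin
Honeywell: admin/1234; IQinVision: root/system; JVC: admin/jvc
March Networks: admin/<blank>; Mobotix: admin/meinsm; Pelco Sarix: admin/admin
Sentry360 (mini): admin/1234; Sony: admin/admin; Speco: admin/1234
Stardot: admin/admin; Trendnet: admin/admin; Toshiba: root/ikwd
VideoIQ: supervisor/supervisor; Vivotek: root/<blank>; Ubiquiti: ubnt/ubnt
Uniview: admin/123456; Wodsee: admin/<blank>
"""

# Ignore http_proxy-style environment variables so localhost probes are direct.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def parse_default_creds(text):
    """'Vendor: user/pass' entries (newline or ';' separated) -> {vendor: (user, pw)}."""
    norm = lambda s: "" if s.strip() in ("<blank>", "null") else s.strip()
    creds = {}
    for entry in re.split(r"[;\n]", text):
        if ":" not in entry:
            continue
        vendor, _, pair = entry.partition(":")
        user, _, password = pair.partition("/")
        creds[vendor.strip()] = (norm(user), norm(password))
    return creds


def probe(url, user=None, password=None, timeout=5):
    """HTTP status of one GET (Basic auth if a user is given); None if unreachable."""
    req = urllib.request.Request(url)
    if user is not None:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        req.add_header("Authorization", f"Basic {token}")
    try:
        with OPENER.open(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code
    except (urllib.error.URLError, OSError):
        return None


def audit(url, creds):
    """Return {'no_auth': bool, 'accepted': [(user, pw, [vendors using it]), ...]}."""
    result = {"no_auth": False, "accepted": []}
    status = probe(url)
    if status == 200:            # the Arecont case: nothing to guess
        result["no_auth"] = True
        return result
    if status != 401:            # unreachable, or not Basic-auth protected
        return result
    by_pair = {}                 # many vendors share admin/admin: try each pair once
    for vendor, pair in creds.items():
        by_pair.setdefault(pair, []).append(vendor)
    for (user, pw), vendors in by_pair.items():
        if probe(url, user, pw) == 200:
            result["accepted"].append((user, pw, vendors))
    return result


class MockCamera(BaseHTTPRequestHandler):
    """Constructed stand-in for a device (offline demo). REQUIRED=None means open."""
    REQUIRED = ("admin", "admin")

    def do_GET(self):
        ok = self.REQUIRED is None
        if not ok:
            token = base64.b64encode(":".join(self.REQUIRED).encode()).decode()
            ok = self.headers.get("Authorization") == f"Basic {token}"
        self.send_response(200 if ok else 401)
        if not ok:
            self.send_header("WWW-Authenticate", 'Basic realm="camera"')
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_mock(required=("admin", "admin")):
    """Start a MockCamera on an ephemeral localhost port; returns (server, url)."""
    handler = type("Cam", (MockCamera,), {"REQUIRED": required})
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}/"


if __name__ == "__main__":
    srv, url = start_mock(("admin", "admin"))
    print(audit(url, parse_default_creds(DEFAULT_CREDS_TEXT)))
    srv.shutdown()
```

Point `audit()` at the real device's login path instead of the mock URL; a non-401 first answer means the device is not using Basic auth and the result says nothing either way, which is the caveat to keep in mind before reading a clean report as a pass.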

Undisclosed Integrator #3
Nov 07, 2016

"What is the default password/user name for Axis? It makes you set it right away, before you ever login."

Login direct to the admin page and/or add into any VMS with root/pass. It does make you change it in many places, but out of the box there is a default password. NOTE: This may have changed with newer firmwares in the last 6 months.

Undisclosed #1
Nov 07, 2016
IPVMU Certified

Yes, I agree it used to do this, for many months after they made the change to ask for a new password.

But yes, it seems like the new firmware works correctly. On the other hand, root/pass is still a valid password, and I would imagine a majority of people who would have left it root/pass in the past will just make it root/pass today :(

John Honovich
Nov 08, 2016
IPVM

"On the other hand root pass is still a valid password, and I would imagine a majority of people..."

New discussion/poll: Should Axis Prohibit Using Root/Pass?

Undisclosed Distributor #2
Nov 07, 2016

I see what you mean and agree that a forced password change should be done upon first booting a device, similar to how Axis does it. Of course this leads to a myriad of calls for lost/forgotten passwords when a user is put on the spot to come up with something before proceeding, but this is preferable to leaving a well-known username/password combination on a device.

I believe that the Mirai botnet agents made use of the OS root-level backdoor accounts that were accessible via telnet on the insecure devices and not through the IP camera/NVR/DVR application that is running on top of the insecure OS. These accounts are the real crime here: the manufacturers knowingly left backdoors into these devices with passwords that could not be changed by the user. Most of these devices are built on a BusyBox Linux platform that has been traded and re-used among these manufacturers for the past 10 years without any consideration of applying the simplest of security measures to the OS. I can't say that the devices were not compromised through accessing them through the application layer, but they were definitely being infected at the OS level through this access.

Undisclosed #1
Nov 07, 2016
IPVMU Certified

"I believe that the Mirai botnet agents made use of the OS root level backdoor accounts that were accessible via telnet on the unsecure devices and not through the IP Cameras/NVR/DVR application that is running on top of the unsecured OS"

You are right, that is how they were compromised. However, the cameras are not likely safe if admin access is possible through the web interface. Often, like in the case of Axis, one can just enable SSH.

Mirai is 'open source' now, so it will be extended as needed...

Undisclosed Distributor #2
Nov 07, 2016

Even if they have enabled SSH instead of telnet, the device is still ridiculously vulnerable if they have unpublished and unchangeable root level accounts.

Undisclosed #1
Nov 07, 2016
IPVMU Certified

Yes, exactly, SSH is just as vulnerable. And devices that have not (yet) changed their default passwords are as ridiculously vulnerable as those that cannot be changed.

It's just that the blame gets spread between two parties in the first case, but is mostly on the mfr in the second.
