From the previous discussion, here is a con:
CON - "For professional brands, forcing you to change/set passwords on first logins would not be the right thing to do, IMO. It should be safe to assume the installer handles that task as part of a professional install.
As an example, the customer might want to set passwords and not give knowledge to the installer, or the installer might be checking some units beforehand (maybe they are installing 20 cameras, 15 they are familiar with and 5 are new models, so they bench test those to get familiar with them). Forcing password changes arbitrarily shouldn't be necessary when dealing with a "professional". So, I would not blame Exacq or others for now following that process, I would blame the installer OR the customer, that is THEIR job, not the manufacturers."
The system owner (not the integrator) should have the passwords; the passwords need to be rotated periodically to meet norms of enterprise network behavior; in reality this stuff should be hanging off RADIUS or some other centralized authentication mechanism. Using the out-of-the-box password to pass video at all is a security issue. If your VMS implementation is so cool, it should facilitate dealing with this in a reasonable manner that doesn't burden the integrator/installer or the end user.
If your Axis cameras are still on root/pass then shame on you when you fail your next network audit.
Of course, the key question is can the cameras be viewed by outside entities. In a closed system, who cares?
Very much do care "in a closed system". The "hard shell, soft center" cyber defense logic might have worked last century but definitely not today, with advanced persistent threats, expert virus writers, and overly casual integrators lugging around infected usb fobs. If your integrator has an inside-only a/k/a sloppy deployment style, find another integrator.
Rodney, I fail to see your point. Please explain how changing the password of IP cameras would protect a Surveillance system from a cyber attack or unauthorized access any more than having the system totally disconnected from the outside world in the first place and whose network infrastructure is separate from the corporate network with physical access tightly controlled in the second place?
IPVMU Certified | 04/13/14 05:42pm
In my opinion, Donald Rumsfeld's 'unknown unknowns' quote apolitically applies to password discipline here. It's not that you think you're vulnerable that inspires you change the password. It's because you don't know what abuse could potentially be stopped because you did.
Hah! You are all welcome to change the passwords on approximately 1,100 devices for us. All reasonable (read free) offers considered.
If you have sane login management attached to the devices you can change 1100 devices' passwords. That's what RADIUS is for, as an example. No, that's not common. That'd be part of why us IT folks (and the hackers) laugh at your primitive light sensors hanging off our network...
It only takes one compromised camera to make a network vulnerable.