Are Shipping Products With Default Passwords A Vulnerability?

Any opinions?


I added a poll (and voted no).

Lots of devices ship with default passwords; I think users/installers need to bear some amount of responsibility for things.

Some things that are (IMO) vulnerabilities or bad practice would be:

1) Devices that do not support lockout after X failed login attempts

2) Devices that contain hard-coded accounts that cannot be changed (e.g. admin); users should be able to change the username of the "admin" account

3) Devices that contain unpublished "back door"/support accounts

4) Devices that have functions auto-enabled that are not critical to basic operation (telnet, ssh, phone-home functions)

Lots of devices ship with default passwords,

True. But, why do they still need to?

I think users/installers need to bear some amount of responsibility for things.

Disagree, experience shows us that users are not interested in 'bearing' any responsibility for things. They want plug and play.

And everyone else pays for it, except for them, so there is little incentive.

And what is the reason for allowing it to continue?

So that the manufacturer can make more money through fewer support calls and cheesier software?

I think in 5 years anyone shipping a network device with a default password will be laughed at, if not prosecuted.

I also believe that IPVM should take the lead in this regard to help rid the world of these problematic practices as soon as possible.

I think in 5 years anyone shipping a network device with a default password will be laughed at, if not prosecuted.

So, do you think this will also apply to manufacturers of other devices, or just IP cameras/IP accessible recorders?

Forcing users to set a password, even enforcing a strong(ish) password is not a full solution, it is a speedbump at best. What is really needed is a mechanism to prevent direct access to the devices in the first place, a scheme that does not rely on install-side port forwarding with connectivity open to the world.

So, do you think this will also apply to manufacturers of other devices, or just IP cameras/IP accessible recorders?

Yes, all network devices. The last home router I bought had a pre-assigned unique password embossed on the underside of the product.

Forcing users to set a password, even enforcing a strong(ish) password is not a full solution...

No, but it is an essential element of a full solution.

What is really needed is a mechanism to prevent direct access to the devices in the first place, a scheme that does not rely on install-side port forwarding with connectivity open to the world.

Absolutely this is needed, and slowly coming, as you are aware.

But this will only intensify the need for strongish passwords. Because of the sheer number of these dial-out devices present in the home of the future, the attack vector changes to lateral:

One rogue 'behind the line' device will have an easy time infiltrating other LAN devices if defaults are allowed. And there will be hundreds of such devices in every home.

Wow, good point. I'm gonna tout IPVM discussions here. I have never once thought about this till seeing it here. We are incredibly strict with our techs and programmers in regard to passwords. I surely don't want us to be responsible for the next large information breach.

I would certainly consider this a vulnerability if it were to be added on one of our installed systems. From time to time, we do direct ship a camera to our IT-savvy customers and have not given this any thought. We just trust that they follow their own best practices.

I think I may start presenting an email waiver to the customer if they add a camera onto the system without protection. It is no guarantee, but due diligence.

Thanks U1!

Of course it is. Hikvision has a great way around using default credentials. You must activate each device and assign your own password. They also encourage strong passwords as well.

Yes, default (or no) credentials are a vulnerability, and it's starting to become one of the biggest issues.

What concerns me is that manufacturers still don't see it as an issue. Dedicated Micro's response to reporting the issue of no authentication was terrible. Had their response been good, I wouldn't have gone to CERT for co-ordinated disclosure.

Thanks for posting and disclosing!

Interesting idea, which was mentioned above - to use a unique password to activate the device initially. The CERT states to possibly use something like the MAC address for an initial default.

  • Implement unique default passwords, even if based on something deterministic like the MAC address.

Certainly the MAC approach is far better than root:pass, but isn't it still insecure on the LAN?

Having a default username and password is absolutely a vulnerability. It is the result of security camera users' willingness to trade off security for convenience. I recall it starting when more and more security directors expressed a desire to be able to see cameras from their home or from the local coffee shop using public Wi-Fi. I would advise against these types of connections without the use of a secure VPN, but many users opted for convenience over the cost of a secure connection. Some have paid the price. Many of us are aware of the websites that post links to cameras on the public network with the default username and password still set.

It also goes without saying that the installers/integrators of these devices bear responsibility for ensuring that devices that are installed on public networks employ good IT security practices, of which not using the default username and password (if there is one) is just one of the many steps that need to be taken during install. While everyone should change the username/password, many do not. This has left camera makers no choice but to remove the default username and password from their devices to force discipline where there was none.

So while having a default username and password is a vulnerability that could have been easily mitigated, there were too many people who were not employing best practices so the vendors are left having to do it.

While we are on the subject, there are other necessary steps that good camera manufacturers should be taking, like protection against dictionary attacks, cross-site request forgeries and other common vulnerabilities, as well as improved authentication and encryption and overall hardening of the devices. As traditional computing platforms are hardened against attacks, hackers are looking for alternative paths of vulnerability. As security professionals we cannot allow our devices to become paths of entry for hackers.

This is asking two different things. The poll asks a question different from the discussion topic.

Shipping with a default password that MUST be changed during initial setup is not a vulnerability at all, whereas a default password that you are not required to ever change is indeed a vulnerability.

I haven't seen one that ships with a known default password but forces you to change it before the camera is operational in any way.

What have you seen?

Nothing that I know of off hand.

Why would you require a default password if it must be changed? Why not just not have a password?

Good point! Maybe just to have something in place to prevent plug and play in case someone got their hands on it? Not sure. I would say just having to make a password when you fire it up the first time is the way to go.

This way, the Linux permissions are set to require authentication. When the user sets their password, it simply updates the passwords, does not need to change the permissions on the file system.

I have seen a brand of camera that ships with their "old" default password, but requires you to set a complex password on first login to the web page.

In theory, this allows you to get up and running with a PnP NVR quickly.

This way, the Linux permissions are set to require authentication. When the user sets their password, it simply updates the passwords, does not need to change the permissions on the file system.

Why would it need to change permissions in any event? Whatever account is created with UID 0 will have full control.

In any event, we are not, in my experience, talking about /etc/passwd users. It seems to me that cameras usually implement their own user database...

I don't understand I'm afraid.

The first time a device starts up out of the factory, there should be no need for any authentication at all. Force the user to immediately set a good password.

Any camera that supports ONVIF Profile Q will not have a default password, but will require a password be set as part of the initial setup.

There is a good write up on IPVM already: https://ipvm.com/reports/new-onvif-profile-q-aims-to-change-discovery-and-default-passwords

Manufacturers appear to be slow adding support for this profile, but in the interests of security I think it will pick up.

ANY DECADE NOW ONVIF will be realistic, and then it'll be the cheap Chinese vendors providing it. If ONVIF delivered interoperability its baggage might be tolerable, but right now it's still just one of those features people ignore because it doesn't work.

If Onvif delivered interoperability its baggage might be tolerable but right now it's still just one of those features people ignore because it doesn't work.

Onvif didn't deliver interoperability?

it's still just one of those features people ignore because it doesn't work.

Rodney, you may ignore it but lots of people use ONVIF. Feel free to list your complaints about what specifically does not work, but it does work 'enough' for what many people need (finding, connecting and basic configuring of video) that it is widely used.

Rodney, you may ignore it but lots of people use ONVIF.

Perhaps he means for Access Control ;)