Are Shipping Products With Default Passwords A Vulnerability?

I added a poll (and voted no).

Lots of devices ship with default passwords, I think users/installers need to bear some amount of responsibility for things.

Some things that are (IMO) vulnerabilities or bad practice would be:

1) Devices that do not support lockout after X failed login attempts

2) Devices that contain hard-coded accounts that cannot be changed (eg: admin), users should be able to change the username of the "admin" account

3) Devices that contain unpublished "back door"/support accounts

4) Devices that have functions auto-enabled that are not critical to basic operation (telnet, ssh, phone-home functions)

Wow, good point. I'm gonna tout IPVM discussions here. I have never once thought about this till seeing it here. We are incredibly strict with our techs and programmers in regard to passwords. I surely don't want us to be responsible for the next large information breach.

I would certainly consider this a vulnerability of it were to be added on one of our installed systems. From time to time, we do direct ship a camera to our IT savvy customers and have not given this any thought. We just trust that they follow their own best practices.

I think I may start presenting an email waiver to the customer if they add a camera on to the system without protection. It is no guarantee, but due diligence.

Thanks U1!

Of course it is. Hikvision has a great way around using default credentials. You must activate each device and assign your own password. They also encourage strong passwords as well.

Yes, default (or no) credentials are a vulnerability, and it's starting to become one of the biggest issues.

What concerns me is that manufacturers still don't see it as an issue. Dedicated Micro's response to reporting the issue of no authentication was terrible. Had their response been good, I wouldn't have gone to CERT for co-ordinated disclosure.

Having a default username and password is absolutely a vulnerability. It is the result of users of security cameras willingness to trade off convenience for security. I recall it starting when more and more security directors expressed a desire to be able to see cameras from their home or from the local coffee shop using public Wi-Fi. I would advise against these types of connections without the use of a secure VPN, but many users opted for convenience over the cost of a secure connection. Some have paid the price. Many of us are aware of the websites that post links to cameras on the public network with the default username and password still set.

It also goes without saying that the installers/integrators of these devices bear responsibility for ensuring that devices that are installed on public networks employ good IT security practices, of which not using the default username and password (if there is one) is just one of the many steps that need to be taken during install. While everyone should change the username/password, many do not. This has left camera makers no choice but to remove the default username and password from their devices to force discipline where there was none.

So while having a default username and password is a vulnerability that could have been easily mitigated, there were too many people who were not employing best practices so the vendors are left having to do it.

While we are on the subject, there are other necessary steps that good camera manufacturer's should be taken, like protection against dictionary attacks, cross site request forgeries and other common vulnerabilities. Improved authentication and encryption and overall hardening of the devices. As traditional computing platforms are hardened against attacks, hackers are looking for alternative paths of vulnerability. As security professionals we can not allow our devices to become paths of entry for hackers.

This is asking two different things. The poll asks a question different from the discussion topic.

Shipping with a default password that MUST be changed during initial set up is not a vulnerability at all. Whereas A default password that you are not required to ever change is indeed a vulnerability.

Any camera that supports ONVIF Profile Q will not have a default password, but will require a password be set as part of the initial setup.

There is a good write up on IPVM already: https://ipvm.com/reports/new-onvif-profile-q-aims-to-change-discovery-and-default-passwords

Manufacturers appear to be slow adding support for this profile, but in the interests of security I think it will pick up.

ANY DECADE NOW OnVIF will be realistic and then it'll be the cheap Chinese vendors providing it. If Onvif delivered interoperability it's baggage might be tolerable but right now it's still just one of those features people ignore because it doesn't work.