It assumes the local LAN and every user on it should be considered trustworthy. That's not a great idea. I've seen things like smaller schools which didn't have an IT staff who could set up a VLAN for the cameras. I'm not sure I'd put all students in the trustworthy category. Also a lot of smaller installs in SMB aren't going to have isolated cameras. And if they are watching for employee theft then it may be reasonable to assume they may not be trusted with the camera system.
Less likely but still possible is the idea that the LAN can be compromised from outside attack. While it's extremely unlikely that a hacker would be working with a group looking to break in, there can still be danger. Axis had a very old issue where you could upload things via FTP and run them in the Linux environment. There wasn't a lot of memory there but enough for a small port scanner or other tool. Future issues along those lines are still possible.
So you can't just have default passwords that are left that way. The passwords need to be changed. And documented.
IPVMU Certified | 03/07/16 01:00am
Then all those routers with default password on Shodan let you reconfigure things so you can see all the cameras with default passwords?
Can anyone say why manufacturers who have not yet implemented systems to force a complex original password should not take the simple step of denying the default password from the WAN? At least in the interim while developing a comprehensive new scheme and mitigating the business issues surrounding that.
This is code-wise as simple a change as there is, far less than a sophisticated new password scheme which would likely touch many areas and require extensive testing and support changes.
With virtually no negative ramifications to the user base and the elimination of 99% of the hacking, what is the reason for not taking this easy step?
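The WAN-side denial of factory-default credentials proposed in the comment above, sketched as an added example (not part of the thread and not any manufacturer's firmware). The `admin`/`admin` pair, the addresses and the function names are constructed for illustration, and "WAN" is approximated as any peer outside the camera's own subnet.

```python
import hmac
import ipaddress

# Constructed factory credentials for a hypothetical camera, not a real vendor default.
FACTORY_DEFAULTS = {("admin", "admin")}


def is_local_client(client_ip, iface_cidr):
    """True if the TCP peer is on the camera's own subnet, link-local or loopback."""
    addr = ipaddress.ip_address(client_ip)
    # Dual-stack listeners report IPv4 peers as ::ffff:a.b.c.d; unwrap them first.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    net = ipaddress.ip_interface(iface_cidr).network
    # A v4 address is never "in" a v6 network (and vice versa), so this is safe.
    return addr in net or addr.is_link_local or addr.is_loopback


def authorize(username, password, accounts, client_ip, iface_cidr):
    """Return (allowed, reason) for a login attempt.

    client_ip must be the socket peer address, never a request header.
    A router or proxy that rewrites source addresses (SNAT, reverse proxy
    on the LAN) makes remote clients look local and defeats this check.
    Plaintext storage is a simplification for the demo only.
    """
    expected = accounts.get(username)
    if expected is None or not hmac.compare_digest(
        expected.encode(), password.encode()
    ):
        return False, "bad-credentials"
    if (username, password) in FACTORY_DEFAULTS and not is_local_client(
        client_ip, iface_cidr
    ):
        return False, "default-credentials-from-off-subnet"
    return True, "ok"


if __name__ == "__main__":
    iface = "192.168.1.64/24"          # constructed camera address and mask
    untouched = {"admin": "admin"}     # installer never changed the password
    for peer in ("192.168.1.20", "::ffff:192.168.1.20", "203.0.113.9"):
        print(peer, authorize("admin", "admin", untouched, peer, iface))
```

The check only narrows exposure: anyone on the camera's subnet can still log in with the unchanged default.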
Pro Focus LLC | 03/08/16 01:44am
Why not just give a fake default gateway? Instant local only filter!