Why did they publish the mentioned credentials in the article? To make it easy for everybody? Anyway, it is bad, bad for business. How will vendors react to it?
I think they absolutely should publish the credentials. The only way these things change is via massive pressure, and massive publicity is the only real pressure that can be applied.
There is precedent for the FTC fining manufacturers for things like this, also, but that doesn't seem to happen very often.
Pro Focus LLC | 02/18/16 10:58pm
I am all for exposing these types of security holes. It helps me dissuade clients from running to Harbor Freight and buying a DIY crap kit. These are the types of flaws you should come to expect from non-professional products.
IPVMU Certified | 02/19/16 07:11am
I think that publishing credentials in mass media in such a way is a very bad decision...
Imagine you are a CISO and suddenly you discover that your cameras are just completely without security. Questions emerging in your head:
Has anybody hacked them already?
Is someone spying in real-time?
I can't wait for the patch to come, I don't know how long I have to wait, I have to get rid of them all, do I have the budget?
How will I tell general management that our security may be, or already is, compromised?
I understand publishing a report stating that the cameras have a CRITICAL severity vulnerability which allows complete control. Then OK, my partner will tell me that (for example) and I will plan a migration. But in the described situation I need to migrate NOW! Because any script kiddie who just finished school would like to "test" my security, because he knows that it is vulnerable...
Someone can just be fired from his job because he or she missed reading a single article and some other employee accidentally read it and made "a joke" about the security department.
Resellers will suffer too. I as a CISO will ask them: why have they sold me such a piece of garbage? They should have had the competence and expertise while consulting me on a surveillance solution... Will I forget or forgive? (typically no) Will I buy something else from them? (typically no again, because I've paid them wanting them to solve my problems and it turned into another, greater problem) What do you think?
It's like publishing an exact drawing of a master key which will bypass security and open your car. Will your first thought be about the vendor and the marketing nightmare that awaits that company? Will you be happy about it? Or will you think, God, anyone anywhere can break into my car and steal it... what am I gonna do now?
Publishing credentials is not a vendor punishment... but a worldwide rise in customers' security risk.
IPVMU Certified | 02/19/16 03:41pm
Less knowledge needed to complete the attack, more people to try it... more "direct password marketing", more incidents... this is like "just do it" for the laziest...
And OK, I will not argue about knowledge of default passwords, but still, even if I know the default password I will hesitate because "they probably have changed it", and understanding that it is impossible to change it will encourage me.
I'm posting this with the very real knowledge that it may cause Ari's head to explode:
Why are DVR's sending video stills to Frank Law via a Chinese email account?
IPVMU Certified | 02/19/16 03:58pm
Probably :-)... they are mostly not hackers, just curious users...
Sounds like a job for Robin Hack...
That's what dear customers get if they choose wannabe security installers with their underpriced Chinese crap instead of professionals...
Imagine the Internet of Things with all the Chinese low cost equipment from Aliexpress :)))
IPVMU Certified | 02/21/16 12:58pm
In general, security systems now are not ready to mitigate threats for IoT...
We in the sales/support side of the business can't fix stupid. This is simply another example of how costs are engineered out of a product.
However, if the WEB VIEW / REMOTE APP VIEW runs on a separate account, and the smart end user or integrator knows how to properly pin-hole a firewall if using a dyndns-type access, then the hard-coded root makes for easy support.
As my friend in the used car biz says, "There's an Ass for every Seat."