Arecont and Bosch - Default Security Risk

Author: IPVM Team, Published on Dec 14, 2015

Default passwords are a major security risk, enabling hackers around the world to access and control devices like IP cameras (using Shodan, turning devices into bitcoin miners, etc.). Because of that, many manufacturers now force changing the default password and using strong passwords.

But two very well known manufacturers, Arecont and Bosch, continue to take the opposite, risky and irresponsible route.

******* ********* *** * ***** ******** ****, ******** ******* ****** the ***** ** ****** *** ******* ******* **** ** ******* (using******, ******* ******* *********** ******, ***.). ******* ** ****, **** ************* *** ***** ******** the ******* ******** *** ***** ****** *********.

*** *** **** **** ***** *************, ******* *** *****, ******** to **** *** ********, ***** *** ************* *****.

[***************]

*******

**** ** *******'* ********:

"******* ****** *******do *** **** **** ************** *******. To enable authentication, access the web interface of the camera and click either the 'Administration' or 'System' tabs. Passwords can then be configured for the Admin and Viewer user names. Note that custom usernames cannot be created, only the 'Admin' and 'Viewer' user names are available for usage.

******** ****limit ** * ********** MAX with letters and numbers only. No ******* ******."

*** **** *** ****** ****** ** ******* ****** ****** * user ********** ******* **************, ******* ***** ** **** ** *** up * ****** ********.

*****

***** **** ***** **** ** ************** *** **** ***** ** as * ****** ** * ******* '*** ***** ********* ******'************:

"** ***'* ******* ******* ******** ** *** **. ** **** telnet ****.... ***** ***** ** ******, ** *******, ***** **** you *** **** *********** ** ** *********."

**'* ********* ********, **** ******** * ***** ******* ******* *** locks ** *** *****.

UPDATE: ***** ********

******** ** *.** ********, ***** ******* ***** ** *** * password, **** **** ***** ********* **** ********** ** *** ******'* web *********. **** **** ** ******** ** *** ** ******* and **** ** ********, ****** ******* ** *********, ***** ***** users ** *** ***.

******** ** ***** ***** ** *** ******** ***** ****, **** a ***** ******* ******** "********." **** **** *** ******** ** this ******* *** * ********** **** *** ******** ********* *** lowercase *******, *******, *** * ******* *********, *** *** ***** only ******** ** "******." ****** ********* ******* ** ********** *** a *** ** ***** *****.

*******

*** ******* **** ********** ** ** ************** ** **** **** users *** *********** **** ***** *** ** * ******** ** not ********. ** * **** **** ****,**** * ***** ** ********* **** ***** ********* ********* ****** ** "**** ** *** time."** ******* ****, * **** **% **** **** ************* ****** ** ******* to ***** ****** *********.

**** ** **************/******* ********* *** ** ****** **** ** ******** incidents ** *** **** *-* *****, **** ******* ************ ********* ******* *******, ** ***** * ******* ********'* **** **** ******** ******** and ***** ****. *** ** *** ******** ******* *****, ********* consumers, ** **** (***** ****** ******** - ************* ************,*** ****** ************ ******* - * *******).

***** ***** **** ******* *********, *** **** *********** **** *******, *******, *** ********** ***** ** ******** ******** ** *** **** ****, ******* and *****'* ******** ***** *************, ** ****.

****

***** ***** ******** *** *** **** *********** **** ******** ****, Arecont *** ***** ***** ***** ********* ** *********** *** *********** competitive ****.

Comments (7)

**** * ***** ************* ******** ** ******** ******** *******. ***** devices *** ** ****** ** * ***** ** ****** ********. They *** ******* **** *** ** *** **** ** **'* network *** **** **** ** ********** **** **** **** **** may ** *** ****** ******* **** ****** ** *** **** video, *** *** **** ***-******* ** *** ******* ******* **** attacks. * ***** ***** ****** **** *** **** **** "******" the ******** ** **** *** ***** ** ********** **** ******* a ******** ***** ** (**** * ******* ****) ** * good **** ******* *********** **************.

***** *** ******* - *** * *****. **'* *** **** hard ** ****** **** ***** ******* *** ******** ** ****** tight ******** ** **** *******. ***** ** **** *********, *** your ****. ** **** ***'* **** *** ****** ** *********** to ****** *** ******** *** ****** ** **** ** *** bench *** ****-**, **** *** *******'* ** ******* ** **** in *** ***** *****.

****'* *** ****? **** ***** **** **** - ***'* ***** that ******* ***** ********** *** ****. *** *** ****** *** hacked * *** ***** **** - ** **** *** **** wasn't ******* *** **** ** ** ******* ******. *** **** VARS ******* *** ** ***** ****** ** *** ******** ********?

* ******** ********* **** ****** ******** ********** ** ******* **** IP ***** ******* *** ****** *********** ********* ** ****** ***** devices *** ********* ** *** *** **** *********'* ***** ************* to ****** **** ***** ********* ********* **** *** **** ***** end ********* *******.

*'** **** **** ******, *** ******** ******** ******** *** *** to *** **** *** *******, *****. **** ******* ***** *** it, *** **** *** ***** ******* *** ** ** ********** - **** ** *** ***-***** *** ***** ******* *** **** in *** *********** *** ********** *********** ** **** ***-*********, **** and *********. ** **** ** **** ** **** *** ************ of * ****** ********* ************.

***** ******* **** ** ********* **** ** **** *** ******* is *** *******. *** ******* ** * ****** ******* **** needs **** *** *******. ***'* ***** ****** ** ** *** name, ******** *** **** *** ** ***** ****** ***** ******** by ********** *** ****** **** ***** ***** *** **** ************.

******** **** **'* ****, * ***...

****, * ******* **** ******* *** ***** ******* ********:****** * ******* **********. **** *** *** ********* **** *** to**** **** ********, *** ** ** ****** *************** ********.

** *** ****** *** ******, ******* *** ***** ********* *** viewing ** *** ***** ****:**** ** *********.

* ***'* ******* **** ***** ***** **** ****** ****! **** is *****.

* ** ******* ** **** ******* **** *** **** **** allowing *** ** ************** ** ******* ** * **** ****. Here ** *** ***:

**'* * ***** ******** ** ****, ******* **** ** *** know ***** *** ***** ******* ********* *** **** *** *** easily **** *** ** ********.

***** ** ** *****, *** *** * ****** ** ********* this ***** **** * **** **. *** "*** *****" **** does *** ****** ** **** ***** *** ****** **** *** well ****** ***** *******. * **** *** ***** ******* ** the ************ *** **** ******* **** **** ** **** *** make ** **, **** ** *********. ** (******* ****** **** have **** ** *** ******** ******** *** **** **** **** minutes) *** ***** ******* ** *********, ********** *** *********** ** IP ******** ****** *** ** **** **** ***** ** *** quite **** ****. ** ** *** ***** ** *********** ** you ***** **** *** ***** *******. *****, ** ***'* ***** it *****, ** **** ******* ** *********** *** *** ** is ********* ** *** ******. * ** **** ********* **** there *** ****** ** ****** ****** *********** *** ********* ****** passwords. * ** ******* ** ********* (******* * **** *** entire *******) **** *** ***** ** ****** *** **** *** HVAC ****** ****** *** ********** **** ** *** **** ** their ***** *** **** *** **** ** **** **** ****** overworked. **** ****** *** ****** ** **** *********** *** **** happens ** ***** ******* ****** ****? ** ** ***** *** within ***** **** ********** *** ** ***** ** ***** ***** to ****** **** ****** *** ***** *********** ** ********* ***** customer ***** ******* *** ************ ** ******** ******* ** ***** vendor. ****** **** **** ***** **** *** ** ***** ******* vendors ** ******, ********* ** *********, ***** **** ***** ***** responsibility ** ******** *** ******** ** *********** *** *** *********** so **** ***** ********* *** ***** ***** ** ***** ******, which ** ********** ***** ***, *** **** **** ***** *** their ************.

* ** ******* ***** **** *********** *** *********** ********* (**). IA ** ** ***************** ***** ********* ********** ** ** ** an ***************** ***** ********* ********* ** ********, **********, **** **********, fraud ***********, ******** *******, ********** *******, ******* ***********, ******** ***********, and ***********, ** ******** ** ******** *******. ***** ** * perception ****** ** **** **** ***-***** *********** *** ******* **** men *** *** **** ************** ********* ** ******** ***** ***-***** concepts, **** ** **** ** **** ************ **********, ***** ** fact, ** **** ** ***** ******. ** *** ** *** not **** ** *******, *** *********** ********** *** *** ****** security *** ** **** *** ***** *** *** **** *** network.

* ** **** * ****** ******* ** **** ********** **** any ****** **** **** *** **** ** *** ******* ***** certification ** ****** *** ******* ***** ********* ****. **** ** those *** *** ****** ****** *** ******* ******** ********* ****** meet * ******** **** ***/*** ***** ********* ****** *** ******** of *** ******** ** ********* *** ******* ******** ******** *************. Where ** *** *******?

*** ***** ********** **** ** *** **** ***** ******? ** be ****. * ********** **** **** ********** *********** **** ******* security, ************ ****, ******* *** ** *** ************** *** *******.**** ** ** ** *** ********* *******.*** ** ** ***** *** ****? ** **** *** *********** fault? **** ** **** **** *** ********? * **** **** this *** *****, *** * **** **** ** ** **** board; ****** *** ***** ***** *** **** ****** ********* ******* (and * **** ** *** **** ** **** ** ******** codes - *** ***************) ***** ** ** *** ** *****.

***** **. *****, *** * ********* ** **** ******* *** sir, *** **** "*******" ***** * *** ****** ** **. But **** ***** ** ****** **** *** ***** **** * broad *****.

**** - * **** ** *******. *'* ******* **** ** "broad *****" ** ** ********** ** ** ******** *********** **** VARS *** ***********. * **** *** **** *** **** **** the ***** ** ** ***************. *'* ******* **** *** **** had, ***** **** **** ********, * ****** **********. ** *** whether *** ******** ** ** ** ***** (*** *** *****) - *'* **** ** ******** ********.

* ******* **** ******* (*************) **** * ************** ** **** their ****/********** ** *** ***** *********, *** ** ***** ****** than ** ******* *** ***-********.

***-*-*** ** (*********** *********), **** *** ******* ******** ** *** Manufacturers. **** * *** ** *** ****** ******** ** ******* camera ********* ** *** ******* **********, *** ******** ****** **** up, "** **** ******* ** *********?" - ** ** *********, there *** **** *** ** *** ******** **** ******** **** the **** ********** **** ** (**** * ******** ***********). * only ***** * ***** ******* ** ** ********** **** *********** edge *******. **** ***** ***** *** ** **** ******* ** passwords *** ******** ********** **** ******* *********, ********** *** ********* of ******. **'* *** ** *********** ** ***** ****** ***** as *** ***** *****.

** *******, * ******* ******** ********** ***** ******** ** **, the ******** ********, ****** ** ** *** ********* ** **** process *** ****** ** ****** ** *********** ********. ***** **, in *** *******, **** ******* *********** ** *** ******* *****. We *** **** ** ***** (**) ************** *** **** ** be **** ******** ** **** **************.

***** *** *** **** ******** -

**

Login to read this IPVM report.
Why do I need to log in?
IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

Related Reports

Sony IP Camera Backdoor Uncovered on Dec 06, 2016
A backdoor has been uncovered in ~80 Sony IP camera models, attackers can remotely enable telnet on the camera, and then potentially login as root,...
XiongMai Master Password List Emailed By Chinese Spammer on Dec 05, 2016
XiongMai created an international uproar as their devices drove massive botnet attacks of major Internet sites. After pledging to recall cameras...
Hikvision Cloud Security Vulnerability Uncovered on Dec 05, 2016
A security researcher uncovered a critical vulnerability in Hikvision's global cloud servers. This vulnerability allowed an attacker to remotely...
Hikvision 'Phone Home' Raises Security Fears on Nov 10, 2016
The escalating attention towards Hikvision's China government ownership and Genetec's removal of Hikvision due to cyber security concerns has...
Genetec Expels Hikvision on Nov 08, 2016
Genetec has removed support for Hikvision devices, deeming them 'untrustworthy', citing customer concerns about Chinese government ownership /...
Now Knocking A Country Offline - The Video Surveillance Driven Botnet Wreaks Havok on Nov 03, 2016
The video surveillance driven botnet is now attacking an entire country. The Mirai malware that took advantage of poor security in Xiongmai, Dahua...
Dahua Says They Are Botnet Attack 'Victims' on Oct 26, 2016
'Victim' or 'accomplice'? Dahua has issued a new press release, referring to their products as 'victims' of the massive botnet attacks hitting the...
The Xiongmai Botnet 'Recall' Will Not Work on Oct 25, 2016
The Xiongmai 'recall' has been the topic of global news, following the unprecedented bot net attacks that use their equipment, among...
Video Surveillance Manufacturers Risk Lawsuits For Botnet Attacks on Oct 24, 2016
The unprecedented scale of internet outages on October 21st from botnet attacks risk triggering lawsuits against video surveillance manufacturers,...
Hacked DVRs Surge To 400,000 on Oct 19, 2016
The global internet is under attack from record breaking botnets. And it is getting worse, Mirai doubled in size in the last month. Shamefully,...

Most Recent Industry Reports

Knightscope - $122,509 Revenue, $2.5 Million Loss Seeks $20 Million Investment on Dec 09, 2016
The robot that ran over a child, Knightscope, wants money and they need it. Investors can invest as little as $1,000 to participate and...
The Russian SMP Security Robot on Dec 08, 2016
A Russian manufacturer, SMP, has a commercially available outdoor security robot, at a lower price and with much less marketing than their main...
How Hikvision Beats Its OEMs on Dec 08, 2016
Hikvision GM declared that they are not aggressive with their competitors. But some of their own OEM partners disagree. Inside, we reveal a key...
Dahua Discontinuing H.264 Only Products on Dec 08, 2016
Dahua has taken a stand for H.265 and is discontinuing its H.264 only products. We examine the shakeup inside this...
IP Networking Course January 2017 on Dec 08, 2016
This is the only networking course designed specifically for video surveillance professionals plus it includes live training, personal help and...
Hikvision vs Dahua Mobile Apps Tested on Dec 07, 2016
With smartphone use and low-cost video recorders surging, many user's main interface to their surveillance system is their phone. With mobile video...
Paxton Drops US Reps, Plans Major Expansion on Dec 07, 2016
Paxton is gearing up to make a big run at  US access control success. The first step they have made is to cut all US Rep Firms, in anticipation of...
Axis Partner Elder Care Video Analytics (Smartervision) on Dec 07, 2016
Can video analytics be used to improve the care of the elderly? Axis and a video analytics startup, Smartervision, are working together to do so....
Sony IP Camera Backdoor Uncovered on Dec 06, 2016
A backdoor has been uncovered in ~80 Sony IP camera models, attackers can remotely enable telnet on the camera, and then potentially login as root,...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact