Arecont and Bosch - Default Security Risk

Author: IPVM Team, Published on Dec 14, 2015

Default passwords are a major security risk, enabling hackers around the world to access and control devices like IP cameras (using Shodan, turning devices into bitcoin miners, etc.). Because of that, many manufacturers now force changing the default password and using strong passwords.

But two very well known manufacturers, Arecont and Bosch, continue to take the opposite, risky and irresponsible route.

******* ********* *** * ***** ******** ****, ******** ******* ****** the ***** ** ****** *** ******* ******* **** ** ******* (using******, ******* ******* *********** ******, ***.). ******* ** ****, **** ************* *** ***** ******** the ******* ******** *** ***** ****** *********.

*** *** **** **** ***** *************, ******* *** *****, ******** to take *** ********, ***** *** ************* *****.

[***************]

*******

**** ** *******'* ********:

"******* ****** *******do *** **** **** ************** *******. To enable authentication, access the web interface of the camera and click either the 'Administration' or 'System' tabs. Passwords can then be configured for the Admin and Viewer user names. Note that custom usernames cannot be created, only the 'Admin' and 'Viewer' user names are available for usage.

******** ****limit ** * ********** MAX with letters and numbers only. No ******* ******."

*** **** *** ****** ****** ** ******* ****** ****** * user ********** ******* **************, ******* ***** ** **** ** *** up * ****** ********.

*****

***** **** ***** **** ** ************** *** **** ***** ** as * ****** ** * ******* '*** ***** ********* ******'************:

"** ***'* ******* ******* ******** ** *** **. ** **** telnet ****.... ***** ***** ** ******, ** *******, ***** **** you *** **** *********** ** ** *********."

**'* ********* ********, **** ******** * ***** ******* ******* *** locks ** *** *****.

UPDATE: ***** ********

******** ** *.** ********, ***** ******* ***** ** *** * password, **** **** ***** ********* **** ********** ** *** ******'* web *********. **** **** ** ******** ** *** ** ******* and **** ** ********, ****** ******* ** *********, ***** ***** users ** *** ***.

******** ** ***** ***** ** *** ******** ***** ****, **** a ***** ******* ******** "********." **** **** *** ******** ** this ******* *** * ********** **** *** ******** ********* *** lowercase *******, *******, *** * ******* *********, *** *** ***** only ******** ** "******." ****** ********* ******* ** ********** *** a *** ** ***** *****.

*******

*** ******* **** ********** ** ** ************** ** **** **** users *** *********** **** ***** *** ** * ******** ** not ********. ** * **** **** ****,**** * ***** ** ***** **** **** ***** ********* ********* ****** ** "**** ** *** time."** ******* ****, * **** **% **** **** ************* ****** ** ******* to ***** ****** *********.

**** ** **************/******* ********* *** ** ****** **** ** ******** incidents ** *** **** *-* *****, **** ******* ************ ********* ******* *******, ** ***** * ******* ********'* **** **** ******** ******** and ***** ****. *** ** *** ******** ******* *****, ********* consumers, ** **** (*** ** ****** ******** - ************* ******** *** *,*** ****** ************ ******* - * *******).

***** ***** **** ******* *********, *** **** *********** **** *******, *******, *** ********** ***** ** ******** ******** ** *** **** ****, ******* and *****'* ******** ***** *************, ** ****.

****

***** ***** ******** *** *** **** *********** **** ******** ****, Arecont *** ***** ***** ***** ********* ** *********** *** *********** competitive ****.

Comments (7)

**** * ***** ************* ******** ** ******** ******** *******. ***** devices *** ** ****** ** * ***** ** ****** ********. They *** ******* **** *** ** *** **** ** **'* network *** **** **** ** ********** **** **** **** **** may ** *** ****** ******* **** ****** ** *** **** video, *** *** **** ***-******* ** *** ******* ******* **** attacks. * ***** ***** ****** **** *** **** **** "******" the ******** ** **** *** ***** ** ********** **** ******* a ******** ***** ** (**** * ******* ****) ** * good **** ******* *********** **************.

***** *** ******* - *** * *****. **'* *** **** hard ** ****** **** ***** ******* *** ******** ** ****** tight ******** ** **** *******. ***** ** **** *********, *** your ****. ** **** ***'* **** *** ****** ** *********** to ****** *** ******** *** ****** ** **** ** *** bench *** ****-**, **** *** *******'* ** ******* ** **** in *** ***** *****.

****'* *** ****? **** ***** **** **** - ***'* ***** that ******* ***** ********** *** ****. *** *** ****** *** hacked * *** ***** **** - ** **** *** **** wasn't ******* *** **** ** ** ******* ******. *** **** VARS ******* *** ** ***** ****** ** *** ******** ********?

* ******** ********* **** ****** ******** ********** ** ******* **** IP ***** ******* *** ****** *********** ********* ** ****** ***** devices *** ********* ** *** *** **** *********'* ***** ************* to ****** **** ***** ********* ********* **** *** **** ***** end ********* *******.

*'** **** **** ******, *** ******** ******** ******** *** *** to *** **** *** *******, *****. **** ******* ***** *** it, *** **** *** ***** ******* *** ** ** ********** - **** ** *** ***-***** *** ***** ******* *** **** in *** *********** *** ********** *********** ** **** ***-*********, **** and *********. ** **** ** **** ** **** *** ************ of * ****** ********* ************.

***** ******* **** ** ********* **** ** **** *** ******* is *** *******. *** ******* ** * ****** ******* **** needs **** *** *******. ***'* ***** ****** ** ** *** name, ******** *** **** *** ** ***** ****** ***** ******** by ********** *** ****** **** ***** ***** *** **** ************.

******** **** **'* ****, * ***...

****, * ******* **** ******* *** ***** ******* ********:****** * ******* **********. **** *** *** ********* **** *** to**** **** ********, *** ** ** ****** *************** ********.

** *** ****** *** ******, ******* *** ***** ********* *** viewing ** *** ***** ****:**** ** *********.

* ***'* ******* **** ***** ***** **** ****** ****! **** is *****.

* ** ******* ** **** ******* **** *** **** **** allowing *** ** ************** ** ******* ** * **** ****. Here ** *** ***:

**'* * ***** ******** ** ****, ******* **** ** *** know ***** *** ***** ******* ********* *** **** *** *** easily **** *** ** ********.

***** ** ** *****, *** *** * ****** ** ********* this ***** **** * **** **. *** "*** *****" **** does *** ****** ** **** ***** *** ****** **** *** well ****** ***** *******. * **** *** ***** ******* ** the ************ *** **** ******* **** **** ** **** *** make ** **, **** ** *********. ** (******* ****** **** have **** ** *** ******** ******** *** **** **** **** minutes) *** ***** ******* ** *********, ********** *** *********** ** IP ******** ****** *** ** **** **** ***** ** *** quite **** ****. ** ** *** ***** ** *********** ** you ***** **** *** ***** *******. *****, ** ***'* ***** it *****, ** **** ******* ** *********** *** *** ** is ********* ** *** ******. * ** **** ********* **** there *** ****** ** ****** ****** *********** *** ********* ****** passwords. * ** ******* ** ********* (******* * **** *** entire *******) **** *** ***** ** ****** *** **** *** HVAC ****** ****** *** ********** **** ** *** **** ** their ***** *** **** *** **** ** **** **** ****** overworked. **** ****** *** ****** ** **** *********** *** **** happens ** ***** ******* ****** ****? ** ** ***** *** within ***** **** ********** *** ** ***** ** ***** ***** to ****** **** ****** *** ***** *********** ** ********* ***** customer ***** ******* *** ************ ** ******** ******* ** ***** vendor. ****** **** **** ***** **** *** ** ***** ******* vendors ** ******, ********* ** *********, ***** **** ***** ***** responsibility ** ******** *** ******** ** *********** *** *** *********** so **** ***** ********* *** ***** ***** ** ***** ******, which ** ********** ***** ***, *** **** **** ***** *** their ************.

* ** ******* ***** **** *********** *** *********** ********* (**). IA ** ** ***************** ***** ********* ********** ** ** ** an ***************** ***** ********* ********* ** ********, **********, **** **********, fraud ***********, ******** *******, ********** *******, ******* ***********, ******** ***********, and ***********, ** ******** ** ******** *******. ***** ** * perception ****** ** **** **** ***-***** *********** *** ******* **** men *** *** **** ************** ********* ** ******** ***** ***-***** concepts, **** ** **** ** **** ************ **********, ***** ** fact, ** **** ** ***** ******. ** *** ** *** not **** ** *******, *** *********** ********** *** *** ****** security *** ** **** *** ***** *** *** **** *** network.

* ** **** * ****** ******* ** **** ********** **** any ****** **** **** *** **** ** *** ******* ***** certification ** ****** *** ******* ***** ********* ****. **** ** those *** *** ****** ****** *** ******* ******** ********* ****** meet * ******** **** ***/*** ***** ********* ****** *** ******** of *** ******** ** ********* *** ******* ******** ******** *************. Where ** *** *******?

*** ***** ********** **** ** *** **** ***** ******? ** be ****. * ********** **** **** ********** *********** **** ******* security, ************ ****, ******* *** ** *** ************** *** *******.**** ** ** ** *** ********* *******.*** ** ** ***** *** ****? ** **** *** *********** fault? **** ** **** **** *** ********? * **** **** this *** *****, *** * **** **** ** ** **** board; ****** *** ***** ***** *** **** ****** ********* ******* (and * **** ** *** **** ** **** ** ******** codes - *** ***************) ***** ** ** *** ** *****.

***** **. *****, *** * ********* ** **** ******* *** sir, *** **** "*******" ***** * *** ****** ** **. But **** ***** ** ****** **** *** ***** **** * broad *****.

**** - * **** ** *******. *'* ******* **** ** "broad *****" ** ** ********** ** ** ******** *********** **** VARS *** ***********. * **** *** **** *** **** **** the ***** ** ** ***************. *'* ******* **** *** **** had, ***** **** **** ********, * ****** **********. ** *** whether *** ******** ** ** ** ***** (*** *** *****) - *'* **** ** ******** ********.

* ******* **** ******* (*************) **** * ************** ** **** their ****/********** ** *** ***** *********, *** ** ***** ****** than ** ******* *** ***-********.

***-*-*** ** (*********** *********), **** *** ******* ******** ** *** Manufacturers. **** * *** ** *** ****** ******** ** ******* camera ********* ** *** ******* **********, *** ******** ****** **** up, "** **** ******* ** *********?" - ** ** *********, there *** **** *** ** *** ******** **** ******** **** the **** ********** **** ** (**** * ******** ***********). * only ***** * ***** ******* ** ** ********** **** *********** edge *******. **** ***** ***** *** ** **** ******* ** passwords *** ******** ********** **** ******* *********, ********** *** ********* of ******. **'* *** ** *********** ** ***** ****** ***** as *** ***** *****.

** *******, * ******* ******** ********** ***** ******** ** **, the ******** ********, ****** ** ** *** ********* ** **** process *** ****** ** ****** ** *********** ********. ***** **, in *** *******, **** ******* *********** ** *** ******* *****. We *** **** ** ***** (**) ************** *** **** ** be **** ******** ** **** **************.

***** *** *** **** ******** -

**

Login to read this IPVM report.
Why do I need to log in?
IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

Related Reports

Dahua Forbes 'Next Web Crisis' Vulnerability Dispute on Nov 16, 2017
The buffer overflow vulnerability in Dahua products is not in dispute, in fact we covered it when it was first published. What is in dispute is...
Hikvision China Criticizes The WSJ on Nov 15, 2017
Hikvision, through the Chinese government's authoritative news service, has criticized the WSJ investigation into Hikvision. In this...
Vivotek Remote Stack Overflow Vulnerability on Nov 14, 2017
A stack overflow vulnerability in Vivotek cameras has been discovered by bashis, the security researcher who has also found vulnerabilities in...
WSJ Investigates Hikvision on Nov 13, 2017
The Wall Street Journal (WSJ) has released a detailed investigation into Hikvision's government ownership and cybersecurity problems, hitting the...
Ingram Micro: The Blind Lead The Blind on Nov 02, 2017
Ingram Micro, as a huge as they are overall, with $40+ billion in annual sales, has never been a force in physical security, despite, or perhaps...
Hikvision Admits Backdoor 'PR Issue' on Oct 24, 2017
Hikvision is admitting a problem. The backdoor itself is evidently not the problem for them. The problem, according to Hikvision, is a public...
Deceptive ASIS Attendance on Oct 06, 2017
ASIS is being deceptive with its conference reporting, effectively inflating the event's real actual attendance. What they try, but struggle to...
Dahua Trying, Struggling To Respond To Hacking Attacks on Oct 04, 2017
Now, 2 weeks since large-scale hacking attacks commenced against Dahua vulnerable devices, we analyze Dahua's response. On the positive side,...
Hikvision USA Misleads Dealers On Backdoor on Oct 03, 2017
Hikvision USA emailed their dealers overnight with their 5th cyber security 'special bulletin' of the year. Misleading Unfortunately, they...
FLIR Thermal Camera Multiple Vulnerabilities, Patch Released on Oct 03, 2017
Multiple cyber security vulnerabilities exist in FLIR thermal cameras, which have not been fixed, despite being reported months ago. In this note,...

Most Recent Industry Reports

Amazon Key In-Home Package Delivery Examined on Nov 21, 2017
Interesting idea or invitation for criminals to rob you? Amazon's recent announcement of Key, a service that will help manage visitors, welcoming...
Top Maglock Provider Warns Against Using Maglocks on Nov 21, 2017
Do not buy my company's product. It sounds strange indeed, but a senior Allegion consultant stated that maglocks should not be used in common...
CBR vs VBR vs MBR - Surveillance Streaming on Nov 21, 2017
How you stream video has a major impact on quality and bandwidth. And it is not simply CODEC choice (e.g., H.264 vs H.265). Regardless of the...
Dahua Hard-Coded Credentials Vulnerability on Nov 20, 2017
A newly discovered Dahua backdoor is described by the researcher discovering it as: not the result of an accidental logic error or poor...
Panasonic Unified Surveillance Strategy Analyzed on Nov 17, 2017
Panasonic is now a "Unified Surveillance" offering, as their ASIS 2017 booth proclaimed: Looking to make a comeback in the security industry,...
Amazon Cloud Cam Is Poor (Tested) on Nov 17, 2017
Retail behemoth Amazon has entered the surveillance market with the Amazon Cloud Cam, the eyes of its just-announced Amazon Key delivery...
Nest Secure Alarm System Tested on Nov 16, 2017
Google's expansion continues, this time into home security with their Nest subsidiary's move into alarm systems. They paid more than a...
Dahua Forbes 'Next Web Crisis' Vulnerability Dispute on Nov 16, 2017
The buffer overflow vulnerability in Dahua products is not in dispute, in fact we covered it when it was first published. What is in dispute is...
Isonas Cofounders Split, Launch Partner/Competitor on Nov 16, 2017
Breaking up is hard to do, especially when door access security is at stake. But that is exactly what has happened at Isonas. Senior employees...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact