Arecont and Bosch - Default Security Risk

Author: IPVM Team, Published on Dec 14, 2015

Default passwords are a major security risk: they let attackers anywhere locate devices such as IP cameras (for example, with Shodan), log in, and take control of them, whether to watch the video or to repurpose the device as a bitcoin miner. Because of that, many manufacturers now force the default password to be changed at first login and require a strong replacement.

But two very well-known manufacturers, Arecont and Bosch, continue to take the opposite, risky and irresponsible route.
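The two failure modes this report is about are a device that answers with no authentication at all and a device that still accepts a factory credential. The following Python script, added here as an example and not taken from the IPVM report or from either manufacturer, audits an HTTP interface for both and reports which case applies. The probe path and the credential list are assumptions, not vendor specifics, and the in-process fake camera is a constructed test double so the audit can be run offline.

```python
"""Audit an IP camera's HTTP interface for missing or default authentication.

Added example, not from the IPVM report or any vendor: PROBE_PATH and
DEFAULT_CREDS are assumptions, and the fake camera below is a constructed
test double used so the audit can run offline.
"""
import base64
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

PROBE_PATH = "/"  # assumed: a page the device serves to authenticated users
# Constructed, illustrative list of factory credentials to try.
DEFAULT_CREDS = [("admin", "admin"), ("admin", ""), ("admin", "1234"), ("root", "pass")]


def _basic_header(user, password):
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token


def _get_status(url, creds=None, timeout=3):
    """Return the HTTP status for a GET, or None if the host is unreachable."""
    req = Request(url)
    if creds is not None:
        req.add_header("Authorization", _basic_header(*creds))
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status
    except HTTPError as err:          # 4xx/5xx still tells us something
        return err.code
    except OSError:                   # refused, timed out, DNS failure
        return None


def audit_device(base_url):
    """Classify one device: unreachable, open (no auth), default creds, or locked."""
    status = _get_status(base_url + PROBE_PATH)
    if status is None:
        return {"reachable": False}
    finding = {"reachable": True, "auth_required": status in (401, 403), "weak_creds": []}
    if not finding["auth_required"]:
        # Factory state described in the report: anyone who can reach the
        # device sees video and configuration without a password at all.
        return finding
    for creds in DEFAULT_CREDS:
        if _get_status(base_url + PROBE_PATH, creds) == 200:
            finding["weak_creds"].append(creds)
    return finding


class _FakeCamera(BaseHTTPRequestHandler):
    """Constructed test double. password=None models a device shipped with
    authentication disabled; otherwise only admin:<password> is accepted."""
    password = None

    def do_GET(self):
        supplied = self.headers.get("Authorization", "")
        allowed = self.password is None or supplied == _basic_header("admin", self.password)
        body = b"camera ok" if allowed else b""
        self.send_response(200 if allowed else 401)
        if not allowed:
            self.send_header("WWW-Authenticate", 'Basic realm="camera"')
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):   # keep the demo quiet
        pass


def start_fake_camera(password):
    """Start a fake camera on a random loopback port; returns (server, base_url)."""
    handler = type("FakeCamera", (_FakeCamera,), {"password": password})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}"


def stop_fake_camera(server):
    server.shutdown()
    server.server_close()


if __name__ == "__main__":
    for pw in (None, "admin", "Zq7pLm3vX4"):
        server, url = start_fake_camera(pw)
        print(f"password={pw!r}: {audit_device(url)}")
        stop_fake_camera(server)
```

Against a real fleet, replace the fake camera with the list of device URLs and run `audit_device` on each; a result with `auth_required` false is the worst case, because there is nothing to brute-force. Only probe devices you are authorized to test, and keep `DEFAULT_CREDS` short so the audit does not trip lockouts on devices that do have one.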


[The remainder of the report is members-only and appears masked on the public page; only the fragments below are legible.]

Arecont

From Arecont's documentation (partially legible):

"[...] do not [...] authentication enabled. To enable authentication, access the web interface of the camera and click either the 'Administration' or 'System' tabs. Passwords can then be configured for the Admin and Viewer user names. Note that custom usernames cannot be created, only the 'Admin' and 'Viewer' user names are available for usage.

[...] limit [...] MAX with letters and numbers only. No [...]."

Bosch

[Masked. The legible words indicate that this section quotes Bosch material mentioning a telnet service.]

UPDATE: Bosch [...]

[Masked. The legible words indicate a later Bosch response concerning a password and the camera's web interface, with a password policy covering lowercase letters and numbers, followed by a discussion of impact on users and a member poll.]

Comments (7)

[The seven comments are masked on the public page.]



