Canon Responds To IP Camera HacksBy: IPVM Team, Published on May 30, 2018
Canon cameras made international news earlier this month, with reports of them being hacked in Japan (e.g., Hackers disable scores of Canon-made security cameras across Japan and Dozens of Canon security cameras hacked in Japan, possibly because factory default passwords weren’t changed).
Canon has responded to IPVM's request for comment, saying:
In the Canon cameras released from 2016 and onwards there is no default password preset. Users are forced to set their own administrator name and password when they first access the camera. There is no known vulnerabilities being exploited as of today.
The practical problem is that Canon cameras released before 2016 still do allow default passwords. Canon explained that:
Canon will release the upgrade firmware in June for the models released in 2015. With the new firmware, after defaulting the camera, the users need to set their own admin name and password when first accessing the camera.
However, cameras before 2015, still do not have a software update:
For the older models, released in 2014 or earlier, including VB-S800D, the solution for the customer is now under investigation.
On the other hand, since the issue is default passwords and since the cameras were deployed many years ago, a software update is not necessary to fix as much as simply going in and changing the default password.
Last year, Hikvision experienced a similar issue, though at far greater scale: Hikvision Defaulted Devices Getting Hacked. Hikvision requires setting a strong password but there are large numbers of older, never updated devices that still use default passwords.
Axis Overtaking Canon In Surveillance
Since the 2015 acquisition of Axis by Canon, Axis has effectively taken over Canon's video surveillance outside of Japan (see Axis Takes Over Canon Surveillance Sales and Marketing). As such, new releases and overall Canon IP camera offerings have been relatively muted compared to Axis'.
Default Passwords Vs Backdoors
Default passwords differ from backdoors (like the Dahua backdoor of Hikvision IP camera backdoor) as the former rely on the user leaving the password default. By contrast, with backdoors, no matter how strong a password one sets, the backdoor allows admin access.