10 Manufacturer Cyber Security Compared

Author: John Scanlan, Published on Dec 13, 2016

With the rise in exploits and growing awareness of cyber security issues in video surveillance, we tested ten different manufacturer's cameras. The verification and discovery in this test answers the following questions:

  • Positive: Are you required to create a password?
  • Positive: Are strong passwords enforced?
  • Positive: Do user accounts auto lock after repeated failed logins?
  • Negative: Are there hardcoded accounts?
  • Positive: Is HTTPS support provided?
  • Negative: Is the Telnet port defaulted open?
  • Negative: Is the SSH port defaulted open?
  • Negative: Is UPnP enabled by default?
  • Does the camera phone home by default or by user option?
  • What other ports are open?

The manufacturers in this test are:

  • Arecont Vision
  • Avigilon
  • Axis
  • Bosch
  • Dahua
  • Hikvision
  • Panasonic
  • Pelco
  • Samsung / Hanwha
  • Vivotek

Inside we take a look at how each performed.

**** *** **** ************* ****************** ***** ******** ****** ** ***** ************, ** ****** *** different ************'* *******. *** ************ *** ********* ** **** **** answers *** ********* *********:

  • ********: *** *** ******** ** ****** * ********?
  • ********: *** ****** ********* ********?
  • ********: ** **** ******** **** **** ***** ******** ****** ******?
  • ********: *** ***** ********* ********?
  • ********: ** ***** ******* ********?
  • ********: ** *** ****** **** ********* ****?
  • ********: ** *** *** **** ********* ****?
  • ********: ** **** ******* ** *******?
  • **** *** ****** ***** **** ** ******* ** ** **** option?
  • **** ***** ***** *** ****?

*** ************* ** **** **** ***:

  • ******* ******
  • ********
  • ****
  • *****
  • *****
  • *********
  • *********
  • *****
  • ******* / ******
  • *******

****** ** **** * **** ** *** **** *********.

[***************]

Key ********

**** ******** *****:

  • **** ** *** ************* *** ***** *** *** ****** ****, a ***** ****** ********* **** *******, ***** *** ***** ******* use ** ******
  • ******* *** *** ***** ******** ******** **********, **** ** ************** by *******, ** ********* ** ****** *********, ** **** ******* lock *** ****** ******** **** *** **** ************ *** ** support *****
  • ********* *** *** ********* ******** ******** **********, ********* ****** *********, supporting **** **** *** *** ****** ******** *** ******* ********* accounts.
  • ********* ** *** **** ************ ** *** ***** **** ********* phone **** ****** ***** ** * *********** ******* *** **** a ********* ******** ****
  • ******* ******** **** ****** ****** ** ***** ******** **** **** 3 ** *** ** ********** ** (*****, ********* *** *******) despite **** ***** * ****** ******** *** *** ************** ** mitigate********** *******

Password ********/**********

*** ***** ***** ***** ******** ******** ******** *** **** ************. Of *** *** *************, **** (*******, ********, *****, *** *******) do *** ******* ********* ** ***. **** ******** * ********, but ****** ********* ********* *** ***** *** ******* ** "****" are ********, **** ** ******** *****. ** ********, *********, ********* and ******* ******* ****** ********* ** ** ******* ****** ******* setup. ** *** ***** ***** * ********* ******* ** * user ******* **** *** ** ******* *** ******* *.*. ***** uses ***** *** * *** *** ****** **** ******** ** John *** ****** *** ******* **** ** * **** ******* an ********* ************ ***** *******.

*** *** ******** ****** ************ **** *********** ** **** ** ***** ********, ********* ** ******* ***** ********* ** ** ******* ** ***** Login?*** ********** ** ****** ******** ********.

Open *****

*********, ** ******* ***** ***** ******* ****** ** *******, ********** focused ** ******, ***, *** *** ***** ** **** **** been **** ******** ******** *** ******* (**** ** ******** ******).

***** ************ ****** ****** **** ****** *** ***, ****** *** was **** ** **** *** *******. **** ***** *** ********* (Value ****** **** ***** *******) **** ****** * ***** ** seven ***** *** ******* ******** *** ******* *****, ***** **** others ****** * ******* ** ****, *** ** ***** **** most ***** ****/*****. ********* *** ***** ****** **** ******* *****, HTTP *** ****.

********** ***** *** ** ***** ************ *********** **** *********** ** ****** ***** *** *** ***** ********, and******* ** ********** *** ** ***** ******* ***** **** ****** **** *******.

Phone ****/****

**************, ** ******* ******* ************* "****** ****" ** ***** ********, with *** ******* ***** ******** *** *******. ** *** *** manufacturers, **** *********'******/***** ********** **** ** ******* (*** *** ***** ***** ****** ****), to **********/***-******* ***** ******** (*** *** ****). ****** ***** **** ******* ** ** ******* (**** ****,***** *******, ************ **********).

************, ** ******* ******* ******* ******* **** *** ********* ** open ****** ***** ** *******, ***** ****, *****, *** ********* did.

*** ********* ******* ****** *** ***** *************** **** *********** ** ***** ******** *** ****, ** **** as *** ********** ********.

Manufacturer ******** *********

*****, ** ******* ******** ************ *** ********* ** **** ************:

******* ******

** ******** ********, *** *********, **** * ********* '*****' ****** that ******* *** ******** **** *** ******. *** ******* **** accounts *** ***** *** ****** *** ****** ** *******.

********

** ******** ********, *** *********. ******* ******** ** ************* **** no ********. ** * ******** ** *******, ***** *** ** requirements *** *********** *** ******** * ****** ********.

****

**** ******** * ******** ** ** ******* **** *****, *** users *** *** ***** ******** ******* "****" ** *** ********. Additionally, ***** *** ** ******** ******** ************, **** **** ****** characters *******.

**** **** ***** ** ******* *** **** ********, *** ****** may ** ******** ***** *** ******* ** **** / **** via *****. ******* *** **** ******** ******** **** ******* *** it **** ** **-******* ********.

*****

** ******** ********, *** "******** ***********" *** ***** ** *****. The ******** "*******", "****", *** "****" *** *** ** *******, but *** ********* ***** ***** ******** ** ** ******* ** addition.

*****

***** / ***** *** *** ******* *********** *** *** ****** prompts ***, *** **** *** ******* *** **** ** ****** the ******** ** ***** *****. ***** *** ******** ******** * password ******** *****, ***** *** ** ******** ************, **** **** one ********* ********* *******. ************, ***** **** *** ***** **** special ********** (**** ** ~).

*********

* ******** ** ******** ** ** ******* ** ***** *****, requiring ** ***** * **********, ***** *** ***** ** ********** (uppercase, *********, *******, ******* **********).

*********

****** **** ***** *** "*****" ******* ******* ** **** *******, Panasonic ******** **** ******** *** ******** ** ** ******* ****** initial *****.

*****

********* **** ** * ******* ** **** **********, *** **** no ***** ******** *****. *** ***** ******* *** *** ** renamed ** *******.

*******

* ****** ******** ** ******** ** ** ******* *** *** admin ******* ** ******* *****, **** ****** ******** ******** ************. Admin *** *** ** ******* ** *******, *** ***** ***** may ** *******.

*******

*** ****** ******* ***** *** * ****** ********, *** **** not ******* **. ************, **** ****** * ******* ** ********, no ******** ** ******** *** *** **** *******.

Test *******

******* ****** ****** **** **** ************ **** ****. *** ******* were ******* **** *** ****** ******** *** ***** ** ******* default ***** ** *******.

*** ********* ******** ******** **** ****:

  • ******* ****** *********-*: *****.*
  • ******** *.*-***-***-**: *.**.*.***
  • **** *****-*: **.**.*.*
  • ***** ***-*****-**: *.**.****
  • ***** **-***-**********: *.***.****.**.*
  • ********* **-*******-***: **.*.* ***** ******
  • ********* **-*********-*:**.*.* ***** ******
  • ********* **-*******: *.**
  • ***** ********: *.*.*.*.****-**.*
  • ******* ***-*****: *.*********
  • ******* ******-**: *****

Comments (36)

You will find considerable differences in security policy across the product lines of some manufactures. For example, Optera may show different results than other cameras from that same manufacturer, given the camera's heritage. Not saying it'd be better or worse, but maybe different.

That implies a potential lack of consistency of non-functional attributes like security policy. Which is one thing you want to chase out if we're talking about manufacturers and their reputation for producing secure products. The most secure will be those that take a holistic approach to security across their entire product lines, not just individual products. If tomorrow they slam a cheap OEM camera into the line it could present unexpected risk, unless they're managing those policies across the board.

IT security in video surveillance can be tricky business because the products sometimes straddle the identity between a fully embedded product and that of software based on an open platform like Windows or Linux--this is especially true on the VMS side of course.

Steve - True and related: evidenced above, the Hik Value/Value Plus gear (convenience trumps security) phoning home compared to the Hik Smart Series which does not.

What kind of hard coded accounts are present?

Is this referring to initial admin accounts assigned a password or hidden accounts that can be used? Are these used to access the camera through the web GUI or only telnet/ssh or ONVIF? For example Dahua had known hard coded accounts that couldn't be changed.

U1, I just added a note to the report for clarity. This is referring to the user accounts for the camera. Dauhua uses 'admin' and this can not be changed nor deleted, even after creating an alternate administrator level account and logging with this account. The image below shows that the default admin account is reserved.

Thanks for clarifying that.

What about hidden hard coded accounts on these devices? Is anything know about if they still exist or not?

Dahua still supports the password of the day. This is well documented, but only works locally.

Hikvision allows you to use their SADP utility to download and send to them the config data, on which they will change your password and return to you to upload back to the device.

The last time I tested (about 3 or 4 weeks ago), dahua still had the backdoor, OS root level account with hard coded, non-changeable password that was on the Mirai list. Although they disabled telnet access by default, a CGI string entered into a browser was able to re-enable telnet although it required an admin password to do so.

So you are saying that if you enable telnet as admin, you can log in as root?

Correct, at least in my testing. I could open a browser session to the camera, issue the CGI string (which was provided by John or Jon on here I think in one of the Mirai threads) and it would prompt for username and password. Using the default admin/admin it returned with an "OK" screen and at that point telnet was open on default port 23 and I was able to log in as root using one of the passwords from the published Mirai list.

Just a comment about the charts.

I think it might be easier to parse if the label on the left was rewritten so that the always refers to a more secure condition than the . Like in the case of "hard coded accounts".

Thank you, good observation and the chart has been changed.

Anyone able to root one of the cameras? Thoughts?

U3 - this was not a penetration test / we were not trying hack any of the cameras, rather we were analyzing their fundamental security features.

From this report show that IPVM do not do a good research enough, why do not compare the encryption, and others more important cyber security?

Just another comment about the charts.

Below chart, 'UPnP enabled by default?' is negative question and the 'X' represents positive result. But this may raise mis-understanding that the test result is negative.

So, could you change the question text to 'UPnP disabled by defaults' for easy understaning? And also the result to 'V'.

.

Thanks in advance.

Thank you HyuckRae - this has been updated.

About Key Findings, it seems the Hikvision is the only one that had strong password security management which Samsung/Hanwha also had.

Is there any other factors for comparison that you didn't mentioned?

A good article! However, I have performed my own analysis of several manufacturers cameras and suspect your findings on Samsung regarding UPnP being off by default are wrong. Can you clarify how you determined if UPnP was enabled/disabled by default for these devices?

Note that in your nmap port scan for Samsung, port 49152 is open. For the two Samsung cameras I scanned, I also found this. It turned out this was part of their UPnP implementation, and when I went into the web interface and unchecked the box to turn off this service, and then rescanned with nmap, the port was no longer open. (The same port is open on your Axis camera for the same reason).

Of course it's possible the model you used (PNO-9080R) has different default behavior than mine (SND L5013 and SND 6083N) - except then there must be some other reason yours has port 49152 open. I doubt this - the simple explanation is that the device had UPnP running, and your chart for that is incorrect.

Samsung (and Axis) likewise had Bonjour enabled by default, which should be disabled if one is security focused.

Samsung/Hanwha uses UPnP for two different reasons.

UPnP & Bonjour are turned on by default in the cameras, but it is for discovery purposes. You can go to the Windows Network (the old Network Neighborhood) and see an icon of the camera, view basic info (model, IP, manufacturer), and then double click to open the web page, which you are then prompted to authenticate.

The use of UPnP to perform automatic port forwarding is a completely separate function, and is ONLY turned on when the built-in DDNS is used and the "Quick Connect" option is checked, which is not checked by default when DDNS is used.

I hope this helps clear this up. In my experience, the Cyber Security concern of UPnP is related to auto port forwarding. The camera discovery via UPnP 1) can be turned on, and 2) shouldn't be much of an issue as most cameras have their own manufacturer discovery protocol running as well as ONVIF discover methods.

Both UPnP & Bonjour can be turned on/off/verified indivudially or in bulk using the Wisenet Device Manager.

Thank you for your post and the info!

However I disagree re "the Cyber Security concern of UPnP is related to auto port forwarding". Invariably, my enterprise customers just perform nmap style port scans, and if they see an unexpected port open at all, it is of concern.

Of course, your experience may differ from mine.

Can you clarify where in wisenet one can change UPnP/Bonjour? I am having trouble finding it.

Likewise, if you happen to know, can users/passwords (besides the admin) be managed in bulk via wisenet?

EDIT - I have searched through the manual for this, but neither "pnp" nor "bonjour" occur, and "user" occurs to frequently to be useful. If there is some sort of online support forum for this app that you know of, feel free to point me to it. I appreciate your effort.

May sure your Device Manager is up to date. Screenshot below. It is in the "Device Setup" menu. It is fairly recent (last 2 versions of the utility).

Yes, in corporate environments UPnP discovery can be an issue hence why it can be turned off, but SO many devices have this on. Simply bringing a laptop from home and plugging in to work network - UPnP device displayed....

Currently only the admin user can be managed via the UI. Other users can be managed with the right CGI script, which can be configured via the "Advanced Setup" menu.

Let me know if you would like additional details on the CGI commands.

I just downloaded & installed it last week and am using 1.19.13 which is the latest version per https://www.hanwhasecurity.com/en/Tools/device-manager.aspx.

When I look at that screen for the two cameras I have in my test lab (SND-6083, SND-L5013) most of those settings are missing. See attached.

Can cgi commands be sent to multiple cameras of the same model at once?

It seems from my experimentation, no sort of setting can be send en masse to multiple cameras of different model - is that correct?

The website you went to is the US site, which won't have the most up to date versions...

The HQ site in Korea is the most up to date.

You can download from: http://hanwha-security.com/support/sw/install.do?menuCd=MN000173

But the best way is to download just the online updater, and then let it download the latest version. If you run it now, it should tell you that there is a newer version.

See screenshot below.

Most settings are reserved for sending to 1 model at a time, but certain things, can be done to any/all at once, such as reports, IP addressing, password, backup/restore, NTP, SSL, 802.1x, log download, multicast, Open Platform, firmware upgrade.

First I'd like to thank you for your extensive help on this forum. You've really gone above and beyond. If there is a more official support channel please feel free to redirect me there.

You are correct re Bonjour/UPnP, my issue was resolved by installing auto updater and then letting it update my Wisenet.

I do disagree with regards to our other thread, it seems certain to me some current models within the lines you listed still seem to require a browser plugin even with current firmware (see screenshots in other thread).

One other note you may wish to pass on (or clarify if I'm wrong). With respect to the suggestion to use CGI script feature to manage non admin users, I just consider that too detailed for some of my other staff in the field. Also, even the webpage administration (/home/setup/basic_user.cgi->Current Users) is problematic because it seems to disallow pasting into the password field. Entry via typing strong passwords by hand for hundreds of cameras would just lead to excessive human error.

So at this point I consider the Samsung cameras to basically require using the admin password all over (whereas I prefer to put non admin password into whatever VMS software is connecting to cameras). I just last month had a large customer request to use non admin passwords on 1000+ (non Samsung) cameras as part of a security audit. This would not have been feasible to do one-by-one. So you may wish to consider adding that functionality to Wisenet.

Again, I do appreciate all the help.

With respect to "SO many devices have this on", most of the sorts of customers I have who care about this sort of thing don't allow unknown devices such as personal laptops to be attached to their network. Large/international banks, insurance, pharma, etc. This is why things like browser plugins are a no-no at such places as well.

I'm not saying I don't understand why the setting is on, just that I felt the article was misleading to say it was off by default when it was not, from the perspective of an IT person doing port scanning and such. I suspect most readers will not have performed their own port scans (also understand you are not the author).

I agree, probably for the majority of users/customers, they will not care about UPnP for discovery and it will make their lives easier. My particular needs are usually for large enterprise customers, who are rare, but have many cameras.

Yeah, the manual has not been updated yet for those features. We have been adding so many features constantly to the tool based on feedback. The first priority is the tool, and the manual comes later. Most of the features are add-on, so once you understand the methodology, you are good to go.

I would recommend that you check out the release notes. If you go to the Online Updater tool, you can see the release notes for new features, etc...

Beyond the default settings, have you looked at how feasible/easy it is to securely manage different manufacturers' cameras in large numbers?

For instance, I have found that, despite the fact Axis cameras tend to have ftp and other potentially insecure functionality turned on by default, I find them the "most secure" for the sole reason that their management software (Axis Camera Management Client) is the most useful of the manufacturers I have tried. So I can lock down large numbers of cameras rapidly. In particular, I can create a configuration XML file that disables everything I don't need (bonjour, UPnP, SNMP, ftp, etc) and apply it to hundreds of cameras at once. Likewise, I can manage passwords and users across multiple cameras en masse. The only problem I have managing these cameras in large groups is that the software tool does not yet handle https and certificates (Axis has said they intend to add this, but did not provide me an expected date).

For other manufacturers, so far I am finding their tools deficient. For some it seems certain settings on cameras must be changed one-by-one through their http config pages. For customers with hundreds of cameras, this is a big problem for my organization.

Likewise I have looked into whether their http config pages require a browser plugin or not. Samsung cameras seem to require this (even for configuration, not live viewing). This is also a potential security problem, plus a logistical problem, as some of our customers disallow installation of browser plugins within their enterprise.

So I am curious if you have any other security views along these lines.

While Hikvision and Dahua do have the ability to create backups of configs that can be applied to large groups of cameras, they aren't as capable as the Axis software at this time. You cannot look down a list of all settings as you described. But, it is easy to send a defined set of settings (except IP info and credentials) to many cameras. I don't know if there is a theoretical limit, as I have only tried up to about 80 at a time with the Dahua Config Tool and many less with Hik Tools.

Am I correct in interpreting "and credentials" that user names and passwords must be set one at a time for Hikvision and Dahua in your experience?

Axis tool allows this (not via settings XML file, but multiselect/right-click menu option).

Thank you!

All *new* models of Samsung/Hanwha cameras will work in a plug-in free mode, not requiring the installation of a plugin and will work in Edge, Chrome, Safari, IE, Firefox.

You can view live video as well as camera setup.

This applies to the Wisenet Q, Wisenet P, Wisenet Lite, & upcoming Wisenet X series.

The Wisenet Device Manager tool allows 1) Uploading of a configuration backup to many cameras. This will allow you to push a template of ALL camera settings, with the exception of IP address. Thus, if you have configured various cyber security settings, they will follow.

The tool also allows 2) easy configuration individually or in bulk settings such as 802.1x, SSL, SNMP, UPnP, Bonjour, & more. Most settings can be viewed as well as applied.

*Edited to include Wisenet Lite supporting plugin free mode*

Can you clarify what you mean by *new*?

For instance, the L5013 (one of two I tested) is currently listed under the Wisenet Lite series (https://www.hanwhasecurity.com/products/security-cameras/network-cameras/WiseNet-Lite.aspx) and Wisenet tells me I have the latest firmware (1.01_*). However, it still seems to require a plugin and I can't get it to work under Chrome, IE, or Edge on my Win10 box - I have Firefox installed just for that camera.

By new, I meant

This applies to the Wisenet Q, Wisenet P, Wisenet Lite, & upcoming Wisenet X series.

I tested on SND-L6013R, firmware 1.01. I don't have a L5013 to test. Latest firmware for the L5013 is sndl5013_Series_1.01_150918. I tested Edge and Chrome, which don't support plugins. They display MJPEG video profile and allow access to live & setup.

Here is Edge:

Chrome:

Hope this helps.

Re "By new, I meant This applies to the Wisenet Q, Wisenet P, Wisenet Lite..."

However, I then found a current camera model listed in the "Wisenet Lite" line for which this does not appear true, so I asked for clarification.

See attached screenshots of L5013 running 1.01_150918 redirecting Chrome to a plugin download. Same results for IE and Edge. Can't get plugin to work for any of those despite tinkering with security settings per some instructions one of the redirect pages mentioned. Firefox also redirected, but plugin works there.

Also, note in the screenshot there is a bug in your FW upgrade dialog. The "File Open" button appears in the column header of "Mac Address". OS is latest patch of Win10.

Results are same for SND 6083 with latest firmware, but this does not appear in the product lines you listed, so makes more sense here.

"Phone home" checking of Samsung/Hanwha cameras is changed from initial version.

What was happened?

Setting password could be rather daunting. many times I have set and reset so many passwords that my mortal brain can't even remember.

Login to read this IPVM report.
Why do I need to log in?
IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

Most Recent Industry Reports

Imperial Capital Security Investor Conference 2018 Review - ADT, Resideo, Alarm.com, Arlo, Eagle Eye, ACRE, More on Dec 14, 2018
Imperial Capital Security Investor Conference is an event matching industry executives with financiers that frequently leads to future funding...
Cisco Meraki New Cameras and AI Analytics on Dec 14, 2018
Meraki has released their second generation of video surveillance with 3 new cameras, AI-based video analytics, and 2 cloud-based storage...
Foolish Strategy: OEMing Facial Recognition on Dec 13, 2018
Almost as 'hot' as face recognition marketing right now is OEMing facial recognition. Last year, they were a who's who of company's with...
DVR Examiner - Video Recovery from Recorder Hard Drives on Dec 13, 2018
Bypassing passwords and long download times on-site, DVR Examiner collects and organizes video evidence directly from a hard drive extracted from...
2019 Access Control Book Released on Dec 12, 2018
This is the best, most comprehensive access control book in the world, based on our unprecedented research and testing has been significantly...
Huawei Hisilicon Quietly Powering Tens of Millions of Western IoT Devices on Dec 12, 2018
Huawei Hisilicon chips are powering, at least, tens of millions of Western IoT devices, such as IP cameras and surveillance recorders, a fact that...
FLIR Launches Body Cameras Unified With VMS (TruWitness) on Dec 11, 2018
While FLIR is best known for their thermal cameras, now they have expanded into body cameras, launching TruWITNESS, a public safety focused body...
Startup Sunflower Labs' Autonomous Drone Security System on Dec 11, 2018
Startup Sunflower Labs is claiming a unique design on a home security system, combining autonomous drones and 'Sunflower' sensors. Imagine an...
The 2019 Video Surveillance Industry Guide on Dec 10, 2018
The 300 page, 2019 Video Surveillance Industry Guide, covers the key events and the future of the video surveillance market, is now available,...
Multi-Factor Access Control Authentication Guide on Dec 10, 2018
Can a stranger use your credentials? One of the oldest problems facing access control is making credentials as easy to use as keys, but restricting...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact