You will find considerable differences in security policy across the product lines of some manufacturers. For example, Optera may show different results than other cameras from that same manufacturer, given the camera's heritage. Not saying it'd be better or worse, but maybe different.
That implies a potential lack of consistency in non-functional attributes like security policy, which is one thing you want to chase out if we're talking about manufacturers and their reputation for producing secure products. The most secure will be those that take a holistic approach to security across their entire product lines, not just individual products. If tomorrow they slam a cheap OEM camera into the line it could present unexpected risk, unless they're managing those policies across the board.
IT security in video surveillance can be tricky business because the products sometimes straddle the identity between a fully embedded product and that of software based on an open platform like Windows or Linux--this is especially true on the VMS side of course.
Is this referring to initial admin accounts assigned a password or hidden accounts that can be used? Are these used to access the camera through the web GUI or only telnet/ssh or ONVIF? For example, Dahua had known hard-coded accounts that couldn't be changed.
U1, I just added a note to the report for clarity. This is referring to the user accounts for the camera. Dahua uses 'admin' and this cannot be changed nor deleted, even after creating an alternate administrator-level account and logging in with this account. The image below shows that the default admin account is reserved.
The last time I tested (about 3 or 4 weeks ago), Dahua still had the backdoor: an OS root-level account with a hard-coded, non-changeable password that was on the Mirai list. Although they disabled telnet access by default, a CGI string entered into a browser was able to re-enable telnet, although it required an admin password to do so.
Correct, at least in my testing. I could open a browser session to the camera, issue the CGI string (which was provided by John or Jon on here I think in one of the Mirai threads) and it would prompt for username and password. Using the default admin/admin it returned with an "OK" screen and at that point telnet was open on default port 23 and I was able to log in as root using one of the passwords from the published Mirai list.
A good article! However, I have performed my own analysis of several manufacturers' cameras and suspect your findings on Samsung regarding UPnP being off by default are wrong. Can you clarify how you determined if UPnP was enabled/disabled by default for these devices?
Note that in your nmap port scan for Samsung, port 49152 is open. For the two Samsung cameras I scanned, I also found this. It turned out this was part of their UPnP implementation, and when I went into the web interface and unchecked the box to turn off this service, and then rescanned with nmap, the port was no longer open. (The same port is open on your Axis camera for the same reason).
Of course it's possible the model you used (PNO-9080R) has different default behavior than mine (SND L5013 and SND 6083N) - except then there must be some other reason yours has port 49152 open. I doubt this - the simple explanation is that the device had UPnP running, and your chart for that is incorrect.
Samsung (and Axis) likewise had Bonjour enabled by default, which should be disabled if one is security focused.
Samsung/Hanwha uses UPnP for two different reasons.
UPnP & Bonjour are turned on by default in the cameras, but it is for discovery purposes. You can go to the Windows Network (the old Network Neighborhood) and see an icon of the camera, view basic info (model, IP, manufacturer), and then double-click to open the web page, where you are then prompted to authenticate.
The use of UPnP to perform automatic port forwarding is a completely separate function, and is ONLY turned on when the built-in DDNS is used and the "Quick Connect" option is checked, which is not checked by default when DDNS is used.
I hope this helps clear this up. In my experience, the Cyber Security concern of UPnP is related to auto port forwarding. The camera discovery via UPnP 1) can be turned on, and 2) shouldn't be much of an issue as most cameras have their own manufacturer discovery protocol running as well as ONVIF discover methods.
Both UPnP & Bonjour can be turned on/off/verified individually or in bulk using the Wisenet Device Manager.
However I disagree re "the Cyber Security concern of UPnP is related to auto port forwarding". Invariably, my enterprise customers just perform nmap style port scans, and if they see an unexpected port open at all, it is of concern.
Of course, your experience may differ from mine.
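Added example, not from any poster in this thread: a small audit that reads nmap grepable (-oG) output for a batch of cameras and flags any open port outside an agreed policy, annotating the ports the discussion above mentions (49152 for UPnP, Bonjour/mDNS, ftp, telnet, SNMP). The sample scan text, hostnames and addresses are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of nmap -oG output for three lab cameras (made-up
# addresses and names). A real run: nmap -oG cams.gnmap -p- <camera range>
SAMPLE_NMAP_OG = """\
Host: 192.0.2.10 (cam-axis-01)\tStatus: Up
Host: 192.0.2.10 (cam-axis-01)\tPorts: 21/open/tcp//ftp///, 80/open/tcp//http///, 554/open/tcp//rtsp///, 49152/open/tcp//unknown///\tIgnored State: closed (996)
Host: 192.0.2.11 (cam-samsung-01)\tPorts: 80/open/tcp//http///, 554/open/tcp//rtsp///, 49152/open/tcp//unknown///\tIgnored State: closed (997)
Host: 192.0.2.12 (cam-samsung-02)\tPorts: 80/open/tcp//http///, 443/open/tcp//https///, 554/open/tcp//rtsp///\tIgnored State: closed (997)
"""

# Ports the camera policy permits: web UI and RTSP only.
ALLOWED_PORTS = {80, 443, 554}

# Short reasons so the report is readable by field staff.
KNOWN_RISKY = {
    21: "ftp (cleartext)",
    23: "telnet (cleartext; Mirai-style abuse)",
    161: "snmp",
    1900: "upnp ssdp",
    5353: "mdns/bonjour",
    49152: "upnp device description (seen on Samsung/Axis)",
}

PORT_RE = re.compile(r"(\d+)/open/(tcp|udp)")

def parse_grepable(text: str) -> Dict[str, List[Tuple[int, str]]]:
    """Return {host: [(port, proto), ...]} for open ports in -oG output."""
    hosts: Dict[str, List[Tuple[int, str]]] = {}
    for line in text.splitlines():
        # -oG emits a separate "Status:" line per host; only "Ports:" lines matter.
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        addr = line.split()[1]
        ports = [(int(p), proto) for p, proto in PORT_RE.findall(line)]
        hosts.setdefault(addr, []).extend(ports)
    return hosts

def audit(hosts: Dict[str, List[Tuple[int, str]]], allowed=ALLOWED_PORTS) -> Dict[str, List[str]]:
    """Map each host to its unexpected open ports (sorted) with a reason."""
    findings: Dict[str, List[str]] = {}
    for addr, ports in hosts.items():
        bad = [(p, f"{proto}/{p}: {KNOWN_RISKY.get(p, 'not in policy')}")
               for p, proto in ports if p not in allowed]
        if bad:
            findings[addr] = [msg for _, msg in sorted(bad)]
    return findings

if __name__ == "__main__":
    for addr, msgs in audit(parse_grepable(SAMPLE_NMAP_OG)).items():
        print(addr, *msgs, sep="\n  ")
```

Re-running the scan after unchecking UPnP/Bonjour in the camera UI (as described above) and diffing the two reports confirms the change actually took effect on every camera rather than on the one you were looking at.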
Can you clarify where in wisenet one can change UPnP/Bonjour? I am having trouble finding it.
Likewise, if you happen to know, can users/passwords (besides the admin) be managed in bulk via wisenet?
EDIT - I have searched through the manual for this, but neither "pnp" nor "bonjour" occur, and "user" occurs too frequently to be useful. If there is some sort of online support forum for this app that you know of, feel free to point me to it. I appreciate your effort.
Make sure your Device Manager is up to date. Screenshot below. It is in the "Device Setup" menu. It is fairly recent (last 2 versions of the utility).
Yes, in corporate environments UPnP discovery can be an issue hence why it can be turned off, but SO many devices have this on. Simply bringing a laptop from home and plugging in to work network - UPnP device displayed....
Currently only the admin user can be managed via the UI. Other users can be managed with the right CGI script, which can be configured via the "Advanced Setup" menu.
Let me know if you would like additional details on the CGI commands.
But the best way is to download just the online updater, and then let it download the latest version. If you run it now, it should tell you that there is a newer version.
See screenshot below.
Most settings are reserved for sending to 1 model at a time, but certain things can be done to any/all at once, such as reports, IP addressing, password, backup/restore, NTP, SSL, 802.1x, log download, multicast, Open Platform, firmware upgrade.
First I'd like to thank you for your extensive help on this forum. You've really gone above and beyond. If there is a more official support channel please feel free to redirect me there.
You are correct re Bonjour/UPnP, my issue was resolved by installing auto updater and then letting it update my Wisenet.
I do disagree with regards to our other thread, it seems certain to me some current models within the lines you listed still seem to require a browser plugin even with current firmware (see screenshots in other thread).
One other note you may wish to pass on (or clarify if I'm wrong). With respect to the suggestion to use CGI script feature to manage non admin users, I just consider that too detailed for some of my other staff in the field. Also, even the webpage administration (/home/setup/basic_user.cgi->Current Users) is problematic because it seems to disallow pasting into the password field. Entry via typing strong passwords by hand for hundreds of cameras would just lead to excessive human error.
So at this point I consider the Samsung cameras to basically require using the admin password all over (whereas I prefer to put non admin password into whatever VMS software is connecting to cameras). I just last month had a large customer request to use non admin passwords on 1000+ (non Samsung) cameras as part of a security audit. This would not have been feasible to do one-by-one. So you may wish to consider adding that functionality to Wisenet.
With respect to "SO many devices have this on", most of the sorts of customers I have who care about this sort of thing don't allow unknown devices such as personal laptops to be attached to their network. Large/international banks, insurance, pharma, etc. This is why things like browser plugins are a no-no at such places as well.
I'm not saying I don't understand why the setting is on, just that I felt the article was misleading to say it was off by default when it was not, from the perspective of an IT person doing port scanning and such. I suspect most readers will not have performed their own port scans (also understand you are not the author).
I agree, probably for the majority of users/customers, they will not care about UPnP for discovery and it will make their lives easier. My particular needs are usually for large enterprise customers, who are rare, but have many cameras.
Yeah, the manual has not been updated yet for those features. We have been adding so many features constantly to the tool based on feedback. The first priority is the tool, and the manual comes later. Most of the features are add-on, so once you understand the methodology, you are good to go.
I would recommend that you check out the release notes. If you go to the Online Updater tool, you can see the release notes for new features, etc...
Beyond the default settings, have you looked at how feasible/easy it is to securely manage different manufacturers' cameras in large numbers?
For instance, despite the fact that Axis cameras tend to have ftp and other potentially insecure functionality turned on by default, I find them the "most secure" for the sole reason that their management software (Axis Camera Management Client) is the most useful of the manufacturers I have tried. So I can lock down large numbers of cameras rapidly. In particular, I can create a configuration XML file that disables everything I don't need (Bonjour, UPnP, SNMP, ftp, etc.) and apply it to hundreds of cameras at once. Likewise, I can manage passwords and users across multiple cameras en masse. The only problem I have managing these cameras in large groups is that the software tool does not yet handle https and certificates (Axis has said they intend to add this, but did not provide me an expected date).
For other manufacturers, so far I am finding their tools deficient. For some it seems certain settings on cameras must be changed one-by-one through their http config pages. For customers with hundreds of cameras, this is a big problem for my organization.
Likewise I have looked into whether their http config pages require a browser plugin or not. Samsung cameras seem to require this (even for configuration, not live viewing). This is also a potential security problem, plus a logistical problem, as some of our customers disallow installation of browser plugins within their enterprise.
So I am curious if you have any other security views along these lines.
While Hikvision and Dahua do have the ability to create backups of configs that can be applied to large groups of cameras, they aren't as capable as the Axis software at this time. You cannot look down a list of all settings as you described. But it is easy to send a defined set of settings (except IP info and credentials) to many cameras. I don't know if there is a theoretical limit, as I have only tried up to about 80 at a time with the Dahua Config Tool and many fewer with Hik Tools.
All *new* models of Samsung/Hanwha cameras will work in a plug-in free mode, not requiring the installation of a plugin and will work in Edge, Chrome, Safari, IE, Firefox.
You can view live video as well as camera setup.
This applies to the Wisenet Q, Wisenet P, Wisenet Lite, & upcoming Wisenet X series.
The Wisenet Device Manager tool allows 1) Uploading of a configuration backup to many cameras. This will allow you to push a template of ALL camera settings, with the exception of IP address. Thus, if you have configured various cyber security settings, they will follow.
The tool also allows 2) easy configuration individually or in bulk settings such as 802.1x, SSL, SNMP, UPnP, Bonjour, & more. Most settings can be viewed as well as applied.
*Edited to include Wisenet Lite supporting plugin free mode*
For instance, the L5013 (one of two I tested) is currently listed under the Wisenet Lite series (https://www.hanwhasecurity.com/products/security-cameras/network-cameras/WiseNet-Lite.aspx) and Wisenet tells me I have the latest firmware (1.01_*). However, it still seems to require a plugin and I can't get it to work under Chrome, IE, or Edge on my Win10 box - I have Firefox installed just for that camera.
This applies to the Wisenet Q, Wisenet P, Wisenet Lite, & upcoming Wisenet X series.
I tested on SND-L6013R, firmware 1.01. I don't have a L5013 to test. Latest firmware for the L5013 is sndl5013_Series_1.01_150918. I tested Edge and Chrome, which don't support plugins. They display MJPEG video profile and allow access to live & setup.
Re "By new, I meant This applies to the Wisenet Q, Wisenet P, Wisenet Lite..."
However, I then found a current camera model listed in the "Wisenet Lite" line for which this does not appear true, so I asked for clarification.
See attached screenshots of L5013 running 1.01_150918 redirecting Chrome to a plugin download. Same results for IE and Edge. Can't get plugin to work for any of those despite tinkering with security settings per some instructions one of the redirect pages mentioned. Firefox also redirected, but plugin works there.
Also, note in the screenshot there is a bug in your FW upgrade dialog. The "File Open" button appears in the column header of "Mac Address". OS is latest patch of Win10.
Results are the same for the SND 6083 with the latest firmware, but this does not appear in the product lines you listed, so it makes more sense here.