10 Manufacturer Cyber Security Compared

By: John Scanlan, Published on Dec 13, 2016

With the rise in exploits and growing awareness of cyber security issues in video surveillance, we tested ten different manufacturers' cameras. The verification and discovery in this test answer the following questions:

  • Positive: Are you required to create a password?
  • Positive: Are strong passwords enforced?
  • Positive: Do user accounts auto lock after repeated failed logins?
  • Negative: Are there hardcoded accounts?
  • Positive: Is HTTPS support provided?
  • Negative: Is the Telnet port defaulted open?
  • Negative: Is the SSH port defaulted open?
  • Negative: Is UPnP enabled by default?
  • Does the camera phone home by default or by user option?
  • What other ports are open?

The manufacturers in this test are:

  • Arecont Vision 
  • Avigilon 
  • Axis
  • Bosch
  • Dahua 
  • Hikvision 
  • Panasonic
  • Pelco 
  • Samsung / Hanwha
  • Vivotek 

Inside we take a look at how each performed.
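The port-related questions in the checklist above (Telnet, SSH, HTTPS, UPnP, other open ports) can be graded from a default-state scan of a factory-reset camera. The following is an added example, not IPVM's test tooling: it parses nmap grepable (`-oG`) output and reports each item per host. The scan text is a constructed sample using documentation addresses. Treating 49152/tcp as a UPnP hint follows a commenter's observation on this page; 1900/udp is the standard SSDP port.

```python
from dataclasses import dataclass, field

# Constructed sample of `nmap -oG` output (not results from the report).
SAMPLE_SCAN = """\
# Nmap scan initiated (constructed sample)
Host: 192.0.2.10 (cam-a)\tStatus: Up
Host: 192.0.2.10 (cam-a)\tPorts: 23/open/tcp//telnet///, 80/open/tcp//http///, 554/open/tcp//rtsp///, 49152/open/tcp//unknown///
Host: 192.0.2.11 (cam-b)\tPorts: 22/filtered/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 554/open/tcp//rtsp///
Host: 192.0.2.12 (cam-c)\tPorts: 80/open/tcp//http///, 1900/open/udp//upnp///\tIgnored State: closed (997)
"""

TELNET, SSH, HTTP, HTTPS = (23, "tcp"), (22, "tcp"), (80, "tcp"), (443, "tcp")
# Assumption: these ports only hint at UPnP; confirm in the camera's settings.
UPNP_HINTS = {(1900, "udp"), (49152, "tcp")}


@dataclass
class CameraExposure:
    host: str
    open_ports: set = field(default_factory=set)  # {(port, proto), ...}

    @property
    def telnet_open(self):
        return TELNET in self.open_ports

    @property
    def ssh_open(self):
        return SSH in self.open_ports

    @property
    def https_listening(self):
        return HTTPS in self.open_ports

    @property
    def upnp_hint(self):
        return bool(self.open_ports & UPNP_HINTS)

    @property
    def other_ports(self):
        named = {TELNET, SSH, HTTP, HTTPS} | UPNP_HINTS
        return sorted(self.open_ports - named)

    def findings(self):
        """Checklist items that came out on the insecure side."""
        out = []
        if self.telnet_open:
            out.append("Telnet open by default")
        if self.ssh_open:
            out.append("SSH open by default")
        if not self.https_listening:
            out.append("HTTPS not listening on 443")
        if self.upnp_hint:
            out.append("possible UPnP listener")
        return out


def parse_grepable(text):
    """Return {host: CameraExposure} from nmap -oG text.

    Only ports in state 'open' count; 'filtered' and 'open|filtered'
    are not treated as confirmed exposure.
    """
    cameras = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # skip comment lines
        fields = line.split("\t")
        host = fields[0].split()[1]
        cam = cameras.setdefault(host, CameraExposure(host))
        for fld in fields[1:]:
            if not fld.startswith("Ports:"):
                continue
            for entry in fld[len("Ports:"):].split(","):
                # port/state/proto/owner/service/rpcinfo/version/
                parts = entry.strip().split("/")
                if len(parts) >= 3 and parts[0].isdigit() and parts[1] == "open":
                    cam.open_ports.add((int(parts[0]), parts[2]))
    return cameras


if __name__ == "__main__":
    for host, cam in sorted(parse_grepable(SAMPLE_SCAN).items()):
        print(host, cam.findings(), "other:", cam.other_ports)
```

A listening port says nothing about password policy, lockout or hardcoded accounts; those checklist items still require logging in to each device.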

Key ********

**** ******** *****:

  • **** ** *** ************* now ***** *** *** Telnet ****, * ***** though ********* **** *******, given *** ***** ******* use ** ******
  • ******* *** *** ***** password ******** **********, **** no ************** ** *******, no ********* ** ****** passwords, ** **** ******* lock *** ****** ******** plus *** **** ************ not ** ******* *****
  • ********* *** *** ********* password ******** **********, ********* strong *********, ********** **** lock *** *** ****** attempts *** ******* ********* accounts.
  • ********* ** *** **** manufacturer ** *** ***** that ********* ***** **** access ***** ** * convenience ******* *** **** a ********* ******** ****
  • ******* ******** **** ****** logins ** ***** ******** with **** * ** the ** ********** ** (Dahua, ********* *** *******) despite **** ***** * ****** practice *** *** ************** to ****************** *******

Password ********/**********

*** ***** ***** ***** password ******** ******** *** each ************. ** *** ten *************, **** (*******, Avigilon, *****, *** *******) do *** ******* ********* at ***. **** ******** a ********, *** ****** character ********* *** ***** old ******* ** "****" are ********, **** ** strength *****. ** ********, *********, Panasonic *** ******* ******* strong ********* ** ** created ****** ******* *****. In *** ***** ***** a ********* ******* ** a **** ******* **** can ** ******* *** deleted *.*. ***** **** Admin *** * *** not ****** **** ******** to **** *** ****** the ******* **** ** * have ******* ** ********* adminstrator ***** *******.

*** *** ****** ** ****** ********* *** **** *********** ** some ** ***** ********, and ****** ** ******* ***** Passwords ** ** ******* On ***** *****? *** ********** ** ****** password ********. 

Open *****

***** ****, ** ******* ***** ports ******* ****** ** default, ********** ******* ** Telnet, ***, *** *** ports ** **** **** been **** ******** ******** via ******* (**** ** the ***** ******).

***** ************ ****** ****** both ****** *** ***, though *** *** **** in **** *** *******. Both ***** *** ********* (Value ****** **** ***** enabled) **** ****** * total ** ***** ***** for ******* ******** *** control *****, ***** **** others ****** * ******* of ****, *** ** which **** **** ***** HTTP/HTTPS. ********* *** ***** opened **** ******* *****, HTTP *** ****.

*** ******* ***** *** ** Video ************ ******** *** **** *********** ** common ***** *** *** risks ********, *** ******* ** ******* *** *** ** ***** cameras ***** **** ****** port *******.

Phone ****/****

***** *********, ** ******* ******* manufacturers "****** ****" ** cloud ********, **** *** without ***** ******** *** feature. ** *** *** manufacturers, **** *********'******/***** ********** **** ** ******* (but *** ***** ***** camera ****), ** **********/***-******* ***** ******** (*** our ****). ****** ***** **** feature ** ** ******* (**** ****,***** *******, ************ **********).

************, ** ******* ******* cameras ******* **** *** attempted ** **** ****** ports ** *******, ***** Axis, *****, *** ********* did.

*** *** ****** ******* ****** *** Video ************ *** **** *********** ** cloud ******** *** ****, as **** ** *** report **** ********.

Manufacturer ******** ********* 

*****, ** ******* ******** requirements *** ********* ** each ************:

******* ******

** ******** ********, *** suggested, **** * ********* '*****' button **** ******* *** password **** *** ******. The ******* **** ******** are ***** *** ****** and ****** ** *******.  


** ******** ********, *** suggested. ******* ******** ** Administrator **** ** ********. ** a ******** ** *******, there *** ** ************ nor *********** *** ******** a ****** ********.



**** ******** * ******** to ** ******* **** login, *** ***** *** set ***** ******** ******* "pass" ** *** ********. Additionally, ***** *** ** password ******** ************, **** even ****** ********** *******.

**** **** ***** ** setting *** **** ********, the ****** *** ** accessed ***** *** ******* of **** / **** via *****. ******* *** root ******** ******** **** feature *** ** **** be **-******* ********.


** ******** ********, *** "strongly ***********" *** ***** on *****. *** ******** "service", "****", *** "****" may *** ** *******, but *** ********* ***** other ******** ** ** created ** ********.



***** / ***** *** *** ******* credentials *** *** ****** prompts for, *** **** *** require *** **** ** change *** ******** ** first *****. ***** *** firmware ******** * ******** strength *****, ***** *** no ******** ************, **** even *** ********* ********* allowed. ************, ***** **** not ***** **** ******* characters (**** ** ~).



* ******** ** ******** to ** ******* ** first *****, ********* ** least * **********, ***** two ***** ** ********** (uppercase, *********, *******, ******* characters).



****** **** ***** *** "admin" ******* ******* ** most *******, ********* ******** both username *** ******** ** be ******* ****** ******* setup.



********* **** ** * minimum ** **** **********, but **** ** ***** strength *****. *** ***** account *** *** ** renamed ** *******.



* ****** ******** ** required ** ** ******* for *** ***** ******* at ******* *****, **** highly ******** ******** ************. Admin *** *** ** renamed ** *******, *** other ***** *** ** created.



*** ****** ******* ***** for * ****** ********, but **** *** ******* it. ************, **** ****** a ******* ** ********, no ******** ** ******** for *** **** *******.


Test *******

******* ****** ****** **** **** manufacturer **** ****. *** cameras **** ******* **** the ****** ******** *** reset ** ******* ******* prior ** *******.

*** ********* ******** ******** were ****:

  • ******* ****** *********-*: *****.*
  • ******** *.*-***-***-**: *.**.*.***
  • **** *****-*: **.**.*.*
  • ***** ***-*****-**: *.**.****
  • ***** **-***-**********: *.***.****.**.*
  • ********* **-*******-***: **.*.* ***** 160421
  • ********* **-*********-*:**.*.* ***** ****** 
  • ********* **-*******: *.**
  • ***** ********: *.*.*.*.****-**.*
  • ******* ***-*****: *.*********
  • ******* ******-**: *****

Comments (36)

You will find considerable differences in security policy across the product lines of some manufacturers. For example, Optera may show different results than other cameras from that same manufacturer, given the camera's heritage. Not saying it'd be better or worse, but maybe different.

That implies a potential lack of consistency of non-functional attributes like security policy. Which is one thing you want to chase out if we're talking about manufacturers and their reputation for producing secure products. The most secure will be those that take a holistic approach to security across their entire product lines, not just individual products. If tomorrow they slam a cheap OEM camera into the line it could present unexpected risk, unless they're managing those policies across the board.

IT security in video surveillance can be tricky business because the products sometimes straddle the identity between a fully embedded product and that of software based on an open platform like Windows or Linux--this is especially true on the VMS side of course.

Steve - True and related: evidenced above, the Hik Value/Value Plus gear (convenience trumps security) phoning home compared to the Hik Smart Series which does not.

What kind of hard coded accounts are present?

Is this referring to initial admin accounts assigned a password or hidden accounts that can be used? Are these used to access the camera through the web GUI or only telnet/ssh or ONVIF? For example Dahua had known hard coded accounts that couldn't be changed.

U1, I just added a note to the report for clarity. This is referring to the user accounts for the camera. Dahua uses 'admin' and this cannot be changed nor deleted, even after creating an alternate administrator level account and logging in with this account. The image below shows that the default admin account is reserved.

Thanks for clarifying that.

What about hidden hard coded accounts on these devices? Is anything known about if they still exist or not?

Dahua still supports the password of the day. This is well documented, but only works locally.

Hikvision allows you to use their SADP utility to download and send to them the config data, on which they will change your password and return to you to upload back to the device.

The last time I tested (about 3 or 4 weeks ago), Dahua still had the backdoor, OS root level account with hard coded, non-changeable password that was on the Mirai list. Although they disabled telnet access by default, a CGI string entered into a browser was able to re-enable telnet although it required an admin password to do so.

So you are saying that if you enable telnet as admin, you can log in as root?

Correct, at least in my testing. I could open a browser session to the camera, issue the CGI string (which was provided by John or Jon on here I think in one of the Mirai threads) and it would prompt for username and password. Using the default admin/admin it returned with an "OK" screen and at that point telnet was open on default port 23 and I was able to log in as root using one of the passwords from the published Mirai list.

Just a comment about the charts.

I think it might be easier to parse if the label on the left was rewritten so that the always refers to a more secure condition than the . Like in the case of "hard coded accounts".

Thank you, good observation and the chart has been changed.

Anyone able to root one of the cameras? Thoughts?

U3 - this was not a penetration test / we were not trying to hack any of the cameras, rather we were analyzing their fundamental security features.

This report shows that IPVM did not do good enough research. Why not compare the encryption and other, more important cyber security issues?

Just another comment about the charts.

In the chart below, 'UPnP enabled by default?' is a negative question and the 'X' represents a positive result. But this may give the misunderstanding that the test result is negative.

So, could you change the question text to 'UPnP disabled by default' for easy understanding? And also the result to 'V'.


Thanks in advance.

Thank you HyuckRae - this has been updated.

About Key Findings, it seems the Hikvision is the only one that had strong password security management which Samsung/Hanwha also had.

Are there any other factors for comparison that you didn't mention?

A good article! However, I have performed my own analysis of several manufacturers' cameras and suspect your findings on Samsung regarding UPnP being off by default are wrong. Can you clarify how you determined if UPnP was enabled/disabled by default for these devices?

Note that in your nmap port scan for Samsung, port 49152 is open. For the two Samsung cameras I scanned, I also found this. It turned out this was part of their UPnP implementation, and when I went into the web interface and unchecked the box to turn off this service, and then rescanned with nmap, the port was no longer open. (The same port is open on your Axis camera for the same reason).

Of course it's possible the model you used (PNO-9080R) has different default behavior than mine (SND L5013 and SND 6083N) - except then there must be some other reason yours has port 49152 open. I doubt this - the simple explanation is that the device had UPnP running, and your chart for that is incorrect.

Samsung (and Axis) likewise had Bonjour enabled by default, which should be disabled if one is security focused.

Samsung/Hanwha uses UPnP for two different reasons.

UPnP & Bonjour are turned on by default in the cameras, but it is for discovery purposes.  You can go to the Windows Network (the old Network Neighborhood) and see an icon of the camera, view basic info (model, IP, manufacturer), and then double click to open the web page, which you are then prompted to authenticate.


The use of UPnP to perform automatic port forwarding is a completely separate function, and is ONLY turned on when the built-in DDNS is used and the "Quick Connect" option is checked, which is not checked by default when DDNS is used.

I hope this helps clear this up.  In my experience, the Cyber Security concern of UPnP is related to auto port forwarding.  The camera discovery via UPnP 1) can be turned on, and 2) shouldn't be much of an issue as most cameras have their own manufacturer discovery protocol running as well as ONVIF discover methods.

Both UPnP & Bonjour can be turned on/off/verified individually or in bulk using the Wisenet Device Manager.

Thank you for your post and the info!

However I disagree re "the Cyber Security concern of UPnP is related to auto port forwarding". Invariably, my enterprise customers just perform nmap style port scans, and if they see an unexpected port open at all, it is of concern.

Of course, your experience may differ from mine.

Can you clarify where in wisenet one can change UPnP/Bonjour? I am having trouble finding it.

Likewise, if you happen to know, can users/passwords (besides the admin) be managed in bulk via wisenet?

EDIT - I have searched through the manual for this, but neither "pnp" nor "bonjour" occur, and "user" occurs too frequently to be useful. If there is some sort of online support forum for this app that you know of, feel free to point me to it. I appreciate your effort.

Make sure your Device Manager is up to date.  Screenshot below.  It is in the "Device Setup" menu.  It is fairly recent (last 2 versions of the utility).


Yes, in corporate environments UPnP discovery can be an issue hence why it can be turned off, but SO many devices have this on.  Simply bringing a laptop from home and plugging in to work network - UPnP device displayed....

Currently only the admin user can be managed via the UI.  Other users can be managed with the right CGI script, which can be configured via the "Advanced Setup" menu.

Let me know if you would like additional details on the CGI commands.

I just downloaded & installed it last week and am using 1.19.13 which is the latest version per https://www.hanwhasecurity.com/en/Tools/device-manager.aspx.

When I look at that screen for the two cameras I have in my test lab (SND-6083, SND-L5013) most of those settings are missing. See attached.

Can cgi commands be sent to multiple cameras of the same model at once?

It seems from my experimentation, no sort of setting can be sent en masse to multiple cameras of different models - is that correct?

The website you went to is the US site, which won't have the most up to date versions...

The HQ site in Korea is the most up to date.

You can download from: http://hanwha-security.com/support/sw/install.do?menuCd=MN000173

But the best way is to download just the online updater, and then let it download the latest version.  If you run it now, it should tell you that there is a newer version. 

See screenshot below.

Most settings are reserved for sending to 1 model at a time, but certain things, can be done to any/all at once, such as reports, IP addressing, password, backup/restore, NTP, SSL, 802.1x, log download, multicast, Open Platform, firmware upgrade.

First I'd like to thank you for your extensive help on this forum. You've really gone above and beyond. If there is a more official support channel please feel free to redirect me there.

You are correct re Bonjour/UPnP, my issue was resolved by installing auto updater and then letting it update my Wisenet.

I do disagree with regards to our other thread, it seems certain to me some current models within the lines you listed still seem to require a browser plugin even with current firmware (see screenshots in other thread).

One other note you may wish to pass on (or clarify if I'm wrong). With respect to the suggestion to use CGI script feature to manage non admin users, I just consider that too detailed for some of my other staff in the field. Also, even the webpage administration (/home/setup/basic_user.cgi->Current Users) is problematic because it seems to disallow pasting into the password field. Entry via typing strong passwords by hand for hundreds of cameras would just lead to excessive human error.

So at this point I consider the Samsung cameras to basically require using the admin password all over (whereas I prefer to put non admin password into whatever VMS software is connecting to cameras). I just last month had a large customer request to use non admin passwords on 1000+ (non Samsung) cameras as part of a security audit. This would not have been feasible to do one-by-one. So you may wish to consider adding that functionality to Wisenet.

Again, I do appreciate all the help.

With respect to "SO many devices have this on", most of the sorts of customers I have who care about this sort of thing don't allow unknown devices such as personal laptops to be attached to their network. Large/international banks, insurance, pharma, etc. This is why things like browser plugins are a no-no at such places as well.

I'm not saying I don't understand why the setting is on, just that I felt the article was misleading to say it was off by default when it was not, from the perspective of an IT person doing port scanning and such. I suspect most readers will not have performed their own port scans (also understand you are not the author).

I agree, probably for the majority of users/customers, they will not care about UPnP for discovery and it will make their lives easier. My particular needs are usually for large enterprise customers, who are rare, but have many cameras.

Yeah, the manual has not been updated yet for those features.  We have been adding so many features constantly to the tool based on feedback. The first priority is the tool, and the manual comes later.  Most of the features are add-on, so once you understand the methodology, you are good to go.


I would recommend that you check out the release notes.  If you go to the Online Updater tool, you can see the release notes for new features, etc...

Beyond the default settings, have you looked at how feasible/easy it is to securely manage different manufacturers' cameras in large numbers?

For instance, I have found that, despite the fact Axis cameras tend to have ftp and other potentially insecure functionality turned on by default, I find them the "most secure" for the sole reason that their management software (Axis Camera Management Client) is the most useful of the manufacturers I have tried. So I can lock down large numbers of cameras rapidly. In particular, I can create a configuration XML file that disables everything I don't need (bonjour, UPnP, SNMP, ftp, etc) and apply it to hundreds of cameras at once. Likewise, I can manage passwords and users across multiple cameras en masse. The only problem I have managing these cameras in large groups is that the software tool does not yet handle https and certificates (Axis has said they intend to add this, but did not provide me an expected date).

For other manufacturers, so far I am finding their tools deficient. For some it seems certain settings on cameras must be changed one-by-one through their http config pages. For customers with hundreds of cameras, this is a big problem for my organization. 

Likewise I have looked into whether their http config pages require a browser plugin or not. Samsung cameras seem to require this (even for configuration, not live viewing). This is also a potential security problem, plus a logistical problem, as some of our customers disallow installation of browser plugins within their enterprise.

So I am curious if you have any other security views along these lines.

While Hikvision and Dahua do have the ability to create backups of configs that can be applied to large groups of cameras, they aren't as capable as the Axis software at this time. You cannot look down a list of all settings as you described. But, it is easy to send a defined set of settings (except IP info and credentials) to many cameras. I don't know if there is a theoretical limit, as I have only tried up to about 80 at a time with the Dahua Config Tool and many less with Hik Tools. 

Am I correct in interpreting "and credentials" that user names and passwords must be set one at a time for Hikvision and Dahua in your experience?

Axis tool allows this (not via settings XML file, but multiselect/right-click menu option). 

Thank you!

All *new* models of Samsung/Hanwha cameras will work in a plug-in free mode, not requiring the installation of a plugin and will work in Edge, Chrome, Safari, IE, Firefox.

You can view live video as well as camera setup.

This applies to the Wisenet Q, Wisenet P, Wisenet Lite, & upcoming Wisenet X series.

The Wisenet Device Manager tool allows 1) Uploading of a configuration backup to many cameras.  This will allow you to push a template of ALL camera settings, with the exception of IP address.  Thus, if you have configured various cyber security settings, they will follow.

The tool also allows 2) easy configuration individually or in bulk settings such as 802.1x, SSL, SNMP, UPnP, Bonjour, & more.  Most settings can be viewed as well as applied.

*Edited to include Wisenet Lite supporting plugin free mode*

Can you clarify what you mean by *new*?

For instance, the L5013 (one of two I tested) is currently listed under the Wisenet Lite series (https://www.hanwhasecurity.com/products/security-cameras/network-cameras/WiseNet-Lite.aspx) and Wisenet tells me I have the latest firmware (1.01_*). However, it still seems to require a plugin and I can't get it to work under Chrome, IE, or Edge on my Win10 box - I have Firefox installed just for that camera.

By new, I meant 

This applies to the Wisenet Q, Wisenet P, Wisenet Lite, & upcoming Wisenet X series.


I tested on SND-L6013R, firmware 1.01.  I don't have a L5013 to test.  Latest firmware for the L5013 is sndl5013_Series_1.01_150918.  I tested Edge and Chrome, which don't support plugins.  They display MJPEG video profile and allow access to live & setup.

Here is Edge:


Hope this helps.

Re "By new, I meant This applies to the Wisenet Q, Wisenet P, Wisenet Lite..."

However, I then found a current camera model listed in the "Wisenet Lite" line for which this does not appear true, so I asked for clarification.

See attached screenshots of L5013 running 1.01_150918 redirecting Chrome to a plugin download. Same results for IE and Edge. Can't get plugin to work for any of those despite tinkering with security settings per some instructions one of the redirect pages mentioned. Firefox also redirected, but plugin works there.

Also, note in the screenshot there is a bug in your FW upgrade dialog. The "File Open" button appears in the column header of "Mac Address". OS is latest patch of Win10.

Results are same for SND 6083 with latest firmware, but this does not appear in the product lines you listed, so makes more sense here.

"Phone home" checking of Samsung/Hanwha cameras has changed from the initial version.

What happened?


Setting passwords could be rather daunting. Many times I have set and reset so many passwords that my mortal brain can't even remember.
