Milestone Entry Level Mobile Password Vulnerability Disclosed

By Brian Karas, Published May 24, 2017, 01:45pm EDT

While many manufacturers have only addressed cybersecurity vulnerabilities after public disclosures were made (or threatened), Milestone has proactively identified and resolved a vulnerability that could allow unauthorized remote access to camera feeds. The company recently notified partners of a potential vulnerability in default installations, including how to close the vulnerability to prevent unauthorized camera viewing.

Additional details of the vulnerability, and mitigation steps, are in this report.

Vulnerability *******

*** ********* ******** ******* a ******* "*****" **** with * ******* ******** that ** ******* ****** installation:

  • ******** ******* *.** ** 2017 **
  • ******** ********* *.** ** 2017 **
  • ******** ** *** ******** (all ************)

**** **** *** ****** the ****** *** ******** such ** **********, *********, Advanced, ***.

*** ******* ******* *** initially ******* ** **** it ****** *** ***** to *** ** *** running, ********* ** *********.

Milestone ************ *****

** *********** **** ***** to ********, ********* **** the ********* ***** ********** the ************* ** ******:

Mobile ****** / ****** ****** ******* ****** 

**** ************* ** ************ applicable ** ***** ***** the ******** ****** *** remote ****** *******, ****** via *********'* ****** ******, or *** *** ******** SmartClient. ** ***** *********, a ****** ****** ***** utilize *** ******* *********** to **** **** ** recorded *****, *********** ******** sensitive ****/******* ** *** location ** ************ *******.

Closing *** *************

********* ********** *** ********** to ***** **** *************:

  • ****** *** ******* ***** user ** ****** ******** to ********* ******
  • ****** ** **** ** release, ***** ******* *** default *******. **** ******* **** be ********* **** *, 2017. 

XProtect ************ / ********** ********* ** ** ********

******* ************* ** ***** versions ** ******** ** not **** **** *****, according ** *********, *** if ***** ******** ** affected ****** ** * higher *******, *** ******* user ***** **** ******** in *****, ******** ***** upgraded ******* ** *** same *************. ** ***** cases, *** ******* ******* should ** ******* ** have *** ******** *******.

Default **** ******* ******

********* ****** **** **** default **** *** "*****" / ******* ******, *** would *** ** **** to ********** *** ***.

Severity ********

*** ************* ** ********** low **** ******** ** other ****** ************ ************* issues, **** ** ***** from ***************, ** *********. * ******* ********** is **** **** ************* is ****** ****** ** deleting *** ******* ****, or ******** *** ********, something ***** **** ********-********* users **** ****** ******* done, ** *** ******* was *** ****** ** secret ** *** ***. Further, **** ******* *** not **** ***** ******, limiting ** ********* ** viewing *****, ****** ** alter ******** ** ****** malicious **** ** *** system.

No ***** ***** ******* *********

***** *** ** ***** known ******* ********* ** Milestone ******** ********* ** Milestone.

Proper ******** ** *********

*********** ********** **** *****, and ******* ************* *** impact *** ******* ** address *** *************, ****** further *************'* ******* ******** ********** among ***********.*** ********** ******* **** disclosure ** ** **** discussion***** ** ****:

**** ***** ** ** inbox ***** ******** ****** ... *** ** ** the ***** ************ **** has **** *** *** been *** ***** ** acknowledge * ********* ******* that **** ****.

Comments (1)

Thank you Milestone! You just set the bar for everyone else.
