Thank you Milestone! You just set the bar for everyone else.
Milestone Entry Level Mobile Password Vulnerability Disclosed
While many manufacturers have only addressed cybersecurity vulnerabilities after public disclosures were made (or threatened), Milestone has proactively identified and resolved a vulnerability that could allow unauthorized remote access to camera feeds. The company recently notified partners of a potential vulnerability in default installations, including how to close the vulnerability to prevent unauthorized camera viewing.
Additional details of the vulnerability, and mitigation steps, are in this report.
Vulnerability *******
*** ********* ******** ******* * ******* "admin" **** **** * ******* ******** that ** ******* ****** ************:
- ******** ******* *.** ** **** **
- ******** ********* *.** ** **** **
- ******** ** *** ******** (*** ************)
**** **** *** ****** *** ****** end ******** **** ** **********, *********, Advanced, ***.
*** ******* ******* *** ********* ******* to **** ** ****** *** ***** to *** ** *** *******, ********* to *********.
Milestone ************ *****
** *********** **** ***** ** ********, Milestone **** *** ********* ***** ********** the ************* ** ******:
Mobile ****** / ****** ****** ******* ******
**** ************* ** ************ ********** ** cases ***** *** ******** ****** *** remote ****** *******, ****** *** *********'* mobile ******, ** *** *** ******** SmartClient. ** ***** *********, * ****** person ***** ******* *** ******* *********** to **** **** ** ******** *****, potentially ******** ********* ****/******* ** *** location ** ************ *******.
Closing *** *************
********* ********** *** ********** ** ***** this *************:
- ****** *** ******* ***** **** ** change ******** ** ********* ******
- ****** ** **** ** *******, ***** removes *** ******* *******. **** ******* **** be ********* **** *, ****.
XProtect ************ / ********** ********* ** ** ********
******* ************* ** ***** ******** ** XProtect ** *** **** **** *****, according ** *********, *** ** ***** upgraded ** ******** ****** ** * higher *******, *** ******* **** ***** have ******** ** *****, ******** ***** upgraded ******* ** *** **** *************. In ***** *****, *** ******* ******* should ** ******* ** **** *** password *******.
Default **** ******* ******
********* ****** **** **** ******* **** has "*****" / ******* ******, *** would *** ** **** ** ********** the ***.
Severity ********
*** ************* ** ********** *** **** compared ** ***** ****** ************ ************* issues, **** ** ***** **** ****, *****, ******, ** *********. * ******* ********** ** **** this ************* ** ****** ****** ** deleting *** ******* ****, ** ******** its ********, ********* ***** **** ********-********* users **** ****** ******* ****, ** the ******* *** *** ****** ** secret ** *** ***. *******, **** account *** *** **** ***** ******, limiting ** ********* ** ******* *****, unable ** ***** ******** ** ****** malicious **** ** *** ******.
No ***** ***** ******* *********
***** *** ** ***** ***** ******* passwords ** ********* ******** ********* ** Milestone.
Proper ******** ** *********
*********** ********** **** *****, *** ******* communicating *** ****** *** ******* ** address *** *************, ****** ******* *************'* ******* ******** ********** ***** ***********.*** ********** ******* **** ********** ** an **** *************** ** ****:
**** ***** ** ** ***** ***** explains ****** ... *** ** ** the ***** ************ **** *** **** out *** **** *** ***** ** acknowledge * ********* ******* **** **** made.