Milestone Entry Level Mobile Password Vulnerability Disclosed

By Brian Karas, Published on May 24, 2017

While many manufacturers have only addressed cybersecurity vulnerabilities after public disclosures were made (or threatened), Milestone has proactively identified and resolved a vulnerability that could allow unauthorized remote access to camera feeds. The company recently notified partners of a potential vulnerability in default installations, including how to close the vulnerability to prevent unauthorized camera viewing.

Additional details of the vulnerability, and mitigation steps, are in this report.

Vulnerability *******

*** ********* ******** ******* a ******* "*****" **** with * ******* ******** that ** ******* ****** installation:

  • ******** ******* *.** ** 2017 **
  • ******** ********* *.** ** 2017 **
  • ******** ** *** ******** (all ************)

**** **** *** ****** the ****** *** ******** such ** **********, *********, Advanced, ***.

*** ******* ******* *** initially ******* ** **** it ****** *** ***** to *** ** *** running, ********* ** *********.

Milestone ************ *****

** *********** **** ***** to ********, ********* **** the ********* ***** ********** the ************* ** ******:

Mobile ****** / ****** ****** ******* ****** 

**** ************* ** ************ applicable ** ***** ***** the ******** ****** *** remote ****** *******, ****** via *********'* ****** ******, or *** *** ******** SmartClient. ** ***** *********, a ****** ****** ***** utilize *** ******* *********** to **** **** ** recorded *****, *********** ******** sensitive ****/******* ** *** location ** ************ *******.

Closing *** *************

********* ********** *** ********** to ***** **** *************:

  • ****** *** ******* ***** user ** ****** ******** to ********* ******
  • ****** ** **** ** release, ***** ******* *** default *******. **** ******* **** be ********* **** *, 2017. 

XProtect ************ / ********** ********* ** ** ********

******* ************* ** ***** versions ** ******** ** not **** **** *****, according ** *********, *** if ***** ******** ** affected ****** ** * higher *******, *** ******* user ***** **** ******** in *****, ******** ***** upgraded ******* ** *** same *************. ** ***** cases, *** ******* ******* should ** ******* ** have *** ******** *******.

Default **** ******* ******

********* ****** **** **** default **** *** "*****" / ******* ******, *** would *** ** **** to ********** *** ***.

Severity ********

*** ************* ** ********** low **** ******** ** other ****** ************ ************* issues, **** ** ***** from ***************, ** *********. * ******* ********** is **** **** ************* is ****** ****** ** deleting *** ******* ****, or ******** *** ********, something ***** **** ********-********* users **** ****** ******* done, ** *** ******* was *** ****** ** secret ** *** ***. Further, **** ******* *** not **** ***** ******, limiting ** ********* ** viewing *****, ****** ** alter ******** ** ****** malicious **** ** *** system.

No ***** ***** ******* *********

***** *** ** ***** known ******* ********* ** Milestone ******** ********* ** Milestone.

Proper ******** ** *********

*********** ********** **** *****, and ******* ************* *** impact *** ******* ** address *** *************, ****** further *************'* ******* ******** ********** among ***********.*** ********** ******* **** disclosure ** ** **** discussion***** ** ****:

**** ***** ** ** inbox ***** ******** ****** ... *** ** ** the ***** ************ **** has **** *** *** been *** ***** ** acknowledge * ********* ******* that **** ****.

Comments (1)

Thank you Milestone!  You just set the bar for everyone else.

Read this IPVM report for free.

This article is part of IPVM's 6,592 reports, 889 tests and is only available to members. To get a one-time preview of our work, enter your work email to access the full article.

Already a member? Login here | Join now

Related Reports

Access Control Levels and Schedules Tutorial on Sep 29, 2020
Configuring access levels and setting up schedules is central to maintaining...
Risks Of Managing End User Passwords (Statistics) 2020 on Sep 11, 2020
Alarmingly, most integrators used spreadsheets to manage passwords, IPVM...
Dahua Critical Cloud Vulnerabilities on May 12, 2020
Dahua has acknowledged a series of cloud vulnerabilities that researcher...
Face Masks Increase Face Recognition Errors Says NIST on Aug 04, 2020
COVID-19 has led to widespread facemask use, which as IPVM testing has shown...
US GSA Explains NDAA 889 Part B Blacklisting on Jul 31, 2020
With the 'Blacklist Clause' going into effect August 13 that bans the US...
Verkada Disruptive Embedded Live Help on Sep 24, 2020
Call up your integrator? Have someone come by the next day? Verkada is...
Keypads For Access Control Tutorial on Jul 28, 2020
Keypad readers present huge risks to even the best access systems. If...
Use Access Control Logs To Constrain Coronavirus on Apr 09, 2020
Access control users have included capabilities that are not commonly used...
Ubiquiti Access Control Tested on Oct 21, 2020
Ubiquiti has become one of the most widely used wireless and switch providers...
Milestone Presents XProtect On AWS on May 04, 2020
Milestone presented its XProtect on AWS offering at the April 2020 IPVM New...
Remote Network Access for Video Surveillance Guide on Jul 27, 2020
Remotely accessing surveillance systems is key in 2020, with more and more...
Verkada Access Control Tested on Sep 09, 2020
Verkada raised $80 million earlier in 2020, expanding from video into access...
Access Visitor Management Systems Guide on Jul 22, 2020
"Who are you, and why are you here?" Facilities that implement Visitor...
AHJ / Authority Having Jurisdiction Tutorial on Aug 06, 2020
One of the most powerful yet often underappreciated characters in all...
Exit Devices For Access Control Tutorial on Aug 25, 2020
Exit Devices, also called 'Panic Bars' or 'Crash Bars' are required by safety...

Recent Reports

ISC Brasil Digital Experience 2020 Report on Oct 23, 2020
ISC Brasil 2020 rebranded itself to ISC Digital Experience and, like its...
Top Video Surveillance Service Call Problems 2020 on Oct 23, 2020
3 primary and 4 secondary issues stood out as causing the most problems when...
GDPR Impact On Temperature / Fever Screening Explained on Oct 22, 2020
What impact does GDPR have on temperature screening? Do you risk a GDPR fine...
Security And Safety Things (S&ST) Tested on Oct 22, 2020
S&ST, a Bosch spinout, is spending tens of millions of dollars aiming to...
Nokia Fever Screening Claims To "Advance Fight Against COVID-19" on Oct 22, 2020
First IBM, then briefly Clorox, and now Nokia becomes the latest Fortune 500...
Deceptive Meridian Temperature Tablets Endanger Public Safety on Oct 21, 2020
IPVM's testing of and investigation into Meridian Kiosk's temperature...
Honeywell 30 Series and Vivotek NVRs Tested on Oct 21, 2020
The NDAA ban has driven many users to look for low-cost NVRs not made by...
Ubiquiti Access Control Tested on Oct 21, 2020
Ubiquiti has become one of the most widely used wireless and switch providers...
Avigilon Aggressive Trade-In Program Takes Aim At Competitors on Oct 20, 2020
Avigilon has launched one of the most aggressive trade-in programs the video...
Mexico Video Surveillance Market Overview 2020 on Oct 20, 2020
Despite being neighbors, there are key differences between the U.S. and...
Dahua Revenue Grows But Profits Down, Cause Unclear on Oct 20, 2020
While Dahua's overall revenue was up more than 12% in Q3 2020, a significant...
Illegal Hikvision Fever Screening Touted In Australia, Government Investigating, Temperature References Deleted on Oct 20, 2020
The Australian government told IPVM that they are investigating a Hikvision...
Panasonic Presents i-PRO Cameras and Video Analytics on Oct 19, 2020
Panasonic i-PRO presented its X-Series cameras and AI video analytics at the...
Augmented Reality (AR) Cameras From Hikvision and Dahua Examined on Oct 19, 2020
Hikvision, Dahua, and other China companies are marketing augmented reality...
18 TB Video Surveillance Drives (WD and Seagate) on Oct 19, 2020
Both Seagate and Western Digital recently announced 18TB hard drives...