Thank you Milestone! You just set the bar for everyone else.
Milestone Entry Level Mobile Password Vulnerability Disclosed
Published May 24, 2017 17:45 PM
While many manufacturers have only addressed cybersecurity vulnerabilities after public disclosures were made (or threatened), Milestone has proactively identified and resolved a vulnerability that could allow unauthorized remote access to camera feeds. The company recently notified partners of a potential vulnerability in default installations, including how to close the vulnerability to prevent unauthorized camera viewing.
Additional details of the vulnerability, and mitigation steps, are in this report.
Vulnerability *******
*** ********* ******** ******* * ******* "admin" **** **** * ******* ******** that ** ******* ****** ************:
- ******** ******* *.** ** **** **
- ******** ********* *.** ** **** **
- ******** ** *** ******** (*** ************)
**** **** *** ****** *** ****** end ******** **** ** **********, *********, Advanced, ***.
*** ******* ******* *** ********* ******* to **** ** ****** *** ***** to *** ** *** *******, ********* to *********.
Milestone ************ *****
** *********** **** ***** ** ********, Milestone **** *** ********* ***** ********** the ************* ** ******:
Mobile ****** / ****** ****** ******* ******
**** ************* ** ************ ********** ** cases ***** *** ******** ****** *** remote ****** *******, ****** *** *********'* mobile ******, ** *** *** ******** SmartClient. ** ***** *********, * ****** person ***** ******* *** ******* *********** to **** **** ** ******** *****, potentially ******** ********* ****/******* ** *** location ** ************ *******.
Closing *** *************
********* ********** *** ********** ** ***** this *************:
- ****** *** ******* ***** **** ** change ******** ** ********* ******
- ****** ** **** ** *******, ***** removes *** ******* *******. **** ******* **** be ********* **** *, ****.
XProtect ************ / ********** ********* ** ** ********
******* ************* ** ***** ******** ** XProtect ** *** **** **** *****, according ** *********, *** ** ***** upgraded ** ******** ****** ** * higher *******, *** ******* **** ***** have ******** ** *****, ******** ***** upgraded ******* ** *** **** *************. In ***** *****, *** ******* ******* should ** ******* ** **** *** password *******.
Default **** ******* ******
********* ****** **** **** ******* **** has "*****" / ******* ******, *** would *** ** **** ** ********** the ***.
Severity ********
*** ************* ** ********** *** **** compared ** ***** ****** ************ ************* issues, **** ** ***** **** ****, *****, ******, ** *********. * ******* ********** ** **** this ************* ** ****** ****** ** deleting *** ******* ****, ** ******** its ********, ********* ***** **** ********-********* users **** ****** ******* ****, ** the ******* *** *** ****** ** secret ** *** ***. *******, **** account *** *** **** ***** ******, limiting ** ********* ** ******* *****, unable ** ***** ******** ** ****** malicious **** ** *** ******.
No ***** ***** ******* *********
***** *** ** ***** ***** ******* passwords ** ********* ******** ********* ** Milestone.
Proper ******** ** *********
*********** ********** **** *****, *** ******* communicating *** ****** *** ******* ** address *** *************, ****** ******* *************'* ******* ******** ********** ***** ***********.*** ********** ******* **** ********** ** an **** *************** ** ****:
**** ***** ** ** ***** ***** explains ****** ... *** ** ** the ***** ************ **** *** **** out *** **** *** ***** ** acknowledge * ********* ******* **** **** made.
Comments (1)
MM
Michael Miller
May 24, 2017