Milestone Entry Level Mobile Password Vulnerability Disclosed

By: Brian Karas, Published on May 24, 2017

While many manufacturers have only addressed cybersecurity vulnerabilities after public disclosures were made (or threatened), Milestone has proactively identified and resolved a vulnerability that could allow unauthorized remote access to camera feeds. The company recently notified partners of a potential vulnerability in default installations, including how to close the vulnerability to prevent unauthorized camera viewing.

Additional details of the vulnerability, and mitigation steps, are in this report.

***** **** ************* **** **** addressed ************* *************** ***** public *********** **** **** (or **********), ********* *** proactively ********** *** ******** a ************* **** ***** allow ************ ****** ****** ** camera *****. *** ******* recently ******** ******** ** a ********* ************* ** default *************, ********* *** to ***** *** ************* to ******* ************ ****** viewing.

********** ******* ** *** vulnerability, *** ********** *****, are ** **** ******.

[***************]

Vulnerability *******

*** ********* ******** ******* a ******* "*****" **** with * ******* ******** that ** ******* ****** installation:

  • ******** ******* *.** ** 2017 **
  • ******** ********* *.** ** 2017 **
  • ******** ** *** ******** (all ************)

**** **** *** ****** the ****** *** ******** such ** **********, *********, Advanced, ***.

*** ******* ******* *** initially ******* ** **** it ****** *** ***** to *** ** *** running, ********* ** *********.

Milestone ************ *****

** *********** **** ***** to ********, ********* **** the ********* ***** ********** the ************* ** ******:

Mobile ****** / ****** ****** ******* ****** 

**** ************* ** ************ applicable ** ***** ***** the ******** ****** *** remote ****** *******, ****** via *********'* ****** ******, or *** *** ******** SmartClient. ** ***** *********, a ****** ****** ***** utilize *** ******* *********** to **** **** ** recorded *****, *********** ******** sensitive ****/******* ** *** location ** ************ *******.

Closing *** *************

********* ********** *** ********** to ***** **** *************:

  • ****** *** ******* ***** user ** ****** ******** to ********* ******
  • ****** ** **** ** release, ***** ******* *** default *******. **** ******* **** be ********* **** *, 2017. 

XProtect ************ / ********** ********* ** ** ********

******* ************* ** ***** versions ** ******** ** not **** **** *****, according ** *********, *** if ***** ******** ** affected ****** ** * higher *******, *** ******* user ***** **** ******** in *****, ******** ***** upgraded ******* ** *** same *************. ** ***** cases, *** ******* ******* should ** ******* ** have *** ******** *******.

Default **** ******* ******

********* ****** **** **** default **** *** "*****" / ******* ******, *** would *** ** **** to ********** *** ***.

Severity ********

*** ************* ** ********** low **** ******** ** other ****** ************ ************* issues, **** ** ***** from ***************, ** *********. * ******* ********** is **** **** ************* is ****** ****** ** deleting *** ******* ****, or ******** *** ********, something ***** **** ********-********* users **** ****** ******* done, ** *** ******* was *** ****** ** secret ** *** ***. Further, **** ******* *** not **** ***** ******, limiting ** ********* ** viewing *****, ****** ** alter ******** ** ****** malicious **** ** *** system.

No ***** ***** ******* *********

***** *** ** ***** known ******* ********* ** Milestone ******** ********* ** Milestone.

Proper ******** ** *********

*********** ********** **** *****, and ******* ************* *** impact *** ******* ** address *** *************, ****** further *************'* ******* ******** ********** among ***********.*** ********** ******* **** disclosure ** ** **** discussion***** ** ****:

**** ***** ** ** inbox ***** ******** ****** ... *** ** ** the ***** ************ **** has **** *** *** been *** ***** ** acknowledge * ********* ******* that **** ****.

Comments (1)

Michael Miller

05/24/17 07:40pm

Thank you Milestone!  You just set the bar for everyone else.

Login to read this IPVM report.

Related Reports

Use Access Control Logs To Constrain Coronavirus on Apr 09, 2020
Access control users have included capabilities that are not commonly used...
Resideo AlarmNet Has Major Outage on Mar 12, 2020
AlarmNet suffered a major outage yesterday, impacting Total Connect, Resideo,...
Anyvision Layoffs on Mar 19, 2020
Anyvision has conducted a layoff, citing the impact of coronavirus, joining a...
Dahua Critical Cloud Vulnerabilities on May 12, 2020
Dahua has acknowledged a series of cloud vulnerabilities that researcher...
Breaking Into A Facility Using Canned Air Tested on Jan 28, 2020
Access control is supposed to make doors more secure, but a $5 can of...
Milestone Presents XProtect On AWS on May 04, 2020
Milestone presented its XProtect on AWS offering at the April 2020 IPVM New...
China DVR/NVR Backdoor Discovered, Huawei Refutes on Feb 07, 2020
A backdoor was found in Chinese-produced DVRs and NVRs that secretly allowed...
Help Security End Users Facing Coronavirus Improve Remote Access on Mar 24, 2020
Many end-users and integrators are struggling with the impact of coronavirus...
Genetec Security Center 5.9 Release Examined on Feb 06, 2020
Genetec released the next major version of Security Center, less than a year...
Convergint Coronavirus Cuts on Mar 25, 2020
One of the world's largest security integrators, Convergint, has made a major...
ZKTeco Presents SpeedFace Recognition + Body Temperature Detection on Apr 21, 2020
ZKTeco presented its SF1008+ reader with body temperature and face mask...
Camio Presents Coronavirus Social Distancing Analytics on Apr 20, 2020
Camio presented its social distancing analytics for responding to coronavirus...
Surveillance Storage 101 on Mar 23, 2020
This guide teaches the fundamentals of video surveillance...
Remote Network Access for Video Surveillance Guide on Jul 27, 2020
Remotely accessing surveillance systems is key in 2020, with more and more...
30 Million Criminal Face Database Tested (Captis Intelligence) on Apr 27, 2020
30 million criminal mugshots are now available for facial recognition...

Recent Reports

Dangerous Hikvision Fever Camera Showcased by Chilean City on Aug 07, 2020
Deploying a fever camera outdoors, in the rain, with no black body, is...
"Grand Slam" For Pelco's PE Firm, A Risk For Motorola on Aug 07, 2020
The word "Pelco" and "grand slam" have not been said together for many years....
FLIR Stock Falls, Admits 'Decelerating' Demand For Temperature Screening on Aug 07, 2020
Is the boom going to bust for temperature screening? FLIR disappointed...
VSaaS Will Hurt Integrators on Aug 06, 2020
VSaaS will hurt integrators, there is no question about that. How much...
Dogs For Coronavirus Screening Examined on Aug 06, 2020
While thermal temperature screening is the surveillance industry's most...
ADT Slides Back, Disappointing Results, Poor Commercial Performance on Aug 06, 2020
While ADT had an incredible start to the week, driven by the Google...
AHJ / Authority Having Jurisdiction Tutorial on Aug 06, 2020
One of the most powerful yet often underappreciated characters in all of the...
SIA Coaches Sellers on NDAA 889B Blacklist Workarounds on Aug 05, 2020
Last month SIA demanded that NDAA 899B "must be delayed". Now that they have...
ADI Returns To Growth, Back To 'Pre-COVID Levels' on Aug 05, 2020
While ADI was hit hard in April, with revenue declining 21%, the company's...
Exposing Fever Tablet Suppliers and 40+ Relabelers on Aug 05, 2020
IPVM has found 40+ USA and EU companies relabeling fever tablets designed,...
Directory of 201 "Fever" Camera Suppliers on Aug 04, 2020
This directory provides a list of "Fever" scanning thermal camera providers...
Face Masks Increase Face Recognition Errors Says NIST on Aug 04, 2020
COVID-19 has led to widespread facemask use, which as IPVM testing has shown...
Dahua Loses Australian Medical Device Approval on Aug 04, 2020
Dahua has cancelled its medical device registration after "discussions" with...
Google Invests in ADT, ADT Stock Soars on Aug 03, 2020
Google has announced a $450 million investment in the Florida-based security...