ONVIF Profile Q Aims To Change Discovery and Default PasswordsBy: John Honovich, Published on Jan 13, 2015
ONVIF is gearing up to release a new profile, called Q.
They market it as providing "quick configuration and installation, providing innate discoverability and reliable device monitoring and event management capabilities."
- How is Profile Q different than the current Profile S?
- What are the big changes / additions in Profile Q?
- How will requirements in discovery and default passwords impact manufacturers and systems?
Inside, we answer these questions based on a discussion with the engineers contributing to this upcoming Profile.
Profile Q Vs Profile S and G
Profile Q is new and independent of Profile S (streaming) and G (recording). One might theoretically just support Q but we would expect most every device that supports Q to also support S.
Q is narrowly focused on the discovery, installation and monitoring. It does not address streaming, camera configuration, motion detection, PTZ, i/o, etc. All of that remains in Profile S. To that end, Profile Q is better thought of as an enhancement to Profile S.
For those who want to read the actual spec, the Profile Q Release Candidate 1.0 specification is available here. We will discuss the key elements below.
Today, IP camera manufacturers choose from a wide variety of ways to be discovered, with different discovery protocols and even some that set a fixed IP address. Because of that, it can be difficult to initially find different cameras and, at least, requires the VMS to implement / know how each manufacturer goes about being discovered or getting started.
Profile Q will now require conformant devices to support ZeroConfig, aka Zero Configuration Networking, which is best known for assigning a 169.x.x.x address if a dynamic address can not be assigned by a DHCP server.
If many manufacturers adopt Profile Q, and all thereby use the same discovery protocol, it should simplify and increase the probability of finding all IP cameras / devices on a local network. However, if manufacturers currently use a different approach, it would require them to change it to comply with Profile Q.
Requires No Default Password
Most IP cameras today have hard-coded default IP passwords, e.g., admin/admin or admin/1234, etc. (see the IP camera default password directory).
Profile Q requires eliminating this. With Profile Q, a device will not have any default password and when one first connects, in a default state, you are then required to setup a password. For those familiar with Axis, this is how they do it (see: IP Camera Passwords - Axis, Dahua, Samsung).
Since most manufacturers today have a default password, this would require them to change their fundamental password approach.
Since so many people never change passwords, ONVIF hopes that this will decrease security risks of an adversary just entering in the default password and gaining full access.
Other Profile Q Notable Requirements
The above two have the broadest potential impacts. There are a few other requirements / elements worth noting:
- Adds basic monitoring capabilities such as processor usage, time of last reset and last reboot and last time synchronization.
- Eliminates requirement of time synchronization which has caused connectivity issues.
- Once the password has been set, Profile Q more tightly restricts what user levels can make changes to camera features / settings.
Impact of ONVIF Profile Q
The big two elements of Profile Q could address 2 notable pain points in using IP cameras. However, this will require manufacturers opting into Profile Q and, in doing so, changing some of their basic operations.
We expect Profile Q to be official before the end of 2015 and to take a few years for adoption to spread.
Profile Q has failed to garner significant support. As a point of fact, only 166 cameras currently support ONVIF Profile Q, including none from Avigilon, Axis, Dahua, Hanwha, Hikvision.