Pelco Fixes Hard Coded Credential Vulnerability

By: Brian Karas, Published on Jul 19, 2016

One dirty secret in the industry is that many devices ship with unpublished manufacturer admin accounts. While convenient for support techs, these accounts pose serious security risks and open systems up to abuse.

Pelco recently disclosed that their Digital Sentry product line had a hard-coded secret admin account, which they removed in their latest firmware.

We received information from Pelco about this vulnerability and about which other platforms are affected, and provide the details in this report.

Vulnerability *******

**** ******** ********* *** ************* ** a ****-***** ***** ***** account *** ***** *** following ** ******** ** the ********** ** ********** this *************:

"** ******** **** * low ***** ***** ** able ** ******* **** vulnerability."

*** ***** *** ******** with ** ******** ******* 7.13.84, *** *** ******* recommendation **** ***** ** for ***** ** ******* version *.**, ***** ** obtained **** *** ******* ****** ******* ****.

********* ** *** ********, Schneider ********* *** ********* of **** ******* ** their ***, ** **** not ****** ** **** been ************* ********** ** exploited (***).

Pelco's ********

***** **** **** **** ******* vulnerability *** ******* ** order ********* ******** *** **** more ********* ****** *** their ********** *********. ***** confirmed *** *****-***** ******* ***** be **** ******** *** allowed **** ****** ** affected *****.

*****'* ***** ******* ***, ********** *** **** ** *** have * ******* ****-***** account.

Hard ***** ******** *** *******

************ ******* ********* ***** like ** *** ****** access ** * ****** for ***************, ******* ** working ******* *** ******* means ********* ** *** end-user ** ********** ****.  Hard-coded *****-***** ******** ******* these ******* ***** * consistent *** ** *** into *** ** ** the ****** *** **** around ********, ** ******* admin ********* **** ***** a ********* ***** ********.

*** ******* ** ********* fiascos **** "*****'* *********** **** ****** and **** * ****** button" *******, ** ******* live ********* *** ***** on * ******, **** these ******** ****** ******** to ******* ***** **** want ** ***** ******* quickly *** ***********.  ***** manufacturer ******* **** ****** has * ***** ***** how **** **** * hard-coded ***** ******* ** resolve ** ***** *******, or ****** **** *** one **** **** *******.

Impossible ** **** ******

***** ****-***** ******** *** valuable ** ******* *****, **** time ********* ** ***** accounts ***** ***, ****** in *** **** ** the **** ***********, ** just ********* **** **** an ******* ***** ******. As ***** **** **** job ** ***, **** take **** ******** ********* with ****, ********** *** chances ** ** *** day **** ** ******* a ********'* ******.

Can ***** ******* ***** ** ********** *********

********** ********* ***** **** issues **** ****-***** "******" accounts, *** *** **** reason.  ***** ******** *** enable ****** ***** ****** to * ******, **** times ** * ****** that ***** *** **** up ** ******** ****, allowing ****** *** ***** the ******* *********** ** possible **** ***** ** sensitive *****, ** *** the *********** ****** ** a ********* **** ** the *******.  

****** ********** ********* **** often ******* **** ******* either ******** **** ******* of ***** ********, ** require ******* ** ******* a ***** **** ** such ****-***** ******** ***** in *** ********.  ** suspect **** ** **** may **** *** ** Pelco ******** * ****-***** account **** ****** ******* in *** ******* *** several *****. 

Practical Alternatives ** **** ***** ********

***** *** **** ****** ways ** **** ***** *****-***-**** access than ********** *** **** fixed *********** ** **** of ********* ** *****. **** examples:

  • ******* ***** ******* ** a **** ** ******-******** data, **** ** * camera's ****** ******. **** is *** ****** ********* uses, ***** ********* ** admin ******** **** ** tied ** *** ******'* serial ******, *** **** the **** (** *** admin ******** ******* ******* after ***).  ****** *** algorithm *** ******** *** the ***** ******** *** be ****** (** ******** ** ********* in ****), ** *** ******'* serial ****** ** *** remotely ******** **** ******** is ********** ******.
  • ******* *** **** ** enable ****** ******* ****** by ******* ** * software ********, ******* * button ** *** ******, or ******* ******.  **** prevents ******* ***** **** accessing *** **** ******* the ******** ***** ***** and ********** ******** **** access, *** *** *** downside ** ********* *** user ** ****** *** function, ***** *** *** be ******** ** *** user ********* ** ****, or ** *** **** is ****** ***.  *********, pushing * ****** ** action **** ******** ***** at *** ****** *** hinder *************** ** *** device ** ** * remote/unmanned ****.
  • *** ***-****** **************, ***** the ******* **** ***** retrieve **** ***** ** data **** ** ****** management ****** ** *** manufacturer's **.  **** ****** has *** ******* ** being **** ** *** who ********* ****** ** a ***** ****, *** when, ********* ** ***** log ** ***** *****.
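The first alternative above describes deriving a service credential from device-specific data such as the serial number, and the date, instead of shipping one fixed account in every unit. The following is an added example written for this report, not Pelco's, Dahua's or Hikvision's actual code. The scheme (HMAC-SHA256 over serial and date, truncated HOTP-style to eight digits), the manufacturer key, the serial numbers and the placeholder "service" account are all constructed for illustration. It shows the property the text is after: a code leaked from one device is useless on another, and it expires on its own, whereas the static account works everywhere until the firmware is replaced.

```python
"""Device-bound, time-limited service code versus a static hard-coded account.

Added example; the scheme, key and serials are hypothetical.
"""
import datetime
import hashlib
import hmac

# Hypothetical manufacturer secret, constructed for this example. In a real
# design it lives in the manufacturer's service (ideally an HSM) and the code
# is derived there, so the key never ships in firmware.
MANUFACTURER_KEY = b"example-manufacturer-key-not-a-real-secret"


def derive_service_code(serial: str, day: datetime.date,
                        key: bytes = MANUFACTURER_KEY, digits: int = 8) -> str:
    """Return the service code valid for one device on one calendar day.

    HMAC-SHA256 over "<serial>|<YYYY-MM-DD>", truncated HOTP-style to a fixed
    number of decimal digits. Changing the serial or the date changes the code,
    so a code learned from one unit does not open any other unit, and it goes
    stale without a firmware update.
    """
    message = f"{serial}|{day.isoformat()}".encode()
    mac = hmac.new(key, message, hashlib.sha256).digest()
    value = int.from_bytes(mac[:4], "big") % (10 ** digits)
    return f"{value:0{digits}d}"


def verify_service_code(serial: str, code: str, today: datetime.date,
                        skew_days: int = 1) -> bool:
    """Device-side check: accept today's code or one up to skew_days old.

    Constant-time comparison so the check does not leak how many leading
    digits were right. Caveat from the text: the serial must not be readable
    by an unauthenticated remote client, otherwise anyone who also knows the
    algorithm and key can mint codes for the device.
    """
    for delta in range(skew_days + 1):
        day = today - datetime.timedelta(days=delta)
        if hmac.compare_digest(derive_service_code(serial, day), code):
            return True
    return False


def static_backdoor_check(user: str, password: str) -> bool:
    """The anti-pattern: one credential, every unit, forever.

    Placeholder values, not any vendor's real account. Nothing here is bound
    to the device or the date, so once disclosed the only remedy is new firmware.
    """
    return user == "service" and password == "placeholder-not-real"


def leaked_code_scenario(today: datetime.date = datetime.date(2016, 7, 19)) -> dict:
    """Walk through what a leaked code is worth. Serials are constructed."""
    serial_a, serial_b = "EXAMPLE-SN-0001", "EXAMPLE-SN-0002"
    code_a = derive_service_code(serial_a, today)
    one_day = datetime.timedelta(days=1)
    return {
        "code": code_a,
        "same_device_today": verify_service_code(serial_a, code_a, today),
        "same_device_next_day_within_skew": verify_service_code(serial_a, code_a, today + one_day),
        "other_device_today": verify_service_code(serial_b, code_a, today),
        "same_device_two_days_later": verify_service_code(serial_a, code_a, today + 2 * one_day),
        "static_backdoor_any_device": static_backdoor_check("service", "placeholder-not-real"),
    }


if __name__ == "__main__":
    for name, result in leaked_code_scenario().items():
        print(f"{name}: {result}")
```

The derivation is deliberately kept out of the device's reach: the firmware only needs the verification side, and the serial (the one input an attacker must obtain) should be printed on the unit rather than exposed over the network. Daily rotation is the trade-off the commenters below weigh against a physical reset; the skew window exists only for clock drift and should stay at a day or less.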

Pelco *** ***** - ***** **** ***** ******** *****

**** ***** ************* ********* have ****** ********. *********** and ***-***** ****** *** manufacturers ***** *********, ****** accounts, ***** **** ** access ******* **** *** not ********* ** ******** documentation.

Comments (9)

I am torn between having the Hik/Dahua methods of using an algorithm to unlock a device and forcing users to factory restore a device if the credentials are lost.

It has come in handy to have a "password of the day" to service customers' devices that I didn't have credentials for, but the flip side is that anyone else with the same info could potentially do the same.

At least with a factory default, you would certainly know someone had access to your device when your current credentials no longer work.

I agree with your perspective on this. It's nice to be able to reset a device without having to climb a ladder (or get a bucket truck), but there are inherent weaknesses in that approach.

Personally, I like a method that requires direct physical access to the device (a reset button, but not something you need to disassemble the device to get at).

IMO, the reset should wipe ALL data, not just user accounts or static IPs. That way, if someone gets access to the unit but cannot get into it, they are forced to wipe out all identifying information from the unit (this would include wiping an SD card if so equipped).

Technically though what we are talking about here is something separate from the tech support back-door that Pelco had in place. You, as the integrator or customer, are made aware of admin accounts and the standard method(s) of reset/compromise. But in this case there was an admin-level account that was not disclosed to users, and was consistent across all devices. In this scenario, once you knew the details of the account you could access any unit you had network connectivity to.

Just to clarify, the Dahua admin "password of the day" requires local access to the device. It will not work through any app or webpage.

Same for the 888888 and 666666 accounts. Local access only. Just in case anyone was concerned about those.

666666 account can be used for remote viewing, but it's not an admin account anyways.

I have been working with Dahua products for more than 5 years, and have yet to come across a system that allows for remote access using either 888888 or 666666. As far as I know, those have always been local only accounts.

Either way, if you have a Dahua device that is having this issue, my primary concern is to get the issue resolved. Please PM me the model of the device, and I can get you a firmware update that will address this.

I just checked a few locations and some of the early units (2012-2013 era) still work with the 666666 accounts remotely (via PSS and iDMSS). I also checked a more recent install, an HDCVI DVR, and that one did not work remotely.

I guess the reason we never knew of the change is that we now delete the built in 888888 and 666666 accounts upon initial install, for security purposes. That was not possible with the older units. They could not be removed, so we just made as obscure of a password as the units allowed.

Also, there isn't a PM feature here (ahem, John), so you will have to ask John to send me your info. If you are a Dahua employee, I have another, much more important issue at hand.

(ahem, Jon)

Lol, I've honestly never paid attention to that feature. My B.
