Pelco Fixes Hard Coded Credential Vulnerability

By: Brian Karas, Published on Jul 19, 2016

One dirty secret in the industry is that many devices have unpublished manufacturer admin accounts.  While useful to support techs, these accounts can pose huge security risks, and open systems up to abuse.

Pelco recently disclosed that their Digital Sentry product line had a hard-coded secret admin account, which they removed in their latest firmware.

We received information from Pelco about this vulnerability, what other platforms are affected, and provide details in this report.


Comments (9)

I am torn between having the Hik/Dahua methods of using an algorithm to unlock a device and forcing users to factory restore a device if the credentials are lost.

It has come in handy to have a "password of the day" to service customers' devices that I didn't have credentials for, but the flip side is that anyone else with the same info could potentially do the same.

At least with a factory default, you would certainly know someone had access to your device when your current credentials no longer work.

I agree with your perspective on this. It's nice to be able to reset a device without having to climb a ladder (or get a bucket truck), but there are inherent weaknesses in that approach.

Personally, I like a method that requires direct physical access to the device (a reset button, but not something you need to disassemble the device to get at).

IMO, the reset should wipe ALL data, not just user accounts, or static IPs. That way, if someone gets access to the unit, but cannot get into it, they are forced to wipe out all identifying information from the unit (this would include wiping an SD card if so equipped).

Technically though what we are talking about here is something separate from the tech support back-door that Pelco had in place. You, as the integrator or customer, are made aware of admin accounts and the standard method(s) of reset/compromise. But in this case there was an admin-level account that was not disclosed to users, and was consistent across all devices. In this scenario, once you knew the details of the account you could access any unit you had network connectivity to.
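The undisclosed, identical-across-devices admin account this comment describes is the kind of thing a firmware audit can surface before a vendor discloses it. As an added example (not from the article, Pelco, or the commenter), this Python script checks passwd/shadow-style files extracted from hypothetical device images for uid-0 accounts outside the vendor's documented list and for password hashes that are byte-identical across units; the account names, device names and hashes are constructed placeholders.

```python
from collections import defaultdict

# Constructed sample data, not real firmware: passwd/shadow style lines
# from two hypothetical device images. Hash values are placeholders.
PASSWD_LINES = ["root:x:0:0:root:/root:/bin/sh", "admin:x:0:0:admin:/:/bin/sh",
                "svc_support:x:0:0::/:/bin/sh", "nobody:x:65534:65534::/:/bin/false"]
DEVICE_SHADOW = {
    "unit-A": ["root:$6$saltA$hashA:17000:0:99999:7:::",
               "admin:$6$saltB$hashB:17000:0:99999:7:::",
               "svc_support:$6$fixed$hashSAME:17000:0:99999:7:::",
               "nobody:*:17000:0:99999:7:::"],
    "unit-B": ["root:$6$saltC$hashC:17000:0:99999:7:::",
               "admin:$6$saltD$hashD:17000:0:99999:7:::",
               "svc_support:$6$fixed$hashSAME:17000:0:99999:7:::",
               "nobody:*:17000:0:99999:7:::"],
}
DOCUMENTED = {"root", "admin", "nobody"}  # accounts the (hypothetical) vendor documents

def parse_passwd(lines):
    """Map account name -> numeric uid from passwd-format lines."""
    out = {}
    for line in lines:
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            out[fields[0]] = int(fields[2])
    return out

def parse_shadow(lines):
    """Map account name -> hash field, skipping locked/disabled entries (* or !)."""
    out = {}
    for line in lines:
        parts = line.split(":")
        if len(parts) >= 2 and parts[1] and not parts[1].startswith(("*", "!")):
            out[parts[0]] = parts[1]
    return out

def undocumented_admins(passwd_lines, documented=DOCUMENTED):
    """uid-0 accounts the vendor does not document: candidate hidden admin accounts."""
    return sorted(n for n, uid in parse_passwd(passwd_lines).items()
                  if uid == 0 and n not in documented)

def shared_credentials(shadow_by_device):
    """Accounts whose usable hash is identical across images: one fixed
    credential shipped to every unit, not a per-device secret."""
    seen = defaultdict(list)
    for device, lines in shadow_by_device.items():
        for name, hashed in parse_shadow(lines).items():
            seen[(name, hashed)].append(device)
    return {name: sorted(devs) for (name, _), devs in seen.items() if len(devs) > 1}
```

On the sample data, `undocumented_admins(PASSWD_LINES)` flags `svc_support`, and `shared_credentials(DEVICE_SHADOW)` reports that its hash is the same on both units while `root` and `admin` differ per device.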

Just to clarify, the Dahua admin "password of the day" requires local access to the device. It will not work through any app or webpage.

Same for the 888888 and 666666 accounts. Local access only. Just in case anyone was concerned about those.

666666 account can be used for remote viewing, but it's not an admin account anyways.

I have been working with Dahua products for more than 5 years, and have yet to come across a system that allows for remote access using either 888888 or 666666. As far as I know, those have always been local only accounts.

Either way, if you have a Dahua device that is having this issue, my primary concern is to get the issue resolved. Please PM me the model of the device, and I can get you a firmware update that will address this.

I just checked a few locations and some of the early units (2012-2013 era) still work with the 666666 accounts remotely (via PSS and iDMSS). I also checked a more recent install, an HDCVI DVR, and that one did not work remotely.

I guess the reason we never knew of the change is that we now delete the built-in 888888 and 666666 accounts upon initial install, for security purposes. That was not possible with the older units. They could not be removed, so we just made as obscure of a password as the units allowed.

Also, there isn't a PM feature here (ahem, John), so you will have to ask John to send me your info. If you are a Dahua employee, I have another, much more important issue at hand.

(ahem, Jon)

Lol, I've honestly never paid attention to that feature. My B.
