Pelco Fixes Hard Coded Credential Vulnerability

Author: Brian Karas, Published on Jul 19, 2016

One dirty secret in the industry is that many devices have unpublished manufacturer admin accounts. While useful to support techs, these accounts can pose huge security risks and open systems up to abuse.

Pelco recently disclosed that their Digital Sentry product line had a hard-coded secret admin account, which they removed in their latest firmware.

We received information from Pelco about this vulnerability and about which other platforms are affected, and provide the details in this report.
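The problem the report describes, a support account compiled into firmware that the owner can neither see nor remove, is easiest to recognise next to its fix. The following is an added example written for this page, not Pelco's code or anything from the Digital Sentry firmware; the account names, the placeholder support password and the `AccountStore` class are all constructed for illustration. It shows the anti-pattern (a hidden admin fallback that bypasses the account table), the hardened login path (the account table is the only source of truth), and a defender's check that exposes the difference: after every owner-visible account is deleted, does any login still succeed?

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional


def _hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256: salted and slow, so a leaked table is not directly reusable."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class Account:
    name: str
    salt: bytes
    digest: bytes
    role: str


@dataclass
class AccountStore:
    """The owner-managed account table: everything here can be listed, rotated or deleted."""
    accounts: Dict[str, Account] = field(default_factory=dict)

    def add(self, name: str, password: str, role: str) -> None:
        salt = os.urandom(16)
        self.accounts[name] = Account(name, salt, _hash_password(password, salt), role)

    def remove(self, name: str) -> None:
        self.accounts.pop(name, None)

    def verify(self, name: str, password: str) -> Optional[str]:
        """Return the account's role on success, None otherwise."""
        acct = self.accounts.get(name)
        if acct is None:
            return None
        if hmac.compare_digest(acct.digest, _hash_password(password, acct.salt)):
            return acct.role
        return None


# Constructed placeholder values (not a real credential). They stand in for an
# undisclosed support account baked into firmware and identical on every unit.
SUPPORT_USER = "svc_support"
SUPPORT_PASSWORD = "PLACEHOLDER-not-a-real-credential"


def login_vulnerable(store: AccountStore, name: str, password: str) -> Optional[str]:
    """The anti-pattern: a hidden admin fallback that bypasses the account table.

    It never appears in any account listing, so the owner cannot see, rotate or
    delete it, and the same pair works on every unit running this build.
    """
    if name == SUPPORT_USER and password == SUPPORT_PASSWORD:
        return "admin"
    return store.verify(name, password)


def login_hardened(store: AccountStore, name: str, password: str) -> Optional[str]:
    """The fix: authentication consults only the owner-managed account table.

    Support access, where needed, is an ordinary per-unit account the owner
    provisions and can remove, not a constant compiled into the image.
    """
    return store.verify(name, password)


LoginFn = Callable[[AccountStore, str, str], Optional[str]]


def backdoor_survives_account_wipe(login: LoginFn) -> bool:
    """Defender check: with every owner-visible account deleted, can anyone still log in?

    A login path that still grants access against an empty account table is
    relying on credentials the owner does not control.
    """
    store = AccountStore()
    store.add("admin", "owner-chosen-password", "admin")        # constructed sample account
    store.add(SUPPORT_USER, "owner-chosen-support-pw", "support")  # owner-provisioned support user
    for name in list(store.accounts):
        store.remove(name)
    return login(store, SUPPORT_USER, SUPPORT_PASSWORD) is not None


if __name__ == "__main__":
    print("vulnerable build accepts support login after wipe:",
          backdoor_survives_account_wipe(login_vulnerable))   # True
    print("hardened build accepts support login after wipe:",
          backdoor_survives_account_wipe(login_hardened))     # False
```

The wipe check is the same test an integrator can run against a real unit without any knowledge of firmware internals: factory-reset or delete every account, then confirm that nothing still authenticates. It also shows why auditing the account table alone is not enough; the vulnerable path never writes its credential there.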

[Member-only body of the report; the text is redacted in this copy. Section headings visible in the redacted fragment: "Vulnerability …", "Pelco's …", "Hard …", "Impossible …", "Can …", "Practical Alternatives …", "Pelco … - …".]

Comments (9)

I am torn between having the Hik/Dahua methods of using an algorithm to unlock a device and forcing users to factory restore a device if the credentials are lost.

It has come in handy to have a "password of the day" to service customers' devices that I didn't have credentials for, but the flip side is that anyone else with the same info could potentially do the same.

At least with a factory default, you would certainly know someone had access to your device when your current credentials no longer work.

I agree with your perspective on this. It's nice to be able to reset a device without having to climb a ladder (or get a bucket truck), but there are inherent weaknesses in that approach.

Personally, I like a method that requires direct physical access to the device (a reset button, but not something you need to disassemble the device to get at).

IMO, the reset should wipe ALL data, not just user accounts or static IPs. That way, if someone gets access to the unit but cannot get into it, they are forced to wipe out all identifying information from the unit (this would include wiping an SD card if so equipped).

Technically though what we are talking about here is something separate from the tech support back-door that Pelco had in place. You, as the integrator or customer, are made aware of admin accounts and the standard method(s) of reset/compromise. But in this case there was an admin-level account that was not disclosed to users, and was consistent across all devices. In this scenario, once you knew the details of the account you could access any unit you had network connectivity to.

Just to clarify, the Dahua admin "password of the day" requires local access to the device. It will not work through any app or webpage.

Same for the 888888 and 666666 accounts. Local access only. Just in case anyone was concerned about those.

666666 account can be used for remote viewing, but it's not an admin account anyways.

I have been working with Dahua products for more than 5 years, and have yet to come across a system that allows for remote access using either 888888 or 666666. As far as I know, those have always been local only accounts.

Either way, if you have a Dahua device that is having this issue, my primary concern is to get the issue resolved. Please PM me the model of the device, and I can get you a firmware update that will address this.

I just checked a few locations and some of the early units (2012-2013 era) still work with the 666666 accounts remotely (via PSS and iDMSS). I also checked a more recent install, an HDCVI DVR, and that one did not work remotely.

I guess the reason we never knew of the change is that we now delete the built in 888888 and 666666 accounts upon initial install, for security purposes. That was not possible with the older units. They could not be removed, so we just made as obscure of a password as the units allowed.

Also, there isn't a PM feature here (ahem, John), so you will have to ask John to send me your info. If you are a Dahua employee, I have another, much more important issue at hand.

(ahem, Jon)

Lol, I've honestly never paid attention to that feature. My B.
