Pelco Fixes Hard Coded Credential Vulnerability

Author: Brian Karas, Published on Jul 19, 2016

One dirty secret in the industry is that many devices have unpublished manufacturer admin accounts. While useful to support techs, these accounts can pose huge security risks and open systems up to abuse.

Pelco recently disclosed that their Digital Sentry product line had a hard-coded secret admin account, which they removed in their latest firmware.

We received information from Pelco about this vulnerability and which other platforms are affected, and provide details in this report.


Login to read this IPVM report.

