Uniview Weak Local / Strong Remote Password Policy Tested

Author: Ethan Ace, Published on Mar 14, 2017

With the continuing onslaught of cyber-security breaches (see Dahua backdoor recently discovered, Hikvision defaulted devices getting hacked) making devices accessible via the public Internet is risky, especially when many users fail to change default passwords or use weak passwords.

However, many users and integrators prefer to leave default passwords to simplify local setup, troubleshooting and access.

Uniview has added a feature that aims to have it both ways by blocking remote access for weak passwords. In this report, we look at this feature and analyze how well it works and what its impact could be.

**** *** ********** ********* ** *****-******** ******** (******** ******** ******** **********,********* ********* ******* ******* ******) ****** ******* ********** *** *** ****** ******** ** *****, especially **** **** ***** **** ** ****** ******* ********* ** use **** *********.

*******, **** ***** *** *********** ****** ** ***** ******* ********* to ******** ***** *****, *************** *** ******.

******* *** ***** * ******* **** **** ** **** ** both **** ** ******** ****** ****** *** **** *********. ** this ******, ** **** ** **** ******* *** ******* *** well ** ***** *** **** *** ****** ***** **.

[***************]

Summary ****

** **** ****, *** ******* **** **********; **** ********* *** be **** **** *** ***, *** ****** ********* *** ******** when ******** ********* **** *** ***.

Device ************

**** ******* ** ******** ** *** ************** ** **************.

Required / ****** ** ********

**** **** ** ** ******* ** *******, **** ** *** to ******* **. ***** ****** **** *** ****** ********* ** remote ****** ** *******.

Blocked: ****** ****** **** **** *********

**** ********** ** *** ** ** * ******* ****** **** outside *** ***** ******* ***** * ******* ** **** ******** (see ***** *****), ***** ******* **** *******:

*** **** ** **** ******* *** *** *** *********, ****** application, ** ****** (*****).

Login **** ****** ******** **

*******, **** ******* ** **** * **** **** ****** ***********, the *** *** ********* ***** ** ******, ***** **** **** live ***** ********* **** *** ***. *** ******** ** **** case *** * ********** ****, **** ***** *** ***** **** letters, *******, *** ******* **********.

Password *****

** *******'* *****, * "******" ******** ******** ** ***** * characters, **** ***** ** *** *********: ********* *******, ********* *******, numbers, *** ******* **********. ********* *** ** *******, ** **** blank, *** ****** ****** **** ** ******** ***** **** ******* if **.

Vote / ****

Test *****

*** ******* *** *** ***** ** * ****** ******** **** port ********** ********** *** ****** ******. ** ****** ************ **** our ****** *** *** ***** ****** ******** **** **** *** web ********* ** **** ** ******.

********:

  • ******-***-**: ********

Comments (3)

**** ***'* *** *** *** *** * **** ****** ****** passwords **********. *** * ****** ******* * ********* **** ***** as ****.

** *********** **** *** * ****** ****** ******** **********, *** we **** ** **** ** **** *** ***** **** **** final *****, ** **** ******** ***** ***** ****** *** **** of **** ** *** *** ***** ***** ******.

**,** ******* ******, *** *** ***?

Login to read this IPVM report.
Why do I need to log in?
IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

Related Reports on Hacking

Broken Hikvision App Exposes Hypocrisy on Dec 06, 2017
While Hikvision talks about a commitment to cybersecurity, their broken app and their insecure 'solution' exposes not only their engineering...
Hikvision UPnP Hacking Risk on Dec 04, 2017
Hikvision IP cameras are being hacked even for end users who had not set up port forwarding and believed their cameras were 'safe' behind...
Dahua Forbes 'Next Web Crisis' Vulnerability Dispute on Nov 16, 2017
The buffer overflow vulnerability in Dahua products is not in dispute, in fact we covered it when it was first published. What is in dispute is...
Vivotek Remote Stack Overflow Vulnerability on Nov 14, 2017
A stack overflow vulnerability in Vivotek cameras has been discovered by bashis, the security researcher who has also found vulnerabilities in...
WSJ Investigates Hikvision on Nov 13, 2017
The Wall Street Journal (WSJ) has released a detailed investigation into Hikvision's government ownership and cybersecurity problems, hitting the...
Hikvision Admits Backdoor 'PR Issue' on Oct 24, 2017
Hikvision is admitting a problem. The backdoor itself is evidently not the problem for them. The problem, according to Hikvision, is a public...
Uniview Recorder Backdoor Examined on Oct 20, 2017
A Chinese research group has identified a vulnerability in Uniview recorders that allows backdoor access in a method similar to the Dahua...
Dahua Trying, Struggling To Respond To Hacking Attacks on Oct 04, 2017
Now, 2 weeks since large-scale hacking attacks commenced against Dahua vulnerable devices, we analyze Dahua's response. On the positive side,...
Hikvision USA Misleads Dealers On Backdoor on Oct 03, 2017
Hikvision USA emailed their dealers overnight with their 5th cyber security 'special bulletin' of the year. Misleading Unfortunately, they...
FLIR Thermal Camera Multiple Vulnerabilities, Patch Released on Oct 03, 2017
Multiple cyber security vulnerabilities exist in FLIR thermal cameras, which have not been fixed, despite being reported months ago. In this note,...

Most Recent Industry Reports

Imperial Capital Security Investor Conference Review on Dec 08, 2017
Investment bank Imperial Capital holds an annual Security Investor Conference where 60+ companies present, including this year: IPVM bought a...
Integrator GPS Vehicle Tracking Statistics and Success Examined on Dec 08, 2017
GPS vehicle tracking is a growing but somewhat controversial topic. On the plus side, tracking may increases productivity by providing greater...
Hikvision NA Biggest Sale of 2017 on Dec 07, 2017
Hikvision North America has been relatively disciplined the past 5 months, reducing the number of sales and the breadth of what is on sale. No...
Security Integrator IT Expertise Statistics on Dec 07, 2017
20 years ago, putting physical security systems on IP networks was just emerging. Today, almost every system is networked in some way, IP cameras...
Lighthouse Deep Learning Camera Tested on Dec 07, 2017
A Silicon Valley startup, Lighthouse, with a Stanford PhD CTO, has released a deep learning AI camera with 3D sensors for just $300. The company...
Access Control Course Winter 2018 on Dec 07, 2017
Learn more below about the Winter 2018 IPVM Access Control Course. Register here. IPVM offers the most comprehensive access control course in...
Broken Hikvision App Exposes Hypocrisy on Dec 06, 2017
While Hikvision talks about a commitment to cybersecurity, their broken app and their insecure 'solution' exposes not only their engineering...
'Catastrophic Problem' For Videofied App on Dec 06, 2017
Less than 2 months after closing their DIY division DragonFly, Videofied has been hit with a problem the company calls 'catastrophic'. Now the...
ASIS Dumps 'ASIS' For Show on Dec 06, 2017
After 60+ years, ASIS is dumping its eponymous show name and replacing it with 'GSX'. This is a classic marketing mistake. For a show struggling...
Risks Of Managing End User Passwords (Statistics) on Dec 05, 2017
Integrators know admin passwords for nearly all end-user systems, according to IPVM statistics. But how do they manage them? How do they ensure...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact