Slashdot Mirror

← Back to Stories (view on slashdot.org)

Most CCTV Systems Come With Trivial Exploits

Posted by timothy on from the peek-a-boo dept.

An anonymous reader writes "The use of CCTV cameras for physical surveillance of all kinds of environments has become so pervasive that most of us don't give the devices a second thought anymore. But, those individuals and organizations who actually use and control them should be aware that most of them come with default settings that make them vulnerable to outside attacks. According to Gotham Digital Science researcher Justin Cacak, standalone CCTV video surveillance systems by MicroDigital, HIVISION, CTRing, and many other rebranded devices are not only shipped with remote access enabled by default, but also with preconfigured default accounts and passwords that are banal and easy to guess."

59 of 89 comments (clear)

  1. Are we surprised? by lorenlal · · Score: 1

    I mean, really? I guess when the designers think of Closed Circuit TV, they're thinking that extends to the management network too eh?

    1. Re:Are we surprised? by fuzzyfuzzyfungus · · Score: 4, Insightful

      I suspect that there are (at least) two distinct schools of utter fail:

      The professionals, with a legacy in CCTV-as-in-actual-closed-circuit-running-on-private-coax, probably have an attitude much as you describe. The classic CCTV systems were dumb as bricks(not that their designers necessarily were, making largely analog, reasonably high bandwidth systems actually work in practice isn't trivial); but that lack of sophistication served as a strong defense against anybody without a physical tap shoved right into the coax. You just don't develop a very strong culture of caring about remote exploits if your engineering history is almost entirely concerned with systems that are incapable of remote anything, whether you like it or not.

      Then you have the upstarts(either new companies, or rebadged ODM crap sold by existing ones), who design CCTV systems on the premise that a CCTV camera is basically just an embedded linux board with a camera interface, and a record/playback system is basically just an x86 with some sort of h264 hardware and a lousy frontend. These assumptions are not false, and advances in silicon sensors and cheap embedded computers definitely mean that the price is right; but the standards of security excellence in low-cost embedded gear are absolutely fucking dire... These guys should know better, since their designs are 100% post-ubiquitous-networking in concept; but they just don't get paid enough, or enjoy long enough development cycles, to give a damn.

    2. Re:Are we surprised? by adolf · · Score: 1

      Interesting perspective.

      I guess that's why I've been installing IP cameras on physically separate networks for all these years.

      --
      Kid-proof tablet..
  2. so? by gandhi_2 · · Score: 4, Interesting

    preconfigured default accounts and passwords

    Really? This is supposed to be an issue?

    Most of the default user/pass settings are publicly available on manufacturers websites, documentation pamphlets, and 3rd party sites just for that purpose.

    Buffer overflow or sql injection? Ok...
    Default passwords are weak? So what?

    --
    THL phish sticks
    1. Re:so? by lorenlal · · Score: 3, Insightful

      I wish I didn't knee-jerk my reply... Your point is exactly what I'm thinking.

      Umm... Yea. I heard that corporate routers and switches come with really weak default protection! Your server will let anyone fire it up and login out of the box!

      The horrors... This story is a non-story. If you go buy hardware for some purpose, make sure you configure it. If the story said most CCTV configurations have backdoors, or are easily exploitable even after prescribed lockdown, then we'd have something to work with.

    2. Re:so? by Anonymous Coward · · Score: 5, Interesting

      Actually, it's kind of sad that it's had to come to this, but most corporate routers and switches no longer have weak default protection. For example, new Cisco switches and routers now ship with a one time use password, so you have to create an account on them when configuring, or you'll never be able to log in again. This really shouldn't be necessary, but we live in a world where there are a lot of people implementing security who don't understand it. Even home routers now often force you to create your own password during setup and disable remote access by default. You could make a pretty convincing argument that the CCTV industry has fallen pretty far behind the times.

      Minor side point, but there's a jewelry store below my apartment that uses wireless CCTV cameras... on a WEP protected network... with no logon required to view the stream. I feel bad when I do it, but it's hard not to look.

    3. Re:so? by EvilBudMan · · Score: 2

      On problem is all of those X10 cameras installed back in the day in God only knows where that have been long forgotten about. There is no security at all with some devices like this placed in illegal places like motel bathrooms and such.

      But the corporate stuff at let's say Walmart, wouldn't have that problem if someone did access the data. What would they see exactly that is of any importance? I would be much more worried about identity theft through servers that have your life history on it like possibly Facebook's.

      Security CCTV my not be run by the IT guy though and may be left to the security people, I dunno? Maybe someone could explain exactly what type of scenario could happen where this would be an actual problem as mentioned in the article?

    4. Re:so? by peragrin · · Score: 2

      It isn't that they come configured that way it are never changed.

      You can literally google model numbers and pull up camera feeds.

      How much harder will it be to disable the cameras while you rob a place?

      --
      i thought once I was found, but it was only a dream.
    5. Re:so? by cusco · · Score: 4, Interesting

      I do this for a living, and have been screaming about this to anyone who would listen ever since I got into the physical security field six years ago. I've convinced my company that ALL default passwords on ALL security devices have to be changed if at all possible (on some, like Trango wireless relays, they cant be changed). We are the only company in the Pacific Northwest that does this consistently. I know this for a fact, since I often have to work on systems installed by our competitors.

      This is not only an issue on cameras, either. Access control systems, intrusion systems, fire systems, and building control systems all have the same issue. You asked for an example, and here's one that I used to convince our installers that we absolutely HAD to start paying attention to this.

      Hospital X has a state-of-the-art security system installed, but default passwords on everything, running on the corporate backbone. Joe Psycho wants to steal his newborn baby from the maternity ward where his ex has just given birth. He can plug into an unattended network port, maybe in a conference room, exam room, or an unoccupied office somewhere on that floor, do a port scan and find everything running on Port 80, scan the ports that the two main infant abduction systems use, and any of the various ports that the major access control systems run on. He has now found every security camera on that subnet, the controller for the access control system, the PLC for the infant abduction system's annunciator, and the communication devices for that system's RFID monitors.

      First he logs into the PLC and disables it. Next he can log into the IAS's comm devices and simply change their IP address and it drops offline. Unless the nursing staff just happens to be looking at that screen at that moment they won't know that everything is offline since the annunciator won't raise an alarm. Now to the access control system's ISC, changing the administrator password and the IP address, but not hitting Accept yet. Opening a tab in his browser he can access all of the cameras for that area, again changing the root/admin password and IP address. In a quick cascade of clicking OK he will take every camera and the access control system offline, and leave it in a state where each device has to be physically touched to reset back to the factory defaults. The guard staff will assume that this is probably a network issue, since it's a whole bunch of devices in the same area, and call IT, and by the time they figure out it's an actual attack the baby's in the next county.

      Scary enough?

      --
      "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
    6. Re:so? by cusco · · Score: 1

      Horsepuckey. This wouldn't work at our customers (at least not any more), but it certainly would at scores if not hundreds of hospitals around the country. There are only a limited number of players in the security game and many of the components are common to multiple systems (such as Lantronix IP/serial converters), so the knowledge necessary is not an insurmountable hurdle. That knowledge by the way is held by every one of the tens of thousands of guys who have worked installing these systems. I didn't even bother to go into what can be done by someone with actual in-depth knowledge of any of the products, because the threat of one guy with a netbook and a port scanner should have been obvious enough. The security industry's greatest strength is that most people are honest, and the ones who aren't tend to be stupid.

      Nurses aren't security guards, and shouldn't be expected to serve as such. They're overworked as it is, and don't have time to examine the credentials of everyone on the floor. Even if they did the nurse who will stand up to someone armed with a knife or other weapon is very rare, in fact they're trained not to. If the system has been disabled there is nothing to stop the attacker from walking out with a kid under each arm, except perhaps other patients and their families.

      --
      "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
    7. Re:so? by tibit · · Score: 3

      You are under a mistaken assumption that people who know their shit don't go apeshit. Reiser, anyone? So there you go. There's no security through obscurity in those systems. Nurses in the ward? Ha ha. If you look like you belong, you can do anything you please. Good old social engineering. Yeah, I know, nerds usually aren't born with it, but don't count on them never learning. Not if your kid's safety depends on it, yaknow.

      --
      A successful API design takes a mixture of software design and pedagogy.
    8. Re:so? by tibit · · Score: 1

      Oh Lantronix, with firmware so fragile it seems like they had to sprinkle fairy dust on the flash chips just to make it not crumble under its own weight. Agreed.

      --
      A successful API design takes a mixture of software design and pedagogy.
    9. Re:so? by EvilBudMan · · Score: 1

      Yep, that gives me some other scenarios, since of course they are not going to keep the corporate backbone separate from the cameras, so that convinces me too. I personally would want to keep that separate at least for a small business. In other words don't give all the power to one person as well as setting the passwords and of course even in a tiny business the boss is going to want to watch everything from the internet even if you have dvr's recording every single thing.

      I guess most cameras are for theft prevention but OK it could be theft of more than what you might think like an employees user password while someone has hacked into the camera watching them. So whether connected or not, this could be serious.

    10. Re:so? by EvilBudMan · · Score: 1

      Yes, and as I said before older security systems with a 4 digit pin code without authentication is still in wide use. Simple as heck for anyone to break. Also, cameras with now way to lock them down are everywhere.

      Hospitals with all of the ER visits without insurance are strained too with much less security than let's say a WalMart which is wired up like a Vegas casino.

    11. Re:so? by cusco · · Score: 2

      Prevention? No, security video is for forensics. When a simple grocery store might have 20-50 cameras no human being is going to be able to watch any appreciable percentage of them. I forget the exact numbers, but a single human being can actually pay attention to something like 12 cameras for 15 minutes before their brain turns to mush and they need a 5 minute break. Even in a grocery store the security video is more for insurance purposes than anything else, catching the slip/fall con artists, the workers comp scammers, and the like.

      --
      "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
    12. Re:so? by cusco · · Score: 1

      Oh, and no, it's not normally a seperate network unless it's a really large installation. At best the cameras might be on their own VLAN, but that's to segregate the traffic rather than as a security measure. It's too damn expensive to pull CAT6/fiber and install and configure a switch just for the three cameras that you might have in one area. Even when it is a seperate network the switches are almost never configured securely, with every open port unlocked and available for anyone to plug into and sniff.

      --
      "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
    13. Re:so? by berlinerkindl · · Score: 1

      While I agree changing the passwords is the first step in deployment, but (as to your example) why would you install your security devices on the same network as the rest of the building? A little network isolation goes a long way, restrict access to that network to your security personnel. Running an entire hospital on a flat network topology would seem to me to be fairly retarded on the part of whoever is engineering your deployments.

    14. Re:so? by 19thNervousBreakdown · · Score: 1

      No, it's not. I've made the exact same case--an exploit that is trivially discoverable is a big exploit.

      I'm not saying people who aren't network administrator-turned developer or security guys would do it this way, but I am one, and there's a bunch of us out there. If I wanted to steal a baby, or do anything illegal in a place with computers, plugging into a network jack and running nmap would be the first thing I'd do. Run the scan with paranoid timings, fingerprint every service, pipe the software name + version number through google along with things like "exploit", "default password", "root", "escalation", etc. (5 minutes with sed + wget/curl), and unless your place has exceptional security or very few computers, I'm in. I have yet to see the network running without vulnerabilities, and I've seen what security audit companies miss (they miss practically everything).

      Since people think security by obscurity is okay, they justify not fixing these problems. Since nobody fixes these problems, you can be nearly certain they'll exist in whatever you're trying to attack. The very ease of the attack guarantees that anyone in the know will go for it first. Unless there was an even easier way, I'd probably follow the exact path the GP posted.

      --
      <xml><I><am><so><damn>Web 2.0</damn></so></am></I></xml>
    15. Re:so? by 19thNervousBreakdown · · Score: 1

      The thing people seem to forget about security by obscurity is that we have computers.

      --
      <xml><I><am><so><damn>Web 2.0</damn></so></am></I></xml>
    16. Re:so? by EvilBudMan · · Score: 1

      What is wrong with just using wireless instead of dragging more cable? Of course you are talking to a small business person. I'm just wondering why an N-based wireless system couldn't be just as secure in a small place if configured properly or is this not yet possible? If jamming is an issue, I think there are products out there but I am not sure? I know the old ones are still around and not secure at all but it seems like they could be.

      http://www.cisco.com/en/US/products/ps9948/index.html

      Just a dumb question I guess.

    17. Re:so? by DarwinSurvivor · · Score: 1

      Just hit the first one in the lense with a paintball gun (or slingshot for the hardcore guys), then take a 10-pack of AA's in series and hook that to the ethernet port connected to the back, that ought to take care of the rest of them (or at the VERY least the switch they all connect to.

    18. Re:so? by DarwinSurvivor · · Score: 1

      I've honestly never heard of that, do you have a link of some kind I could use to research this further?

  3. Also in the news by Chrisq · · Score: 3, Insightful

    Most routers/web tv boxes/digital photo frames/wifi dildos come with trivial exploits. People sell things configured to work "out of the box", allowing you to configure them securely if needed. If they didn't they would get a lot of returns and support calls from people who didn't read the manual.

    1. Re:Also in the news by RawsonDR · · Score: 2, Insightful

      Most routers/web tv boxes/digital photo frames/wifi dildos come with trivial exploits. People sell things configured to work "out of the box"

      Not Wifi dildos...

  4. What does CC mean? by Infiniti2000 · · Score: 4, Insightful

    Are they taking the CC out of CCTV? What am I not understanding about this term? I guess it may have evolved to not be closed circuit any more, but then it should be called something else. Regardless, a "default" with gaping vulnerabilities should not surprise anyone.

    1. Re:What does CC mean? by Anonymous Coward · · Score: 4, Interesting

      CCTV, like the rest of the electronic security biz, is going IP based in a big way now. Keep in mind most people involved with security are, pardon the expression, "hairy arsed" blue collar electrician types. They can do physical wiring ok, but do not have the aptitude for "IT" stuff, which they are positively phobic to.

      As you can imagine, they can't even do the basics. Most of that stuff ends up on unfirewalled networks with the default passwords. They see it as 'if it works leave it alone', don't touch anything which might break it. If you're lucky it's a separate security network from the rest of the company, but not always.

      I used to work for a company that made a particular PC-based security product (hence posting AC) and for pretty much every system we sold nobody bothered to change the default p/w. Our product was multi user, but they would only use the one default account (with the default p/w) which had engineer access rights for reconfiguring the entire system. The people who bought and installed our system just let the operators (who have no business changing settings) use that account.

      Security is moving towards being more of an IT field now, but I wouldn't advise that the /. crowd look for a job there. They won't pay you an IT salary and the people you have to work with will drive you mad (ok, that last bit is true of IT in general!), which is why I no longer work there.

    2. Re:What does CC mean? by cusco · · Score: 2

      I came to the physical security field after ten years of server/desktop administration, and can completely confirm what the AC just posted. Our company makes a point of changing default logins for all devices, **IF** we can get the customer to agree. It's distressing to see how many of them will take that password and changed it BACK to the factory default.

      Out of all the IP camera manufacturers only Axis seems to get the idea that a security camera should be at least minimally secure. They are the only ones that will force an installer to change the password at first login (although they do allow the "new" password to be the same as the original). Many of the other manufacturers only allow one user account (root or admin), some don't allow you to change the password on that account, and a couple don't even have passwords at all. More than one only allow a maximum 8 character lower case alpha-only password. There is one supposed IP "security" camera system that has one user, admin, and no password for the cameras, the recorder and the configuration tool. Amusingly enough they claim to be an "ENTERPRISE" system, and a national accounting firm has that atrocity installed in all their offices.

      I'm pleased that my employer is the only one in the region that seems to actually understand that the days of the "hairy arsed" blue collar electrician types" is over. It means though that we can't compete on price with the likes of Convergint or Niscaya, but that's OK with me since it seems to attract a better quality of customer.

      --
      "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
  5. This again? by Dunbal · · Score: 2

    Did someone else just learn how to google for CCTV feeds? Best one I ever found was at a dog shelter or animal hospital. Cute little doggies 24/7, and none of the smell. Of course I have more fun with my own dog, but it was a good find.

    --
    Seven puppies were harmed during the making of this post.
    1. Re:This again? by metalgamer84 · · Score: 3, Informative

      Just wait till someone stumbles onto the many webpages hosting hundreds of Trendnet CCTV IP addresses.

      http://pastebin.com/sSs79RTd

      Hey look at that, I even made it easy for you...

    2. Re:This again? by YouWantFriesWithThat · · Score: 2

      i once found a harbor in some asian city, wooden fishing skiffs intermingled with heavy cargo ships. they were using an off-the-shelf camera to monitor traffic from a bridge, no passwords, and pan/tilt/zoom were enabled. i moved the camera over to watch people on the bridge, and the actual operator kept moving it back. he/she must have thought the thing was possessed.

    3. Re:This again? by Baloroth · · Score: 3, Insightful

      Or he knew what was going on because it happened all the time and didn't give a shit because he wasn't paid to care (quite likely).

      --
      "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
    4. Re:This again? by imcdona · · Score: 1

      There is always public webcam sites where a simple right click copy image source will glean countless unprotected camera's.

    5. Re:This again? by lomedhi · · Score: 1

      I disagree. It makes a good point. Your comment, however....

      --
      Did you say "insightful" or "inciteful"?
    6. Re:This again? by imcdona · · Score: 1

      There is always opentopia.com where a simple right click, view source on the camera image will glean many unprotected webcams.

  6. Only a problem to dumb IT. by Lumpy · · Score: 3, Informative

    If your Security CCTV system is on the net or has the ports open to the net, then your IT guy is a moron and needs to be fired.

    VPN in then connect to the Security cameras.. Yes it even works with the iPhone apps for the CCTV systems. Anything else is just proof of incompetence.

    --
    Do not look at laser with remaining good eye.
    1. Re:Only a problem to dumb IT. by drinkypoo · · Score: 2

      Closing the doors to the world because you are using an inferior product or because your IT people is retarded is not a solution.

      It is a fact that disabling front-facing ports reduces attack surface. You ain't perfect, you could make a mistake. Clearly you knew what you were saying was nonsense, because you left your comment anonymously. I'd be afraid to have my name associated with that statement too, if I ever exercised any restraint on slashdot beyond not breaching NDAs.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:Only a problem to dumb IT. by Lumpy · · Score: 2

      And a free software package, Zoneminder, is still 800% better than any product your company makes. Why? Because I can base it on a secure BSD or linux distro that will get updates for security holes on a regular basis. Your product, being china made will never have security releases to fix holes in the underlying Linux OS.

      I have seen and dealt with the junk companies like yours make, Running incredibly old kernels and TCP stacks that have known exploits. The tip off that a CCTV recorder is junk? IT requires Active X to view the web view. That means its based on the old china OS image that has been floating around for well over 6 years now that is so full of holes it's not funny.

      --
      Do not look at laser with remaining good eye.
  7. Re:Banal? by kermidge · · Score: 3, Interesting

    banal - with a small "b": lacking originality, freshness, or novelty

    Using most generic search engines with "define:banal" with or without the colon shoulda pulled that up for you. I think I last used it in conversation a year or two ago. If you like banal, you should check out "jejune."

  8. Of course they do by queequeg1 · · Score: 1

    How else could the IMF team snap a little doodad on the cable and magically get a high-def feed to the most sensitive parts of every building? Duh.

  9. Re:Banal? by arth1 · · Score: 1, Offtopic

    Out of curiosity, where are you? "Banal" is a common enough word in English.
    I would also recommend that you look up words in Wiktionary instead of Wikipedia. Not even a small fraction of English words warrant a Wikipedia article, and if you limit your vocabulary to those words, it will be arrant uneath to converse you.

  10. a lot of security installers are not IT techs by Joe_Dragon · · Score: 1

    a lot of security installers are not IT techs
    http://thedailywtf.com/Comments/Just-One-Port.aspx

  11. Re:Er by NatasRevol · · Score: 1

    They're not new...

    --
    There are two types of people in the world: Those who crave closure
  12. Re:Banal? by alphax45 · · Score: 1

    Out of curiosity, where are you?

    I work in Toronto, live in the town of Ajax just east of there.

    --
    K Man
  13. Just "Exploited" It Last Night by clam666 · · Score: 5, Interesting

    I noticed this just last night.

    I live in one of those large, over-priced "planned communities" with the town centre, the gym/tennis courts/water park area, etc. They offer free, open WiFi for people in the gym area, so I was checking some mail and decided to do a little network port scanning and saw a couple dozen systems, printers, routers and such on the network, which I thought was odd, as usually those kind of things aren't on the same network as all the free WiFi junk.

    I'm just idly curious as to what is around, and came across some unusually named servers (ie: default out of the box) and was just connected via web and it brought up the entire security camera console.

    Now there was no "exploiting" going on at all. I just connected to a publically accessible (and offerred) free WiFi point, and browsed a computer name using HTTP, and there I was looking at 4 streaming cameras through a web console, at the gym. Another server (just sitting on the network as well) had all the external cameras for the doors and walkways.

    Now this wasn't just a monitoring console, but the full record/stop recording, pan, zoom, admin console. Sitting out completely available, for anyone to just ping and do whatever they wanted.

    I've honestly never seen anything like it. There wasn't even a password or any security. Not even a "you shouldn't be here" pop up or anything.

    Has anyone ever seen a situation like this? Where a security console wasn't at least locked down to a particular MAC address for monitoring or IP restricted or, God forbid, not on the same network as your customers to randomly browse to?

    --
    I'm a satanic clam.
    1. Re:Just "Exploited" It Last Night by cusco · · Score: 1

      I may well be able to guess what the manufacturer's name is, we were forced to install one of those abortions at a customer site. We complained every step of the way, but they said that this was their nationwide corporate standard. It's very likely that the property managment company your community uses installs the exact same system the exact same way at every site they manage. Property management companies tend to be really cheap (the majority, not all of course). They probably have some underpaid kid just out of school running around plugging this stuff in according to directions scrawled on a piece of notebook paper left behind by the last underpaid kid who held the job.

      --
      "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
  14. Re:Banal? by bmo · · Score: 1

    >Who uses this word?

    Plenty of people.

    Look out for the anthropophage behind you.

    --
    BMO

  15. Re:Er by camperdave · · Score: 1

    They're not new...

    These days they're not even closed circuit.

    --
    When our name is on the back of your car, we're behind you all the way!
  16. Re:After all those years by bmo · · Score: 1

    After years of Not believing movies where the CCTV was so easily manipulated, you are telling me I was ignoring a training course in burglary?

    It's been this way for 10 years or more. Seriously, I forgot the first time I found a list of these. It's been this way ever since they put apache web servers on "CCTV" cameras and stuck them on the Internet. With PNP settings on your router turned on, you don't even have to open the port manually.

    This is a non-story and is obvious to fucking everyone who has so much opened a quckstart guide to a CCTV camera.

    --
    BMO

  17. Re:Banal? by hoggoth · · Score: 1

    I just had to look up Ajax.
    Apparently he is a Greek hero. Fancy pseudo-intellectual sprinkling Greek mythology into your conversations...

    --
    - For the complete works of Shakespeare: cat /dev/random (may take some time)
  18. Re:Banal? by AliasMarlowe · · Score: 1

    Out of curiosity, where are you?

    I work in Toronto, live in the town of Ajax just east of there.

    I used the word "banal" on numerous occasions (spoken and in email or documents) when I lived in Toronto, and the permanent residents seemed to understand it. Other people even used the word in my hearing, and used it correctly. Their vocabulary was not too bad for that side of the Atlantic. Of course, most of us lived in the Western and Northern suburbs rather than in Ajax...

    --
    Those who can make you believe absurdities can make you commit atrocities. - Voltaire
  19. Re:Banal? by camperdave · · Score: 1

    Hi fellow GTA-ian. I live out by the zoo: Meadowvale and Sheppard area.

    --
    When our name is on the back of your car, we're behind you all the way!
  20. Exploits != Vulnerabilities by Shad0wFyr3 · · Score: 1

    These systems come with vulnerabilities, not exploits. Exploits are the things you throw at a vulnerability to make the device bend to the your will.

    1. Re:Exploits != Vulnerabilities by 0123456 · · Score: 1

      My IP camera came with an undocument passwordless root login if you telnet to a particular port. Does that count as an exploit or a vulnerability?

      Certainly someone must have pointed out it because it was removed in the firmware update.

    2. Re:Exploits != Vulnerabilities by Shad0wFyr3 · · Score: 1

      That's still a vulnerability. In that case, the exploit is merely your keyboard where you log in to that paswordless root account through that particular port. The exploit is the way that you leverage an existing vulnerability (the vulnerability, in your case, being the manufacturer-provided backdoor).

  21. How else... by vanyel · · Score: 1

    ...are the heroes and villains in the movies supposed to keep an eye on each other?

  22. Re: Zoneminder by drainbramage · · Score: 1

    Pretty much spot on.
    Also not that the china turnkey systems run Linux but do not allow you to view them on Linux.
    However, why no audio support in Zoneminder?

    --
    No brain, no pain.
  23. Re: Zoneminder by Lumpy · · Score: 1

    There is audio support in zoneminder,. It is currently a early beta plug in. but very very few security installs use audio because of state wiretapping laws prohibit it so it was not a priority of the developers.

    --
    Do not look at laser with remaining good eye.
  24. Unnecessary by Anonymous Coward · · Score: 1

    Interesting perspective.

    I guess that's why I've been installing IP cameras on physically separate networks for all these years.

    No need to physically separate any more. VLAN's, VRF's, MPLS & Remote Access with VPN's. Easy to maintain and scales nicely up to as many cameras, video-servers etc. you will ever need.

  25. Default Password List by IPCamera · · Score: 1

    Yes,you are right! Many ip cameras all have default passwords.If consumers didn't change the passwords,that's very dangerous! Here is a default password list of some kinds of ip cameras.