Bit of a heads up about a bit of a disconcerting security issue in some ONVIF IP cameras.
I had my eye on some low cost, Chinese OEM IP cameras because they have good NAS compatibility (claimed Synology). They are branded as IPS, Uvision, Gsvision, Sunvision, Aote among others. I was willing to put up with the clunky ActiveX interface because I figured I'd only have to configure them once and would be viewing the video through the NAS/NVR interface.
Everything went fairly smoothly- I set the time, IP address, changed the password- and when I went to log back in it would not accept the same one copied and pasted. No problem- went for the old reset button and… no reset button.
So I emailed the Chinese manufacturer, they asked for me to give their technician access to my computer via TeamViewer so he could reset it- I said that was not really an acceptable solution. So they sent me the default, hard-written to firmware, root password for their cameras so I could just remotely log-in and hard-reset the camera over telnet.
That's right, there's a root user, but you can't change the password.
Yeah- not too happy about that.
I spent a few days going back and forth with them- explaining why, with these cameras in homes and businesses all over the world this was a Bad Thing. Either they were playing dumb and had to have it for the Powers That Be (as has been documented with other network products of similar origin), or else they truly think it's ok. Their attitude was basically that they had made a mistake in giving it to me- and not in having one in the first place. Their "fix" was a promise to change the hard-written root pass in future firmware revisions. Given that the password is sent to the camera in plaintext, it's hardly likely the new one would remain secret for long.
(In case you are wondering, even after a few hard reset cycles the camera would still not accept a new admin password but that is no longer really a concern for me.)
All this seems a bit insane. As we all know few LANs are very secure- wifi is not tough to crack, we all password protect our computers and NASs against this eventuality. As it stands, anyone with access to the LAN that these cameras are on can take them all offline with a few keystrokes, or reset the admin password, restore the original IP and leave anonymous access on- so the owner would never know they had been compromised. Or set them to forward images to an outside location.
As far as cameras that are accessible via the Internet, many people will not change the cameras default IP- which means that even on reset it won't lose its port mapping and video could be viewed by anyone, anywhere. At the very least they could still disable it. Other than that, root is root and someone with better Linux skills could probably make more of it.
I'm posting this because as we all know there is no security in obscurity- and if they could accidentally just email me the root pass this is far from obscure. People have these cameras pointed at playgrounds and in private homes- hoping they don't give the password to anyone else (or that it is not already being used) is not really an option in my opinion. I would never consider installing a camera with this kind of known backdoor- perhaps others feel differently.
If you'd like to check your camera, here is the information:
1. Telnet XXX.XXX.XXX.XXX (whatever IP address the camera has, there are
several tools to discover this)
username: root
password: rockTeco
2. Paste below info:
TMPCONF=$(sed '/conf/!d' /proc/mtd |awk -F':' '{print $1}')
/home/flash_eraseall /dev/$TMPCONF
rm -fr /etc/ui.conf
reboot
3. After the reboot the IP address will return to: 192.168.1.128
username: admin
password: admin
