519070 or blank: The PINs that can pwn 80k online security cams

Researchers say up to 80,000 digital video recorders (DVRs) used to record footage from surveillance cameras employ hardcoded passwords - or don't use one at all - opening avenues for attackers to breach home and business networks and compromise privacy. In one examination, at least 46,000 DVRs were found open to remote …

  1. Anonymous Coward

    This is one of the many reasons I automatically turn UPnP off on my home router. If I have a service (and there are many) that needs to be connected to the internet then it's me that specifies the port number; it's not an ideal solution but it at least offers a little protection.

  2. Hans Neeson-Bumpsadese Silver badge

    Too much information?

    I appreciate that it's useful to bring things like this to people's attention, but do you really think it helps when you publish specific details, including the exact user/PIN required?

    1. Anonymous Coward

      Re: Too much information?

      It doesn't do any harm, since it takes only a few seconds to find out the information from elsewhere on the web.

      And being this in-your-face about it may embarrass the manufacturer enough to issue a fix. I wonder how many purchase orders for their products have been cancelled even in the time that it takes to type this.

      1. Pascal Monett Silver badge

        Re: I wonder how many purchase orders for their products have been cancelled

        Maybe none. Probably none, even, if the amount of people handing over their privacy to Facebook is any indication.

        But seriously, this hack can only take place if the camera is connected to the network. That means all CCTV purchases are not at risk from the Internet. Of course, they are perfectly at risk from physical tampering, but if your threat is already that close, it's not the camera that will deter him.

        As for me, I'm done even thinking about buying security cameras until an official rating has been created, implemented and can be verified stating that the hardware is secure and as tamper-proof as possible without any backdoors or root access or hardware-coded passwords.

        I'm not holding my breath.

        1. Down not across

          Re: I wonder how many purchase orders for their products have been cancelled

          "As for me, I'm done even thinking about buying security cameras until an official rating has been created, implemented and can be verified stating that the hardware is secure and as tamper-proof as possible without any backdoors or root access or hardware-coded passwords."

          Mine are on a VLAN all by themselves with no route to the internet and only have firewalled, inbound access from select IP addresses and a box running ZoneMinder.

          Not perfect, but they're not phoning home nor have access to probe the network.

    2. Anonymous Coward

      Re: Too much information?

      Yes, because although some devices have been identified as having this security problem, there may be many others.

      An example is my Storage Options IP cam. I've checked it and this PIN doesn't work, but if I didn't have the PIN how would I ever know? The article also makes me quite curious about a "root" user, so I've just created one to see if it will allow it, and it does, hopefully indicating there isn't a hidden "root" user, though without picking it apart I wouldn't know. But as it's just a door motion email cam, I'm not really that bothered if someone wants to watch the back of my front door all day.

    3. Nicocys

      Re: Too much information?

      Not sure it would change anything, the report is public anyway...

      Nice stuff too: 519070 on Google returns it as a postal code for Xiangzhou, Zhuhai, Guangdong in China. Basically the postal code of where they are located... Talk about random!

      1. ABehrens

        Re: Too much information?

        Specifically, it's the postal code for the Zhuhai Science & Technology Industrial Park.

    4. Michael Wojcik Silver badge

      Re: Too much information?

      As is well known, blackhats come to the Reg first for all their 0-day needs.

      Ah, well. The security-by-obscurity crowd will always be with us, a constant but annoying companion.

  3. Haku
  4. Tim J

    The Internet of Things is going to be great, isn't it!

    1. Mark 85

      It already is. This crap has been going on long before some marketing dweeb coined "the Internet of Things".

      1. Oengus

        Of course the marketing dweebs had to come up with a "catchy" name or bright and flashy packaging. Then you need to get some celeb to "Like on Facebook" (not that they will use it themselves). How else are they going to attract the iGen (Generation Z) and get them to buy?

    2. Crazy Operations Guy

      "The Internet of Things is going to be great, isn't it!"

      For me it will be. Before, I needed to pay out the nose for a machine elsewhere on the internet so I can test what external users see of my network. Now it's just a quick trip over to Shodan, and away I go...
