"It's a giant city-destroy bug - geddit, bug? Software bug?"
There's a bug in your captionING.
I'll ged my coat, hopefully de moths haven't been addit.
If you run Cisco's video surveillance kit, hop over to Switchzilla's support site and download the latest version of its management software. Late last week, the networking giant admitted that its Cisco Video Surveillance Manager Appliance has an undocumented root account with static hard-coded credentials. Reading between …
"One has to ask, are there any Hardware products without hardcoded admin level accounts on them?"
Looking at the stuff on my computer desk, my other glasses, the analogue thermometer, the stand I use for my phone, the Leatherman, the desk itself, I'm fairly sure none of that hardware has any sort of admin account on them. The TV remote control I'm not so sure about, it IS a smart TV after all.
"someone created the “secret” account during product development, and forgot about it".
Maybe it was that nice government agent guy that came in to do an audit? These things happen you know, on a surprisingly frequent basis.
And this is professional gear, imagine how many "absent-minded" mistakes will remain when all that IOT shit hits the mass market.... ( On saying that, some of it is already there)
Having been in this industry, time-to-market pressures and lack of experienced developers on what sounds like an embedded Linux device makes it likely this was a simple mistake. Cisco probably acquired the system or implemented it from scratch without adequate resourcing and review/oversight...it's common for developers to set a trivial root password to simplify development and testing. It's very easy to imagine that being overlooked when it came to release time.
Not that this is any excuse for operating in that way. But Cisco is so oversized at present that the left hand certainly doesn't know what the right hand is doing. I doubt they have any rigorous and effective dedicated IoT security function that applies consistently and effectively across their diverse product lines, some developed originally in-house and some acquired.
Believe me, this happens every day, not out of malice (though I don't rule that out) but simply because of organizational inertia.
A thumb down for not reading up on governments and their latest spy efforts. Then again no need to read material from this decade. Way back in the 1990's officials in the U.S. government were being assured that people using commercially available encryption was not a threat.
But still best to read up on what has been revealed in this last decade. I'd suggest starting by searching Snowden as that will give one many rabbit holes including an idea of how extensive the cooperation between business and governments is.
"A thumb down for not reading up on governments and their latest spy efforts."
The government efforts have generally been more sophisticated than "use a static password for the root account when the device is sent from the factory".
a) it's fairly easy to discover
b) it's fairly easy to fix
There has been a long running history of manufacturers assuming that nobody will know the root/superuser password AND having no sensible precautions to prevent it being exploited (i.e. locking it down to console access only).
And these methods are routinely used by support techs to troubleshoot issues...
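The "easy to discover, easy to fix" point above is the kind of check a defender can run against an unpacked firmware root filesystem before deployment. The script below is an added example, not code from the article or any commenter: it looks for undocumented UID 0 accounts, accounts shipping with a usable static password hash, and an sshd configuration that leaves root reachable over the network rather than console-only. The three file contents are constructed samples with placeholder hashes, not data from the Cisco product.

```python
"""Audit an extracted embedded-Linux image for undocumented privileged
accounts with static credentials (the defect class discussed in the thread)."""
import re

# Constructed stand-ins for /etc/passwd, /etc/shadow and /etc/ssh/sshd_config
# taken from an unpacked firmware image. Hashes are fake placeholders.
PASSWD = """root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
svcuser:x:0:0:service:/tmp:/bin/sh
www:x:33:33:www:/var/www:/usr/sbin/nologin
"""
SHADOW = """root:$6$abc$FAKEHASHFORDEMO:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
svcuser:$1$xyz$FAKEHASHFORDEMO:18000:0:99999:7:::
www:!:18000:0:99999:7:::
"""
SSHD_CONFIG = """Port 22
#PermitRootLogin no
PermitRootLogin yes
PasswordAuthentication yes
"""

LOCKED = {"", "!", "*", "!!", "!*"}  # shadow fields meaning "no usable password"

def audit_image(passwd, shadow, sshd_config, expected_privileged=("root",)):
    """Return a list of (severity, message) findings for the given image files."""
    findings, uid0, shells = [], set(), {}
    for line in passwd.splitlines():
        f = line.split(":")
        if len(f) < 7:
            continue
        shells[f[0]] = f[6]
        if f[2] == "0":
            uid0.add(f[0])
    for user in sorted(uid0 - set(expected_privileged)):
        findings.append(("high", f"undocumented UID 0 account: {user}"))
    for line in shadow.splitlines():
        f = line.split(":")
        if len(f) < 2:
            continue
        user, hashfield = f[0], f[1]
        locked = hashfield in LOCKED or hashfield.startswith("!")
        if not locked and (user in uid0 or not shells.get(user, "").endswith("nologin")):
            findings.append(("medium", f"static password hash baked into image for {user}"))
    permit = "prohibit-password"  # OpenSSH default when the directive is absent
    for line in sshd_config.splitlines():  # last non-comment directive wins
        m = re.match(r"\s*PermitRootLogin\s+(\S+)", line)
        if m:
            permit = m.group(1).lower()
    if permit != "no":
        findings.append(("medium", f"sshd PermitRootLogin={permit}; root is not console-only"))
    return findings
```

Run `audit_image(PASSWD, SHADOW, SSHD_CONFIG)` on the samples and it reports the extra UID 0 account, both static hashes, and the network-reachable root login; a hardened image should return an empty list.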
I worked for the company that developed the Cisco NMS, and we used to test the hell out of their routers. The best minds of my generation, plus me and one or two other duffers, never found one backdoor or deliberate security issue. That was two decades ago though, I'm a bit dismayed Cisco have lowered themselves to making crap like this.
Biting the hand that feeds IT © 1998–2022