Most CCTV Systems Come With Trivial Exploits

An anonymous reader writes "The use of CCTV cameras for physical surveillance of all kinds of environments has become so pervasive that most of us don't give the devices a second thought anymore. But, those individuals and organizations who actually use and control them should be aware that most of them come with default settings that make them vulnerable to outside attacks. According to Gotham Digital Science researcher Justin Cacak, standalone CCTV video surveillance systems by MicroDigital, HIVISION, CTRing, and many other rebranded devices are not only shipped with remote access enabled by default, but also with preconfigured default accounts and passwords that are banal and easy to guess."

Also in the news

[Chrisq]

Most routers/web tv boxes/digital photo frames/wifi dildos come with trivial exploits. People sell things configured to work "out of the box", allowing you to configure them securely if needed. If they didn't they would get a lot of returns and support calls from people who didn't read the manual.

Re:so?

[lorenlal]

I wish I didn't knee-jerk my reply... Your point is exactly what I'm thinking.

Umm... Yea. I heard that corporate routers and switches come with really weak default protection! Your server will let anyone fire it up and login out of the box!

The horrors... This story is a non-story. If you go buy hardware for some purpose, make sure you configure it. If the story said most CCTV configurations have backdoors, or are easily exploitable even after prescribed lockdown, then we'd have something to work with.

What does CC mean?

[Infiniti2000]

Are they taking the CC out of CCTV? What am I not understanding about this term? I guess it may have evolved to not be closed circuit any more, but then it should be called something else. Regardless, a "default" with gaping vulnerabilities should not surprise anyone.

Re:Are we surprised?

[fuzzyfuzzyfungus]

I suspect that there are (at least) two distinct schools of utter fail:

The professionals, with a legacy in CCTV-as-in-actual-closed-circuit-running-on-private-coax, probably have an attitude much as you describe. The classic CCTV systems were dumb as bricks(not that their designers necessarily were, making largely analog, reasonably high bandwidth systems actually work in practice isn't trivial); but that lack of sophistication served as a strong defense against anybody without a physical tap shoved right into the coax. You just don't develop a very strong culture of caring about remote exploits if your engineering history is almost entirely concerned with systems that are incapable of remote anything, whether you like it or not.

Then you have the upstarts(either new companies, or rebadged ODM crap sold by existing ones), who design CCTV systems on the premise that a CCTV camera is basically just an embedded linux board with a camera interface, and a record/playback system is basically just an x86 with some sort of h264 hardware and a lousy frontend. These assumptions are not false, and advances in silicon sensors and cheap embedded computers definitely mean that the price is right; but the standards of security excellence in low-cost embedded gear are absolutely fucking dire... These guys should know better, since their designs are 100% post-ubiquitous-networking in concept; but they just don't get paid enough, or enjoy long enough development cycles, to give a damn.

Re:Also in the news

[RawsonDR]

Most routers/web tv boxes/digital photo frames/wifi dildos come with trivial exploits. People sell things configured to work "out of the box"

Not Wifi dildos...

Re:This again?

[Baloroth]

Or he knew what was going on because it happened all the time and didn't give a shit because he wasn't paid to care (quite likely).