I have been working in the industry for fifteen years. During this time, I have made over eight hundred installations - from small shops to large warehouses and office buildings. And every time I come to a client who has already had someone before me, I check the same thing: the password to the recorder and cameras. Nine times out of ten it is admin/admin, admin/12345 or – even worse – the password field is completely blank.
This is not a minor oversight. It's an open door to the entire network.
Where do default passwords come from?
Manufacturers of IP cameras and NVR/DVR recorders set default login details at the production stage - so that the installer can quickly start the device. The problem is that many installers stop there. The camera works, the image is there - and that's it. The password remains as it was in the box.
Hikvision has used admin/12345 for years; Dahua, admin/admin; older Axis models, root/pass. These credentials are publicly available in user manuals, on forums and in public default-password databases. Anyone can look them up in thirty seconds.
What can an attacker do with access to the camera?
More than you think. Taking over a camera is not just about viewing the image. Modern IP cameras are full-fledged computers with Linux, a processor and network access. The attacker can:
- view live images and historical recordings,
- turn off recording or overwrite evidence,
- use the camera as an entry point to the rest of the company network,
- include the camera in a botnet (this is how the famous Mirai botnet worked - it took over hundreds of thousands of cameras around the world and caused one of the largest DDoS attacks in history),
- install spyware or ransomware on devices on the same network.
In 2021, attackers gained access to 150,000 Verkada cameras - in hospitals, prisons, schools and Tesla offices. All because of a hijacked administrative account with default permissions.
How to check if your cameras are vulnerable
Public search engines for Internet-connected devices index cameras and recorders that are exposed directly to the network. That is why, in an audit, we check whether the system is visible from the public Internet and whether remote access goes through a secure channel, e.g. a VPN, with strong passwords and up-to-date software.
As part of the audit, we can also scan the local network and list the active devices to detect old cameras, recorders or unnecessarily open services. We do this only with the consent of the infrastructure owner.
What to do – specific steps
1. Change your password immediately after installation. Each device – camera, recorder, PoE switch – should have a unique, strong password. Minimum of 12 characters, a mix of letters, numbers and special characters.
2. Enable two-factor authentication. Newer Hikvision and Dahua DVRs support 2FA via mobile app. It is worth using this, especially when accessing remotely.
3. Disable unused protocols. Telnet, UPnP, older versions of RTSP without encryption - if you don't need them, turn them off. Every open port is a potential attack vector.
4. Update the firmware. Manufacturers regularly release security patches. CVE-2021-36260 - a critical vulnerability in Hikvision cameras allowing remote code execution without logging in - was patched by the manufacturer, but thousands of cameras still run on the old firmware.
5. Separate the cameras from the rest of the network. I write about network segmentation via VLAN in a separate article - this is one of the most important steps that you can do without replacing the equipment.
6. Disable external access if not needed. If remote viewing is not necessary, block access to the camera port from the Internet at the router level. If you need it, use a VPN instead of opening ports directly.
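Steps 1, 2, 3, 4 and 6 above can be turned into a repeatable checklist that is run against an inventory of the installed devices. The script below is an added example, not part of the original article; the inventory it walks is constructed for illustration (device names, firmware numbers and the credential pairs other than the Hikvision, Dahua and Axis defaults named in the text are made up), and in practice the data would come from the installer's own records or from each device's configuration page.

```python
"""Audit a CCTV device inventory against the hardening steps in the article.

Added example; the sample inventory is constructed, not taken from a real site.
"""
import re
from dataclasses import dataclass, field

# Factory credentials (user, password) that should never survive installation.
# The first three are the defaults named in the article; ("admin", "") stands
# for the blank password field the author also mentions.
KNOWN_DEFAULTS = {
    ("admin", "admin"),
    ("admin", "12345"),
    ("root", "pass"),
    ("admin", ""),
}

# Services that should be off unless there is a documented need (step 3).
# "rtsp-plain" is a constructed label for unencrypted RTSP.
RISKY_SERVICES = {"telnet", "upnp", "rtsp-plain"}


@dataclass
class Device:
    name: str
    username: str
    password: str
    services: set = field(default_factory=set)
    firmware: str = ""          # version as reported by the device
    latest_firmware: str = ""   # version published by the manufacturer
    wan_exposed: bool = False   # port-forwarded straight from the Internet
    two_factor: bool = False


def password_is_strong(pw: str) -> bool:
    """Step 1: at least 12 characters with letters, digits and a special character."""
    return (len(pw) >= 12
            and re.search(r"[A-Za-z]", pw) is not None
            and re.search(r"\d", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def version_tuple(version: str) -> tuple:
    """Turn '1.4.3' into (1, 4, 3) so versions compare numerically, not as text."""
    return tuple(int(part) for part in version.split("."))


def audit_device(d: Device) -> list:
    """Return the list of findings for one device; an empty list means no issue."""
    findings = []
    if (d.username, d.password) in KNOWN_DEFAULTS:
        findings.append("factory default credentials still in use")
    elif not password_is_strong(d.password):
        findings.append("password does not meet the 12-character mixed policy")
    if not d.two_factor:
        findings.append("two-factor authentication disabled")
    for svc in sorted(d.services & RISKY_SERVICES):
        findings.append(f"unneeded service enabled: {svc}")
    if d.latest_firmware and version_tuple(d.firmware) < version_tuple(d.latest_firmware):
        findings.append(f"firmware {d.firmware} behind latest {d.latest_firmware}")
    if d.wan_exposed:
        findings.append("device reachable directly from the Internet (use a VPN)")
    return findings


def audit_inventory(devices) -> dict:
    """Map each device name to its findings."""
    return {d.name: audit_device(d) for d in devices}


# Constructed sample inventory: one neglected recorder, one well-kept camera,
# one camera left with a blank password.
SAMPLE_INVENTORY = [
    Device("nvr-warehouse", "admin", "12345", {"telnet", "upnp"},
           "1.2.0", "1.4.3", wan_exposed=True),
    Device("cam-entrance", "admin", "Kq7!wL9#pz2R", {"rtsp-plain"},
           "5.5.0", "5.5.0", two_factor=True),
    Device("cam-office", "admin", "", set(), "3.1.0", "3.1.0"),
]

if __name__ == "__main__":
    for name, issues in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{name}: {'OK' if not issues else '; '.join(issues)}")
```

Run as a script it prints one line per device; the neglected recorder collects six findings, the well-kept camera only the unencrypted RTSP service. Step 5 (VLAN segmentation) is deliberately left out because it is a property of the network, not of a single device, and is covered in the separate article the author refers to.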
Summary
Changing your password takes three minutes. A break-in to the monitoring system may cost the company tens of thousands of zlotys - not counting the reputational and legal losses that follow a leak of recordings. This is one of those things where the ratio of effort to effect is overwhelmingly in favor of acting.
If you don't know whether your system is properly secured, write or call. A security audit of CCTV installations is something I do regularly and can greatly surprise business owners who believe that everything is in order.