Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Axis Network Camera known default password vulnerability
From: Joacim Tullberg <joacim () axis com>
Date: 6 Dec 2001 13:53:53 -0000


In-Reply-To: <3C0E5357.1080105 () realwarp net>

We have over the years tried many different methods 
to encourage users to change the default root 
password immediately after installation of an Axis 
Network Camera or Video Server. The majority of 
users obviously change their passwords but there 
are of course those that do not.

Below I have listed some of the things we have tried 
over the years:

- Force change of password prior to making the unit 
fully operational.
Result: Significant number of support requests due to 
forgotten passwords.

- Password protection enabled from start with default 
password, the most basic method, currently used in 
Axis 200+ & 200 Network Cameras. 
Result: Support calls requesting the default 
password. (Though clearly stated in the installation 
guide)

- An option worth considering is to have a unique 
default password for each device, printed on a 
sticker. We have not tried this in real life but I believe 
the result would be - Support requests for the default 
password, a question we would not be able to 
answer and worse, it would also mean that: a 
forgotten password and a lost sticker would make the 
unit useless.

We welcome all suggestions on how we may 
improve the default password handling procedure 
and increase the security of our Network Camera and 
Video Server product. If you have any suggestions, 
please tell us.

Best Regards,
Joacim Tullberg 
Product Group Manager, 
Network Cameras & Video Servers
Axis Communications


Axis Network Camera known default password 
vulnerability
by Chris Gragsone
Foot Clan

Date: November 17, 2001
Advisory ID: Foot-20011117
Impact of vulnerability: Default Password
Exploitable: Remotely
Maximum Risk: Moderate

Affected Software:
Axis Network Camera 2120
Axis Network Camera 2110
Axis Network Camera 2100
Axis Network Camera 200+
Axis Network Camera 200

Vulnerability Description:

Axis Network Camera is an embedded system that 
connects a camera 
directly to the network. With data rates up to 25 
frames a second and 
motion detection. It could be used as a web cam, or 
for security. This 
network camera could also be used as part of an IP-
Surveillance system, 
critical to a site's infrastructure.

During installation of Axis Network Camera, the 
administrator is not 
prompted for the password for the root account. If 
the camera is left 
improperly configured, the attacker could connect to 
the device remotely 
and obtain administrative access, and reconfigure 
or interrupt the camera.

Vulnerability:
Log into any Axis Network Camera via ftp, telnet, or 
http
Default account: root
Default password: pass

References:
http://www.axis.com/product/camera_servers/index.
html 
http://www.axis.com/solutions/cam_vid/surveillance/i
ndex.html
Contact:
http://footclan.realwarp.net Chris Gragsone 
(maetrics () realwarp net)

Disclaimer:
The contents of this advisory are copyright (c)2001 
Foot Clan and may be 
distributed freely provided that no fee is charged for 
this distribution 
and proper credit is given.




  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault