It’s a horrible practice for IP-enabled device manufacturers to ship products with default passwords because users often don’t change them. Yet, 44 of the top 50 CCTV manufacturers do exactly that. We’re talking “root/root” and “admin/1234.” Unbelievable? Here’s the list.
While CCTV cameras may not store valuable data, they’re useful to hackers. Two security mitigation companies, Sucuri and Imperva, were recently called in to mitigate rather massive DDoS attacks originating from CCTV-based botnets. The hackers used the default logins to compromise the Linux devices’ SSH servers and install the botnet malware.
CCTV cameras and other IoT devices can also serve hackers as a beachhead on the network, from which they can gain access to valuable data.
The 6 manufacturers whose products require a new password to be generated on boot-up should be applauded. They are Axis, Cisco, Hikvision, Northern, Panasonic and Samsung.
While password replacement is an improvement, it’s no panacea. SSH servers on IoT devices are subject to a host of attack methods that every device owner and administrator should understand. Read about them in SSH: The Achilles Heel of Linux Systems — 4 SSH Exploits Every Linux Administrator Should Understand.