How is ODM able to bypass my pass; and how to disable it?

aforum

Young grasshopper
Joined
Oct 17, 2021
Messages
49
Reaction score
13
Location
US
I just learned about ODM. Loaded it and it shows all my IP cams: the live view, and I am able to change settings WITHOUT my edited password.
  1. How is this possible?
  2. And what setting [per cam] turns this off? (Restrict feed and settings view to password only)
In ODM, is it "ONVIF discovery mode"? (And what is the name of it in the camera's page?)
  • If yes, I thought that Onvif was only the protocol for sending the video/settings feed to my NVR, and not an OPEN door for anyone on the network to see the feed/settings without entering the pass.
  • In SmartPSS, I set up the [non Dahua] cams using Onvif protocol, to get them to work (so I thought the ONVIF checkmark/whatever was required to be on). But in [SmartPSS > camera channel setup], I entered the new pass for the NVR to see, thus I thought that access was password locked (and then viewing the feed/settings on the NVR was restricted behind a User pass). The cams no longer have the default pass, so how is ODM able to get into the settings/feed merely by being on the same network?

I'm alarmed because I'm on a home network, but don't trust the other people.
 


alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
16,047
Reaction score
6,875
Location
Scotland
"If yes, I thought that Onvif was only the protocol for sending the video/settings feed to my NVR, and not an OPEN door for anyone on the network to see the feed/settings without entering the pass."
Yes, that's correct, but the security flaw is in the firmware implementation or configuration settings of the camera, not because ODM can do something to bypass security.

What are the brands / models of the (unspecified) camera?
 

aforum

"not because ODM"
Correct. I don't mean ODM can bypass. But I mean which [surprise] camera setting is wrong that allows [ODM type programs] to bypass my view password?
In my picture, are any of those checkmarks the fix?

I don't know the exact brands of the cams, from China (not Dahua), IP cams, some PTZ, some bullet.
I can DM you the model #s of the PTZs if that helps?

Also in ODM, at Network tab > ONVIF discovery mode, I have the option to set that to Non discoverable. (I haven't tried yet in case it locks me out.)
But is that the setting I need to turn off? Ty.
 

alastairstevenson

"I can DM you the model #s of the PTZs if that helps?"
No need for that - model numbers are not sensitive.
Generic Chinese camera brands are riddled with very poor security implementations. And even the big brands have had many embarrassing security failures.
 

aforum

It's not related to [any of you guys], but I might have a hostile relative on my network who might be at this forum (and messing with my cameras). Thus I don't want to give out identifiable info (that only they would know if they see it posted).
So if you give me permission to DM the model, I will.

But my setup of the cams is probably unfinished. I turned off auto IP (after I got them set up). But unsure if I need to turn off P2P and the Onvif discovery checkmarks in my picture. So please clarify, ty.
 

aforum

"I am fairly certain if you check Onvif Authentication on, that will require the password."
Thank you! That worked (and I assumed it was related to that, but didn't want to try without confirm). So the goal of restricting view and settings, has been met :)

I have 2 of these cameras, tested on one > Auth = checked (at the cam's webpage, not in ODM). And now all view feeds (from ODM) and these settings - are locked (ODM doesn't even give me the option to input password to change these settings).
[Attachment: locked settings after check Require Onvif auth.png]
  • After I checked 'Onvif Authentication on' (at the camera's webpage), then SmartPSS (.exe) > PTZ control wasn't working, but cam feed was still on. So I went to cam list > re-entered the pass for that cam, and now PTZ control works.
But two remaining questions:
  1. After the Auth lock (on) > in ODM, I click Maintenance > I see Reboot button (I clicked and it correctly denies access). But when I click Upgrade, it does [let me] open Windows' 'choose file window.' Can anyone confirm that [if I chose an upgrade file and clicked Ok], that ODM would correctly deny the final operation?
  2. And in my original pic > "Control protocol" (with the warning that if unchecked then camera can't be "discovered by search tool"). Anyone know what happens if I check that? And whose search tool they refer to (like their own search program or do they refer to Onvif scanners like ODM)? I would like the cams to not show in ODM listing, if possible.
 

Mike A.

Known around here
Joined
May 6, 2017
Messages
3,949
Reaction score
6,636
1. You'd have to try it, but to that point ODM is just working on the PC side so the cam isn't involved, and it's no surprise that it lets you do that independent of the cam setting.

2. Various camera makers use a control protocol that lets their tools find and control their cams over the network via certain ports, e.g., Dahua's Config Tool. That's what that is. ODM likely is just scanning for and testing response from common ONVIF ports. It may know how to scan for Dahua/Hikvision's management ports since they're well known. Not sure, haven't tried it. You can test that by checking the box off without hurting anything. Might need a cam restart, and if ODM has already found the IP it may still show it in the list since it knows where to look already. i.e., that doesn't hide it from something that knows where it is, just doesn't show response on that control port when scanning the network and shouldn't allow control. Will still stream video and can access settings via the IP address.
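
Added example (not part of any post in this thread): a Python check an owner can run against their own cameras to confirm that the "ONVIF Authentication" setting discussed above is actually enforced, by sending one ONVIF request with no credentials and classifying the reply. The `/onvif/device_service` path and port 80 are assumptions that vary by firmware, and the two sample replies are constructed.

```python
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

SOAP = "http://www.w3.org/2003/05/soap-envelope"
TDS = "http://www.onvif.org/ver10/device/wsdl"
# GetDeviceInformation should be refused when no credentials are supplied.
REQUEST = (f'<s:Envelope xmlns:s="{SOAP}"><s:Body>'
           f'<tds:GetDeviceInformation xmlns:tds="{TDS}"/></s:Body></s:Envelope>')

# Constructed sample replies (not captured from a real camera).
SAMPLE_OPEN = (f'<s:Envelope xmlns:s="{SOAP}" xmlns:tds="{TDS}"><s:Body>'
               '<tds:GetDeviceInformationResponse><tds:Model>EXAMPLE</tds:Model>'
               '</tds:GetDeviceInformationResponse></s:Body></s:Envelope>').encode()
SAMPLE_DENIED = (f'<s:Envelope xmlns:s="{SOAP}"><s:Body><s:Fault><s:Code>'
                 '<s:Value>s:Sender</s:Value><s:Subcode><s:Value>ter:NotAuthorized'
                 '</s:Value></s:Subcode></s:Code></s:Fault></s:Body></s:Envelope>').encode()

def classify(status, body):
    """Classify the reply to an unauthenticated request: enforced, open or unknown."""
    if status in (401, 403):            # HTTP-level refusal (e.g. digest challenge)
        return "enforced"
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return "unknown"
    fault = root.find(f".//{{{SOAP}}}Fault")
    if fault is not None:               # SOAP-level refusal: subcode ter:NotAuthorized
        codes = [(v.text or "").strip() for v in fault.iter(f"{{{SOAP}}}Value")]
        return "enforced" if any(c.endswith("NotAuthorized") for c in codes) else "unknown"
    if root.find(f".//{{{TDS}}}GetDeviceInformationResponse") is not None:
        return "open"                   # camera answered with no credentials at all
    return "unknown"

def audit(host, port=80, timeout=5):
    """Send the request with no credentials to a camera you administer."""
    url = f"http://{host}:{port}/onvif/device_service"   # assumed default path
    req = urllib.request.Request(url, REQUEST.encode(),
                                 {"Content-Type": "application/soap+xml; charset=utf-8"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read())
    except urllib.error.HTTPError as err:   # 4xx/5xx replies still carry a SOAP body
        return classify(err.code, err.read())
    except OSError:                         # unreachable, refused or timed out
        return "unknown"

if __name__ == "__main__":
    print(classify(200, SAMPLE_OPEN), classify(400, SAMPLE_DENIED))
```

Call `audit("192.0.2.10")` with each camera's own address (the one shown is a documentation placeholder); a result of "open" means that camera still answers ONVIF requests without a password, whether or not it appears in a discovery list.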
 