Security camera installer reuses passwords

techguy505 · Sunday at 1:28 PM

So I recently discovered the outside contractor who installs and manages our security cameras and alarm systems has been reusing the same username "admin" and the same password on all of his NVR/DVR systems across all of his clients for years now. We have 7 NVR systems with him. Typically Dahua units and cams. Is this as bad as I think it is?

TonyR · Sunday at 2:40 PM

techguy505 said:
So I recently discovered the outside contractor who installs and manages our security cameras and alarm systems has been reusing the same username "admin" and the same password on all of his NVR/DVR systems across all of his clients for years now. We have 7 NVR systems with him. Typically Dahua units and cams. Is this as bad as I think it is?

Definitely not good.....although it could be worse if you find out even more similar no-no's...... :wtf:

Oneup · Sunday at 3:50 PM

Techguy, why don't you change the passwords?

techguy505 · Sunday at 3:54 PM

Oneup said:
Techguy, why don't you change the passwords?

I just figured out it was happening. The contracter and I are having an unrelated dispute and I came to the realization while reviewing past conversations. He'll likely be removed and upper management has been made aware of it but my hands are currently tied.

Oneup · Sunday at 3:57 PM

samplenhold · Sunday at 4:37 PM

He did that because he is lazy. He does not need to keep track of different credentials for each installation. This goes against the first rule of cyber security that has been told to everyone for decades.

This is almost like installing a back door. He or anyone working for him can access your system without your consent. This also means that any of his other clients can know your password to your system, and anyone that those clients share the password with can know your password also.

tigerwillow1 · Sunday at 4:47 PM

I would expect the user to change the passwords after the installation. One of the first things I did moving into the current house was re-key the locks because I knew at least the builder could get in.

alastairstevenson · Sunday at 5:17 PM

techguy505 said:
Is this as bad as I think it is?

Yes, because you should be changing and recording and protecting the passwords to your organisation's own standards after the system has been installed and tested and accepted from the installer.

techguy505 · Sunday at 5:21 PM

alastairstevenson said:
Yes, because you should be changing and recording and protecting the passwords to your organisation's own standards after the system has been installed and tested and accepted from the installer.

Unfortunately the installer also "manages" the cameras and the security systems.

tigerwillow1 · Sunday at 5:28 PM

techguy505 said:
Unfortunately the installer also "manages" the cameras and the security systems.

Knowing that might move me into the "lazy installer" camp.

Oneup · Sunday at 5:33 PM

What is a security system when everyone knows the password? Right now you do not have one.

TonyR · Sunday at 5:36 PM

IMHO, these are not "security systems", they are more accurately called "surveillance camera systems".

techguy505 · Sunday at 5:39 PM

TonyR said:
IMHO, these are not "security systems", they are "surveillance camera systems".

He "manages" our security systems as in alarm panels as well.

TonyR · Sunday at 5:40 PM

techguy505 said:
He "manages" our security systems as in alarm panels as well.

Then as stated by @Oneup it's not "secure", is it?

Oneup · Sunday at 5:57 PM

What is worse, is that the installer, that is Pissed Off at you, has access to your system. That would be my first thing to correct.

techguy505 · Sunday at 6:14 PM

Oneup said:
What is worse, is that the installer, that is Pissed Off at you, has access to your system. That would be my first thing to correct.

Yeah I'm hoping to have him removed next week. We're going to review his contracts but given that reusing passwords to the degree he has it wont he hard to claim negligence.

samplenhold · Sunday at 6:31 PM

If you can't remove him, then change the passwords and when he needs to "manage" the system, have someone enter the password without him seeing it. But if the management is remote, that will not work.

wittaj · Sunday at 6:33 PM

Blast company name here and on BBB and FB.

That sounds like the trunk slammer and has exposed many companies to vulnerability.

BobbyArcher · Sunday at 9:08 PM

techguy505 said:
Yeah I'm hoping to have him removed next week. We're going to review his contracts but given that reusing passwords to the degree he has it wont he hard to claim negligence.

I suggest that you change the passwords BEFORE you have him removed!

techguy505 · Sunday at 9:14 PM

BobbyArcher said:
I suggest that you change the passwords BEFORE you have him removed!

That's my plan. I could set them back up anyway but would prefer not to spend a day doing it. I have to check his configuration over anyway though.

Search

Security camera installer reuses passwords

techguy505

n3wb

TonyR

Oneup

Getting the hang of it

techguy505

n3wb

Oneup

Getting the hang of it

samplenhold

tigerwillow1

Known around here

alastairstevenson

techguy505

n3wb

tigerwillow1

Known around here

Oneup

Getting the hang of it

TonyR

techguy505

n3wb

TonyR

Oneup

Getting the hang of it

techguy505

n3wb

samplenhold

wittaj

BobbyArcher

Getting the hang of it

techguy505

n3wb