Paul Rothman is Editor in Chief of Security Dealer & Integrator (SD&I) magazine. Connect with him on Linkedin at http://bit.ly/PaulRothmanSDI.
When SplashData announced its annual list of the 25 most common passwords found on the Internet, none of us in this industry were too surprised. Whoop-de-do, you said as you found out that "password" had lost its title as the most common and therefore worst password, and two-time runner-up "123456" took the honor ("password" fell to No. 2).
Rightfully so! I doubt many of us in the security industry use very many of these oft-deployed and hacked passwords, such as “qwerty” or “111111” or the long-popular “iloveyou”; however, there is one particular password that stands out on the list for me — it came in at No. 12 and it certainly has an impact on those of us who install and deploy security and home automation products.
If you hadn’t guessed it, that password is “admin.”
Often the default password on security cameras and home automation devices; not going in and changing this default password on certain home automation devices leaves them wide open to be hacked. At this year’s ESA Leadership Summit, I watched two experts hack into an unsecured camera network and actually look in on a lobby security camera.
Bjorn Jensen, current president of WhyReboot and frequent CEDIA instructor, and Peter Shipp, Principal of Technology at ZIO, an Orlando-based integrator, teamed up for the demonstration. You are probably thinking, “wow it must have been difficult to hack into some random camera system live on stage at an industry event.”
It wasn’t, of course. All they did was go to a website that listed suspected vulnerable IP addresses that support camera feeds (a simple Google search would reveal it); then they picked one and tried it out. After a couple of keystrokes, they were in…simple as that. As we looked at the feed on the big screen in front of the room, one of them said: “it’s so simple that my mother could do it — and that’s saying something.”
Jensen did offer one caveat, “I did have to crack the user name and password on this one,” he told the group of hundreds of alarm system dealers in Orlando. “It was ‘admin’ ‘admin.’”
As a security installer (or someone who oversees them), this is not something you should simply laugh off and say “it can’t happen to me (or my company).” Think again — it happens every day. And these hacks go beyond security cameras — there are as many or more vulnerabilities in home automation products as well. In fact, according to a recent CEDIA webinar I attended, “while remote access services are driving customer desire for connected home products, they can also be a primary cause of vulnerabilities on home networks.”
Why? Because many of these products that control garage doors, thermostats, lights and door locks don’t even have a password. And if they do, much like security cameras, the simple default user/password combination for the installer — generally ‘admin’/’admin’ — has not been disabled after the installation is completed. That’s an oversight that could cost your company both money and credibility.
Remember the TRENDnet camera case? A hacker discovered a flaw in the company’s IP cameras that allowed Internet users to easily gain access to live footage without a password. He posted the vulnerability on hundreds of message boards and sites just like the one that Jensen and Shipp used for the ESA Summit demonstration. SD&I legal expert Eric Pritchard outlined the impact of the decision on the security industry in our December 2013 issue. TRENDnet was forced to agree to a settlement with the FTC that restricted its ability to market its products, among other things.
If your installation teams forget to change the default password on a security camera or home automation device, you can expect fallout as well. Perhaps the government will not be coming down hard on your company, but your customers surely will. Make sure you are taking this critical step as part of your installation process!