Original URL: http://www.theregister.co.uk/2013/05/01/ip_cameras_with_dumb_vulns/

Cameras leak credentials, live video

D-Link scrambles upgrade, Vivotek silent says Core Sec

By Richard Chirgwin

Posted in Security, 1st May 2013 01:51 GMT

D-Link and Vivotek have submitted their entries for “dumbest security vulnerability of 2013”, with Core Security turning up a variety of daft bugs in their IP cameras, including hard-coded backdoor passwords.

The advisories are here for Vivotek and here for D-Link. D-Link has told Core Security it is preparing a fix, but the researchers were unable to elicit a response from Vivotek.

The D-Link vulnerabilities include:

Vivotek's blunders include:

Unless users get busy with upgrading their firmware, The Register imagines all kinds of unwanted “private” videos will start turning up. More seriously, however, it's also likely – knowing the bad habits not just of users, but of many sysadmins – that leaked credentials will be replicated on other bits of network infrastructure.

Core Security's advisories include a full list of devices confirmed as vulnerable. ®