Firmware/Security bug regarding ONVIF?

chadbaldwin
Posts: 14
Joined: Wed Apr 06, 2016 9:28 am

Firmware/Security bug regarding ONVIF?

Post by chadbaldwin »

Okay...either I don't understand how ONVIF works...or there is some sort of weird bug going on here.

I've just finished upgrading firmware, factory resetting and re-configuring all 4 of my cameras.

I have:
2 x IP3M-HX2W
2 x IP2M-841B

All 4 cameras have ONVIF disabled.

When adding the cameras to any software that supports ONVIF authentication...no username or password is needed. Or if I do provide one, it is ignored. And I am able to view the video feed even though I have provided zero or completely wrong credentials.

The viewing software I am using is:
PC: Deskshare IP Camera Viewer 4.08
Android: TinyCam Pro

If I enable ONVIF on the cameras...then I am only able to log in via ONVIF by providing the admin credentials...any other credentials do not work.

Can someone please explain to me what is going on here? Cause this makes zero sense.
Revo2Maxx
Site Admin
Posts: 6760
Joined: Sat Jun 15, 2019 3:05 pm

Re: Firmware/Security bug regarding ONVIF?

Post by Revo2Maxx »

OK, that is strange and I will do some testing. However, sadly I am not going to use a 3rd party viewer because I don't trust apps not to leak my login info.

So are you saying that on the new FW from 2019 you are able to access your camera over the viewer without giving login info?

Or is this on older FW? Back in 2017 or older? As there was a time when there were some issues that were fixed by an update to the cameras... I think that might have been the 2.420 from 2017 that was before the 2.520 in 2017? Can you confirm what FW you're on?

Thanks
Be Safe.
chadbaldwin
Posts: 14
Joined: Wed Apr 06, 2016 9:28 am

Re: Firmware/Security bug regarding ONVIF?

Post by chadbaldwin »

@Revo2Maxx I just upgraded all 4 cameras to the latest firmware.

Here are the versions for the camera I am currently testing with:
Camera Model: IP3M-HX2W
Software version: V2.620.00AC00.3.R, Build Date: 2019-12-18
ONVIF Version: 16.12(V2.4.1.513183)

However, even when I was on the firmware release that I had prior to this (which I believe was 2018-ish release date), I was noticing some ONVIF issues, but I never bothered digging into it. So I can't say for certain if this was an issue before as well.
Last edited by chadbaldwin on Sat Feb 01, 2020 6:26 pm, edited 1 time in total.
chadbaldwin
Posts: 14
Joined: Wed Apr 06, 2016 9:28 am

Re: Firmware/Security bug regarding ONVIF?

Post by chadbaldwin »

Oh, to answer your question.

Yes, I am saying that I can access the camera's feed via the viewer without giving login info. As long as the camera has ONVIF authentication set to "Disabled" and I have the viewing software set to use ONVIF.
Revo2Maxx
Site Admin
Posts: 6760
Joined: Sat Jun 15, 2019 3:05 pm

Re: Firmware/Security bug regarding ONVIF?

Post by Revo2Maxx »

OK, thank you for helping me understand better. I will pass this on to the support staff at Amcrest...
Be Safe.
chadbaldwin
Posts: 14
Joined: Wed Apr 06, 2016 9:28 am

Re: Firmware/Security bug regarding ONVIF?

Post by chadbaldwin »

Revo2Maxx wrote: Sat Feb 01, 2020 6:04 pm
However, sadly I am not going to use a 3rd party viewer because I don't trust apps not to leak my login info.
I'm not too worried about it. None of my cameras are accessible outside of my network. I have P2P and UPnP disabled. And I have rules on my router set to block traffic to/from them outside of the network. To access them, I use a VPN.
jack7
Posts: 904
Joined: Tue May 29, 2018 7:46 pm

Re: Firmware/Security bug regarding ONVIF?

Post by jack7 »

I tested with TinyCam and it did what you said. I can't think of a reason to turn off ONVIF. There are probably very few Amcrest cameras set up with ONVIF off. But it's a bug.
jack7
Posts: 904
Joined: Tue May 29, 2018 7:46 pm

Re: Firmware/Security bug regarding ONVIF?

Post by jack7 »

Update to previous post where I used LAN. I tested it again with cell network and port forwarding. TinyCam had to use correct id/pw to log in.
Revo2Maxx
Site Admin
Posts: 6760
Joined: Sat Jun 15, 2019 3:05 pm

Re: Firmware/Security bug regarding ONVIF?

Post by Revo2Maxx »

OK, well, after talking with Support, and with them going to R&D to make sure that what they understood was correct: that isn't a bug. The words to the left say what this is. It is turning off the auth for ONVIF. With this off, you don't have to put in a password, or the right password, to get the camera to come online. So that is how it was designed, I guess: for systems that were having password issues, this allows a user to test that the system is working after all. You just need the right password with it on.
Be Safe.
jack7
Posts: 904
Joined: Tue May 29, 2018 7:46 pm

Re: Firmware/Security bug regarding ONVIF?

Post by jack7 »

OK, it's a feature, but would be considered a security issue by camera security paranoids. :shock:
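
Added example, not part of the thread and not Amcrest code: a check an owner can run against their own camera to see whether the ONVIF service answers a request that carries no credentials, which is the behaviour described above when ONVIF authentication is set to "Disabled". Assumptions: the standard ONVIF device service path on port 80, GetDeviceInformation as the test operation, and constructed sample replies.

```python
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

SOAP = "http://www.w3.org/2003/05/soap-envelope"
TDS = "http://www.onvif.org/ver10/device/wsdl"
# In the ONVIF default access policy GetDeviceInformation is not a
# pre-authentication operation, so a device that enforces ONVIF
# authentication should reject this bare request.
REQUEST = (f'<s:Envelope xmlns:s="{SOAP}"><s:Body>'
           f'<tds:GetDeviceInformation xmlns:tds="{TDS}"/>'
           f'</s:Body></s:Envelope>').encode()

def classify(status, body):
    """Map one HTTP reply to 'open', 'auth-required' or 'unknown'."""
    if status == 401:                      # HTTP digest challenge
        return "auth-required"
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return "unknown"
    for value in root.iter(f"{{{SOAP}}}Value"):   # SOAP fault code/subcode
        text = (value.text or "").strip()
        if text.endswith(("NotAuthorized", "FailedAuthentication")):
            return "auth-required"
    if root.find(f".//{{{TDS}}}GetDeviceInformationResponse") is not None:
        return "open"                      # data returned with no credentials
    return "unknown"

def probe(host, port=80, timeout=5):
    """Send the credential-free request to a camera you administer."""
    req = urllib.request.Request(
        f"http://{host}:{port}/onvif/device_service", data=REQUEST,
        headers={"Content-Type": "application/soap+xml; charset=utf-8"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read())
    except urllib.error.HTTPError as err:  # 4xx/5xx can still carry a SOAP body
        return classify(err.code, err.read())
    except OSError:                        # refused, timed out, no route
        return "unreachable"

# Constructed sample replies (not captured from a real camera).
OPEN_REPLY = (f'<s:Envelope xmlns:s="{SOAP}" xmlns:tds="{TDS}"><s:Body>'
              '<tds:GetDeviceInformationResponse><tds:Model>EXAMPLE</tds:Model>'
              '</tds:GetDeviceInformationResponse></s:Body></s:Envelope>')
FAULT_REPLY = (f'<s:Envelope xmlns:s="{SOAP}"><s:Body><s:Fault><s:Code>'
               '<s:Value>s:Sender</s:Value><s:Subcode><s:Value>ter:NotAuthorized'
               '</s:Value></s:Subcode></s:Code></s:Fault></s:Body></s:Envelope>')

if __name__ == "__main__":
    print(classify(200, OPEN_REPLY), classify(400, FAULT_REPLY))
```

Running `probe()` once from the LAN and once through any forwarded port shows whether both paths behave the same, since the two tests reported in the thread gave different results.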