Security Risk Flaw needs REDRESS

see a device that we do not currently have and think we should research in to let us know here. The same goes for features on devices If there is a feature we don't have that you would like please request it here and it will be passed along to the R&D team.
Revo2Maxx
Site Admin
Posts: 5804
Joined: Sat Jun 15, 2019 3:05 pm

Post by Revo2Maxx »

Hello everyone. I was told this was the place for this, and maybe it will be corrected in the future. I want to start out by saying I personally don't like the idea of posting this information here, as I feel this is a security risk and software flaw, and I'm not sure how far back this goes. So I was told that we should never tell anyone what the admin password is (great idea), however we were also told not to show people the pattern either. To be honest, that seems a little bit messy. I mean, we're told not to leave your system online either. OK, someone comes in and you need to get to your system, so you have your friends or a family member behind you; now you have to stop and ask them to turn around so they don't see you put in your pattern. Crazy... Or maybe you're like me and have many PTZ cameras and would like the ability to see what is going on: click on a channel if you need to, PTZ, and go. However, now being told not to leave your system logged in, you have to put in a password (or a pattern, which would be smarter), then click channel, then PTZ, and then what you wanted to see is already gone.

So what is the flaw? Well, not having to put in a password to make a change in the device's security settings. So let me break this down. I come into a room and see a security system online. I know a good few of them and notice this is a Dahua, or Amcrest in this case, and I am like, oh well, I know how to work this. It is online already, and I go to the security area for the admin and I see there is no pattern set up, so they use a password. Going to keep this simple, lol. I had some really bad things written before and thought, nah, better not post that, so let's say something like this, lol. So you're leaving town for the week or weekend and asked your children not to have the town over, maybe 1 or 2 trusted kids you already know. However, your kid wants a boy or girl over that you have said they can't see, and knows the cameras in the back yard are on motion only, so you make a pattern that you will be using while your parents are gone so you can let your no-longer-allowed friend over. The parents don't have a pattern but have left the system on so you can keep an eye on things, and they thought it was secure because if the system goes off then the parents know. However, you make a pattern for you to turn off the system, let your friend sneak in, and turn the system back on using the pattern to log back in, then remove the pattern, and now when the parents return the system is still online, so no motion recorded of friends coming over... Anyway, you get the picture...

So yeah, with the system logged in, you can make a pattern without a password to confirm that it is wanted by the admin. Change the security questions (no password needed). Change the email to get a reset password code (no password needed)...

2116-HS, 4116E-HS, 4216E-AI, 4108E-HS, 7108-AI, and if I had to guess any other HS model and any with 4.0 software, this is going to be an issue... I mean, I can't even format my HDD on my 7108-AI DVR from Amcrest without putting in the password. Wait, WHAT?

https://youtu.be/Q0dGPqdQUuI Unlisted, just under 15 min video. I start by showing what should happen when someone wants to make changes to the security questions or change the email for password reset...

Don't leave your system on in the GUI or show anyone your pattern if you don't want a bad actor to hijack your system...

Be Safe
Happy Holidays.
Here to help the best I can.
Be Safe
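
The gap described in the post above, modeled as an added example (not part of the original post and not Amcrest or Dahua firmware code): an already logged-in GUI session changes recovery settings, once with only the disk format gated behind the password as the post reports, and once with every credential or recovery change gated. The `Recorder` class, operation names and password are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import os

# Operations named in the post (names are hypothetical labels for this model).
SENSITIVE = {"set_unlock_pattern", "set_security_questions",
             "set_reset_email", "format_hdd"}

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Recorder:
    """Hypothetical model of a recorder's local GUI session (assumption)."""
    def __init__(self, admin_password: str, gated: set):
        self._salt = os.urandom(16)
        self._pw = hash_password(admin_password, self._salt)
        self.gated = gated      # operations that demand the password again
        self.settings = {}
        self.audit = []         # (operation, outcome) kept for later review

    def _confirm(self, password) -> bool:
        # Constant-time comparison of the re-entered admin password.
        return password is not None and hmac.compare_digest(
            hash_password(password, self._salt), self._pw)

    def change(self, op: str, value, password=None) -> bool:
        """Apply a change requested from an already logged-in session."""
        if op in self.gated and not self._confirm(password):
            self.audit.append((op, "denied"))
            return False
        self.settings[op] = value
        self.audit.append((op, "applied"))
        return True

def ungated_operations(rec: Recorder) -> list:
    """Request each sensitive change with no password; list what went through."""
    return sorted(op for op in SENSITIVE if rec.change(op, "changed"))

# As reported in the post: only the HDD format asks for the password.
as_reported = Recorder("constructed-pw", gated={"format_hdd"})
# Hardened: pattern, security questions and reset email are gated as well.
hardened = Recorder("constructed-pw", gated=set(SENSITIVE))

if __name__ == "__main__":
    print("as reported:", ungated_operations(as_reported))
    print("hardened:   ", ungated_operations(hardened))
```

The `audit` list is the other half of the fix: even with re-authentication in place, a record of denied and applied changes lets the owner see that someone tried to alter the pattern or reset email while they were away.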