Monday, January 5, 2015

ZModo SPoE IP NVR ZP-NE14-S, not exactly secure

For various reasons I found myself in need of some outdoor surveillance recording: places too far for reliable wifi, and with no power, but where I could run gel-filled cat6 back to a place with power. That got me looking at power-over-ethernet systems, and I ended up with a Zmodo 4-channel system. I had some spare drives lying around, so I got the naked (no-drive) version.

It's cheap, and it works well enough, I guess. The software is awkward on first encounter, but I'm sure I'll figure it out eventually. The device discovery that works in the host application doesn't work from a phone, so you need to enter things by hand. Awkward, but workable.

It is not very secure, which means it is not secure. So I probably won't punch holes in my firewalls to allow remote access. And it should be on its own network, without access to everything else.

Here are a few things that hit you in the face right away.
  1. All communication uses unencrypted plain-old HTTP, including the administrative login to both the recorder and the cameras. This means that anyone who can sniff traffic on the network can plunder the admin passwords with little difficulty.
  2. The ZViewer application installs in such a way that, on current versions of Windows, UAC asks you for permission to run it as an Administrator on every startup. I see no reason why a remote-video viewing application should need Administrative permissions on my Windows computer.
  3. The support is what you expect from a cheap consumer device.
Being the sort that I am, I tried asking their support about these. The first answer I got back was marginally informative. (1) No SSL, sorry. "You can keep your network secure by changing your username and passwords from defaults and not giving out the information." (2) It's not us, it's Microsoft: "The program itself is not asking you to run it in admin, windows is."

My reply to that was admittedly pointed:
If Windows is asking, it is because the zviewer installation process is requiring it to ask. Why does your software install requiring admin permissions on the windows host? This should not be necessary, I don't think.
I understand the TLS/SSL thing. Your suggestion to change passwords and not tell anyone is quaint, and we could not get away with that in our software. I now understand your product is fundamentally insecure and requires a secure network.
To which I got:

Alright,
Have a great day.
Which doesn't exactly answer the question about why admin privilege is needed to run the viewer. I've sent a follow-up about that; we'll see.

I'm sure I've been marked PITA in their support database.   I'd say they are defensive, with much to be defensive about.
