Author Topic: so what's the point of Flir login/password to access our own camera?  (Read 504 times)

Offline calel

  • Regular Contributor
  • *
  • Posts: 97
  • Country: ch
ok so can someone explain the reason why Flir engineers would put a password on the customer's own camera? (other than being complete aholes)

2nd question: how were those passwords found out: were they public (as in, disclosed by FLIR) in the first place (in which case I take back what I said) or did some hacker figure them out?

last question: if it's meant to be a true password to prevent customer from accessing their own cam, how come it's the same password for all cameras of same model? ie. why do all E4's have same password, instead of a different password for each serial number?  ???
 

Online Fraser

  • Super Contributor
  • ***
  • Posts: 10077
  • Country: gb
Re: so what's the point of Flir login/password to access our own camera?
« Reply #1 on: September 15, 2020, 10:30:38 pm »
Equipment capability lockdown passwords are an emotive subject.

In the case of the FLIR cameras I can explain the reasons behind the passwords.

The Ex series cameras were designed to use the identical hardware to make mass production simpler. The E4, E5, E6 and E8 are differentiated by cost and capabilities. The more you pay, the more capable the camera. The camera's capabilities are determined by the settings in the firmware configuration tables. The E4 is heavily hobbled to make it suitable for the budget end of the range at an attractive price point. The E8 has more functionality, higher resolution and lower noise and matches FLIR's need for a better performing camera that is still not as capable as the FLIR professional camera series. The E still has artificial noise injected to limit its sensitivity and not all functions found in the firmware are enabled. The E4 upgrade made people examine their professional FLIR cameras such as the Exx and Txxx series. It was found that FLIR set the performance in those ranges of cameras in the same way, via the configuration files.

So why did FLIR use a password on their cameras when access was attempted via FTP over IP ? Well why not ? The cameras are not open source and it is good practice to password protect an open port that provides access to a product's file system. The user would not be expected to have access to the camera's file system in normal use. FLIR likely wanted to stop people snooping around in their camera's file system as well... for obvious reasons !

FLIR have released the “flir” & “3vlig” login and password in technical documentation for other cameras. That login and password is best described as an “Engineering Password” that limits access to the file system to those with a need and the knowledge to not stuff up the camera ! Manufacturers do not want cameras returned to them or help desk calls after someone with a little knowledge bricks a camera and demands warranty support. That is just a fact of life.

FLIR actually dropped the ball on their security of the firmware. Due to the firmware being poorly protected, the truth behind the Ex, Exx and other camera series was revealed to the public. Do you think FLIR enjoyed that experience ? They should have better protected their firmware if they were going to use configuration file based camera hobbling. They tried to correct the error in later firmware versions but the damage was already done.

How do we find out passwords ? There are several ways to discover passwords and the difficulty often depends upon the purpose of the password, its format and the form it is stored in within an equipment. There is of course the ‘leak’ method where a tech for a company releases a password into the public domain. That can cost the tech their job though. There are many on this forum who know much more than me about password detection and circumvention. I find passwords through research. It is surprising how often I have discovered the engineering passwords commonly used by a particular manufacturer by looking at service bulletins and ICD’s. Remember, some passwords are intended to limit access to the camera's file system to those with a need and the knowledge to not brick the camera. As such sometimes the password is released in FAQ’s, Technical Bulletins or even answers to technical issues on a manufacturer's Customer Support page. When this approach fails, people resort to either attempting to guess common passwords (time consuming) or analysing the software/firmware looking for likely passwords or password subroutines that may be modified. But how do you access that data without the password ? You dump the contents of the camera's flash storage where the firmware resides, or in some cases look inside a firmware update package. A lot of password cracking comes from experience of doing such, inside information, good analysis tools and some luck ! It is often not easy ! If a product has a data link capability that would require file system access, it is sometimes possible to carry out a firmware update or other file system update and monitor the data link. Post event data analysis then allows the investigator to look for the initial ‘handshake’ routine between the equipment and host computer. Wireshark is one tool used in this process.

I think I already answered your last question but will make something clear. The camera you buy is your property. The software and firmware that runs in that hardware is subject to a EULA and, in some cases, that means you bought the camera, bought its functionality, but did not buy the software/firmware ! I will not get into the rights or wrongs of that situation but when a manufacturer provides you with everything that you paid for, can you really complain if the OEM does not give you full access to all the commercially sensitive contents of the file system and configuration ? The password is there to deter snooping into things that the user does not need to know and to reduce the risk of users fiddling with what they do not understand. The password is not a Government grade protection system and can be beaten if enough effort is put into it, as we have seen with the E4 upgrade.

Unless an equipment is covered by the Open Source platform type agreement, a user really has no right to the firmware content if the product performs as advertised.

That may not please some who read this, but it is the real World and those who manufacture products will defend their right to limit user access to what is needed and not what they might desire, but have not paid for.

Fraser
« Last Edit: September 15, 2020, 10:37:53 pm by Fraser »
Cogito, ergo sum
 

Online Bud

  • Super Contributor
  • ***
  • Posts: 4454
  • Country: ca
Re: so what's the point of Flir login/password to access our own camera?
« Reply #2 on: September 15, 2020, 10:59:48 pm »
Quote from: calel
> last question: if it's meant to be a true password to prevent customer from accessing their own cam, how come it's the same password for all cameras of same model? ie. why do all E4's have same password, instead of a different password for each serial number?  ???

The answer is passwords are for maintenance/repair service. How do you expect a service center that receives, say, a hundred cameras each day for maintenance/repair to manage camera specific passwords? Should the repair technicians spend time to look up the passwords in some database? Who will maintain the database, pay license fee for it, who will support the database server, who will administer the database, who will patch vulnerabilities, manage the hardware lifecycle, who will maintain the proper information in the database, etc. The E4 already has camera specific encryption keys.
Facebook-free life and Rigol-free shack.
 

Offline calel

  • Regular Contributor
  • *
  • Posts: 97
  • Country: ch
Re: so what's the point of Flir login/password to access our own camera?
« Reply #3 on: September 15, 2020, 11:09:37 pm »
ok thx that clears things up I guess  ^-^

btw does that mean even the e8 itself had its own limitations? (you mentioned noise in the e8)
so Fubar's hack makes the e4 even better than a non-modified e8? ???


Quote from: Bud
> The answer is passwords are for maintenance/repair service. How do you expect a service center that receives, say, a hundred cameras each day for maintenance/repair, how you expect them to manage camera specific passwords?

easy: there could be a direct correspondence between serial number & password (only the flir techies would know the formula of course)

also fraser mentioned how it would be possible to access the camera's data directly without password by dumping the entire firmware then analyzing it - so that implies the firmware itself is not encrypted?
« Last Edit: September 15, 2020, 11:33:01 pm by calel »
 

Online Fraser

  • Super Contributor
  • ***
  • Posts: 10077
  • Country: gb
Re: so what's the point of Flir login/password to access our own camera?
« Reply #4 on: September 15, 2020, 11:29:23 pm »
The Ex series hack is amazing for a good reason.... I will explain....

FLIR have elected to use the same design of firmware across several RANGES of thermal camera. This means the Ex series firmware basically looks the same as that found on the Exx series, Bxxx and Txxx cameras. You cannot load Txxx firmware onto an Ex camera though. What you discover when looking at the Ex series camera's firmware is that there is functionality within it that is normally only found on the much more expensive cameras from the Exx, Bxxx and Txxx series. Then when you look at the settings within the configuration files that are in plain text, you see “False” next to these more advanced entries. It is no surprise that forum members experimented by setting these features to “True”. The result was the appearance of features present on the E8 and some that were only found on the Exx, Bxxx and Txxx cameras. Some features had to be configured but copies of higher end cameras' configuration files helped with that. Some features that require a touch screen were not useful as the Ex series does not have a touch screen and there are features that many users will never use in daily life. ‘We’ on this forum tended to just enable everything though  ;D Clever chaps like Bud have continued to add functionality to upgraded cameras. It has been possible to make the Upgraded E4 far better equipped than the Standard E8 so users of the E8 also see benefit from the upgrade ! And yes, the artificial noise generator is switched on and producing noise on the standard E8 to prevent it competing too well against the more expensive Exx range. I forget the value of noise injection, but it was significant considering the camera's price point. The true sensitivity of the Ex series without the artificial noise injection is likely 35 to 40mK so when you look at the different models and see a figure of over 100mK, all that extra noise is thanks to the artificial noise generator.
The upgrade switches off the artificial noise generator by setting its entry in the configuration file to “False”. It is also possible to reduce the injected noise to 0mK but better to kill the darned thing in most people’s opinion.

Hope this helps

Fraser
Cogito, ergo sum
 

Offline calel

  • Regular Contributor
  • *
  • Posts: 97
  • Country: ch
Re: so what's the point of Flir login/password to access our own camera?
« Reply #5 on: September 15, 2020, 11:38:13 pm »
damn...true sabotage then. like selling a window with crumpled cellophane pasted on top of it. bless those who discovered the hack

you said an upgraded e4 can be a lot better than standard e8 (including Fubar's upgrade for the 2.3.0 version?), other than the noise switched off, what are those features you were thinking about?

personally I applied Fubar's resolution hack then his menu hack
it was a 2.3.0 cam btw. any other upgrades I could be missing out on?
 

Offline negative_feedback

  • Contributor
  • Posts: 18
  • Country: cs
 

Online agiorgitis

  • Contributor
  • Posts: 31
  • Country: 00
Re: so what's the point of Flir login/password to access our own camera?
« Reply #7 on: October 07, 2020, 04:24:55 am »
Quote from: calel
> easy: there could be a direct correspondence between serial number & password (only the flir techies would know the formula of course)

Provide a hacker with some serial-password pairs and next day you have a keygen.
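
The serial-to-password idea debated in this exchange, as an added example that is not part of the thread and not FLIR's code: the password is derived from the serial with a keyed MAC instead of a bare formula, and the device stores only a salted hash of its own password, so neither observed serial/password pairs nor a flash dump expose the derivation key. The key, serial numbers and function names are hypothetical and constructed for this sketch.

```python
import base64
import hashlib
import hmac
import secrets

# Hypothetical service-centre secret (constructed value); it never ships on a device.
MASTER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
PBKDF2_ROUNDS = 100_000


def derive_password(master_key: bytes, serial: str) -> str:
    """Service side: recompute a device's password from its serial number."""
    mac = hmac.new(master_key, b"svc-pw-v1|" + serial.encode(), hashlib.sha256)
    # Keep 80 bits of the MAC, printed as 16 base32 characters.
    return base64.b32encode(mac.digest()[:10]).decode().lower()


def provision(master_key: bytes, serial: str) -> dict:
    """Factory: build the record written to the device (salt and slow hash only)."""
    salt = secrets.token_bytes(16)
    password = derive_password(master_key, serial)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"serial": serial, "salt": salt, "hash": digest}


def device_check(record: dict, candidate: str) -> bool:
    """Device side: verify a login attempt without knowing the master key."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), record["salt"], PBKDF2_ROUNDS
    )
    return hmac.compare_digest(digest, record["hash"])


if __name__ == "__main__":
    record = provision(MASTER_KEY, "63900001")  # constructed serial
    print(device_check(record, derive_password(MASTER_KEY, "63900001")))  # own password
    print(device_check(record, derive_password(MASTER_KEY, "63900002")))  # another unit's
```

The technician needs no database lookup, only the serial and access to the key, which is the operational concern raised earlier in the thread; the cost moves to protecting that one key.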
 

Offline james_s

  • Super Contributor
  • ***
  • Posts: 13082
  • Country: us
Re: so what's the point of Flir login/password to access our own camera?
« Reply #8 on: October 07, 2020, 04:42:30 am »
Quote from: calel
> damn...true sabotage then. like selling a window with crumpled cellophane pasted on top of it. bless those who discovered the hack
>
> you said an upgraded e4 can be a lot better than standard e8 (including Fubar's upgrade for the 2.3.0 version?), other than the noise switched off, what are those features you were thinking about?
>
> personally I applied Fubar's resolution hack then his menu hack
> it was a 2.3.0 cam btw. any other upgrades I could be missing out on?

This is very common, there are quite a few oscilloscopes for example where the low and high end of a series are identical hardware. On one hand it's annoying that devices are crippled, but on the other hand it's wonderful to be able to unlock additional capabilities on an affordable device.
 

