Gjoko Krstic, a security researcher with Zero Science Labs, has discovered secret hard-coded accounts in thermal security cameras manufactured by FLIR Systems, Inc., one of the largest vendor of such products.
According to Krstic, the backdoor accounts "are never exposed to the end-user and cannot be changed through any normal operation of the camera."
The hard-coded credentials affect the following FLIR thermal camera series:
Depending on the FLIR camera version, the following username-password combos will grant an attacker access over the device.
Besides the secret backdoors, Krstic also found four other vulnerabilities:
The researcher reported the vulnerabilities to FLIR, via the Beyond Security's managed disclosure program, but neither he or Beyond Security received a response from FLIR regarding the issues.
Two days ago, Depth Security also published research on other vulnerabilities in FLIR products the company failed to patch.
There are several ways that FLIR customers can protect themselves. The easiest one is to prevent access to these cameras from the Internet by placing the devices behind a firewall until the vendor issues a patch.
UPDATE [October 17, 15:35 ET]: FLIR has told Bleeping Computer that it issued security updates for the flaws reported above. Customers can download the firmware updates and installation instructions from this page.
FLIR is a well-known brand for security cameras. Its thermal cameras are nothing more than regular IP-based security cameras with the extra feature of being able to function in thermal mode during night time.
FLIR's thermal camera imaging capabilities have been recently used to film the "Walk On Water" music video by famous rock band 30 Seconds to Mars.