Gjoko Krstic, a cybersecurity specialist at Zero Science Labs, has discovered secret hard-coded accounts in thermal security cameras manufactured by FLIR Systems, one of the largest vendors of such products.
According to Krstic, the backdoor accounts "are never exposed to the end-user and cannot be changed through any normal operation of the camera."
Multiple product series affected
The hard-coded credentials affect the following FLIR thermal camera series:
FC-Series S (FC-334-NTSC)
PT-Series (PT-334 200562)
Depending on the version of the FLIR camera, an attacker can gain access to the device through different username-password combinations.
In addition to secret backdoor accounts, Krstic has also discovered four vulnerabilities.
No response from FLIR
The expert reported the flaws to FLIR via Beyond Security's managed disclosure program, but neither he nor Beyond Security received a response from FLIR.
FLIR is a very popular brand for security cameras. The company's thermal cameras are standard IP-based security cameras with the extra feature of being able to function in thermal mode during the night.