Securing remote access in Milestone XProtect Essential and Express

May 24th, 2017 by Paul Sandford

Milestone has changed their practice of using a default user and password in their entry-level XProtect products, Essential and Express.

This is in response to a security vulnerability that relates to customers who have enabled remote access via the mobile server on these variants of their video management system (VMS) software.

This issue only affects:

• XProtect Essential 2.0a to 2017 R1
• XProtect Express 1.0a to 2017 R1

No versions of Expert or Corporate are affected and none of the Husky NVRs are affected either. Professional and Enterprise (now discontinued) are only affected if they were upgraded from the entry-level products noted above.

The following recommended action has been circulated by Milestone to help users ensure their system is secured. Users can mitigate the issue in two ways:

• Through update: Update the installation to the 2017 R2 version of the products available June 8th 2017. None of the XProtect 2017 R2 products will have this issue.
• Instantly: Right-click on the user “admin” and select either “Delete User” or “Properties –> User Information” to change the password.

How did this happen?

Milestone work hard to make their products easy to use – it’s one of the reasons XProtect is our go-to VMS. When Milestone initially designed the installation/upgrade process, a default basic user with a default password was added, simply because it helped the user get up and running more easily. Unfortunately, this practice potentially allows unauthorised people to access camera feeds if the user is not deleted or the password changed afterwards. Milestone realised this was the case and has now stopped this practice as of XProtect version 2017 R2.

This is positive action and we’re pleased to see Milestone has addressed the issue and circulated a notice to users.

“People who have installed Milestone and are using the mobile server for any of these affected versions should either upgrade right away or turn off any external access to the system in their firewall until an upgrade can be performed. The risks involved are limited to data protection issues and we know of no cyber security risks exposed by this notice from Milestone.

As with any network device default passwords should always be changed to strong and secure passwords. This remains the case for video management systems as much as for network cameras and other security-related devices.”

Kevin Bowyer, Technical Director at NW Systems Group

Network Webcams customers benefit from free technical support, so if you need further advice about your version of XProtect and this security vulnerability, you can contact us via our helpdesk.