CVE-2015-2882 in In.Sight B120-37

Summary

by MITRE

Philips In.Sight B120/37 has a password of b120root for the backdoor root account, a password of /ADMIN/ for the backdoor admin account, a password of merlin for the backdoor mg3500 account, a password of M100-4674448 for the backdoor user account, and a password of M100-4674448 for the backdoor admin account.


Analysis

by VulDB Data Team • 08/27/2020

The Philips In.Sight B120/37 video surveillance device presents a critical security vulnerability through the presence of multiple hard-coded backdoor accounts with weak and predictable passwords. This vulnerability falls under the category of hardcoded credentials, which represents a fundamental flaw in the device's security architecture and directly violates security best practices established by industry standards such as CWE-259 and CWE-798. The device ships with multiple accounts that are accessible through default credentials, creating an inherent security risk that persists throughout the device's operational lifetime without proper authentication mechanisms.

The technical implementation of this vulnerability involves the inclusion of several backdoor accounts with specific password values that are easily discoverable through public research and vulnerability databases. The root account uses the password b120root, the admin account utilizes /ADMIN/, the mg3500 account employs merlin, while both user and admin accounts share the password M100-4674448. This configuration creates a multi-vector attack surface where an attacker can potentially gain administrative access through any of these accounts, significantly reducing the effective security posture of the surveillance system. The use of predictable and simple passwords demonstrates a clear lack of security awareness during the device's development lifecycle.

The operational impact of this vulnerability extends beyond simple unauthorized access, as it enables full administrative control over the surveillance system. Attackers can manipulate video feeds, modify system configurations, disable security features, and potentially exfiltrate sensitive data from the surveillance network. This vulnerability directly maps to the attack pattern described in the MITRE ATT&CK framework under initial access and privilege escalation techniques, where adversaries can leverage default credentials to establish persistent access to networked devices. The presence of multiple backdoor accounts increases the probability of successful compromise and provides attackers with alternative access paths when one account is discovered and secured.

Organizations deploying Philips In.Sight B120/37 devices face significant risk from this vulnerability, particularly in environments where physical security is paramount and surveillance systems are critical infrastructure components. The vulnerability affects the device's integrity and confidentiality properties, as unauthorized access can lead to complete system compromise and potential data breaches. Network segmentation and access controls cannot adequately protect against this threat since the backdoor accounts are accessible through the device's default configuration. Remediation efforts must include immediate account disabling, password changes, and potentially firmware updates from Philips to address the hardcoded credential issue. The vulnerability also highlights the importance of secure development practices and the need for regular security assessments of networked devices to prevent similar issues in future deployments.

Reservation: 04/03/2015

Disclosure: 04/09/2017

Moderation: accepted

Entry: VDB-99477

CPE: ready

EPSS: 0.00991

KEV: no

Activities: very low
