Note: Please, be aware that this post may contain affiliate links.
Yesterday, I emailed Floureon, as I was quite impressed with their CCTV kits, but their security was lacking. I was hoping to make them aware that the defaults of
Are no longer acceptable and a security risk for their users.
The reply I got is, to be honest, disappointing. This is probably down to a poor grasp of the English language by the person answering the email. By publishing this email exchange I hope to obtain a better answer from a social media representative.
Please note that emails have been formatted to make them better in this post.
From: John Evans<firstname.lastname@example.org>
Subject: Request for comment on security
Date: Sunday, 5 January 2020 23:04
I own and run a blog/website called HASSCASTS. It’s a site dedicated to Home Automation and Smart Homes.
As part of the recent security issues with SWANN; Wyze and now Xiaomi, I decided to do a series of posts in which I look at what services if any, my followers would be able to take back control off. An example would be moving away from a subscription cloud-based CCTV system, to a local-based DVR system.
I decided to carry out my assessment of CCTV manufacturers early, as that was the reason I started the series, conveniently named “off-the-grid”.
I have over 60 CCTV manufacturers to audit. I was most impressed with the products from Floureon and I think I was looking at the “8CH True 1080P XPOE Surveillance Kits with 4x HD 1080P XPOE Cameras Human Detection Intelligent Analysis 1TB HDD” on your website. I decided to download the user guide so that I could look into the interface and the quality of the instructions etc.
From there, I discovered that the initial user interface has a default of:
That is the reason, I am emailing you. As well as the set of default credentials, there are no instructions in the user guide on how to set a password, and so I would suggest that many users will not do this and will stick with the default username with no password. Perhaps thinking they are safe with the security offered by their router etc.
Please, could you tell me if Floureon:
- have any feedback that I can give my followers?
- have any plans to change the default credentials or offer an alternative authentication system?
- would Floureon at least consider putting in the user guide a notice that as soon as a user logs in, they should at least create a password?
I have seen several implementations of the initially on-boarding of CCTV systems, whilst I have been looking at other manufacturers, and I hope that Floureon would consider adopting a similar system to one of the others that are out there.
I thank you in advance for any reply you may send, and I hope to hear from you in the near future. I anticipate that the full CCTV system post will be available in 1 to 2 weeks. If you wish, I can contact you again, when the post goes live for your attention.
To: John Evans<email@example.com>
Subject: RE: Request for comment on security
Date: Monday, 6 January 2020 02:36
The DVR default username is admin , no password by default. When you first time login don’t need to enter any password just click OK to login.
After you login can enter user setting to create password by self.
<original email included in response>
Please could any representatives, take a look at this email exchange and try and re-answer the question? I feel that such a poor response, should not be the end of this support request, and I hope that highlighting the conversation in this way, will result in a more productive answer.