Floureon Security Policy

Part of the Off the Grid series

Yesterday, I emailed Floureon, as I was quite impressed with their CCTV kits, but their security was lacking. I was hoping to make them aware that the defaults of
username: admin
password:

are no longer acceptable and are a security risk for their users.

The reply I got is, to be honest, disappointing. This is probably down to a poor grasp of the English language by the person answering the email. By publishing this email exchange I hope to obtain a better answer from a social media representative.

Please note that emails have been formatted to make them better in this post.


From: John Evans <john@hasscasts.com>
To: support@floureon.com <support@floureon.com>
Subject: Request for comment on security
Date: Sunday, 5 January 2020 23:04

Hi,
I own and run a blog/website called HASSCASTS. It’s a site dedicated to Home Automation and Smart Homes.

As part of the recent security issues with SWANN, Wyze and now Xiaomi, I decided to do a series of posts in which I look at what services, if any, my followers would be able to take back control of. An example would be moving away from a subscription cloud-based CCTV system to a local-based DVR system.

I decided to carry out my assessment of CCTV manufacturers early, as that was the reason I started the series, conveniently named “off-the-grid”.

I have over 60 CCTV manufacturers to audit. I was most impressed with the products from Floureon and I think I was looking at the “8CH True 1080P XPOE Surveillance Kits with 4x HD 1080P XPOE Cameras Human Detection Intelligent Analysis 1TB HDD” on your website. I decided to download the user guide so that I could look into the interface and the quality of the instructions etc.

From there, I discovered that the initial user interface has a default of:
user: “admin”
password: <blank>

That is the reason I am emailing you. As well as the set of default credentials, there are no instructions in the user guide on how to set a password, and so I would suggest that many users will not do this and will stick with the default username with no password. Perhaps thinking they are safe with the security offered by their router etc.

Please, could you tell me if Floureon:

  1. have any feedback that I can give my followers?
  2. have any plans to change the default credentials or offer an alternative authentication system?
  3. would Floureon at least consider putting in the user guide a notice that as soon as a user logs in, they should at least create a password?

I have seen several implementations of the initial on-boarding of CCTV systems whilst I have been looking at other manufacturers, and I hope that Floureon would consider adopting a similar system to one of the others that are out there.

I thank you in advance for any reply you may send, and I hope to hear from you in the near future. I anticipate that the full CCTV system post will be available in 1 to 2 weeks. If you wish, I can contact you again, when the post goes live for your attention.

Thanks, again
John Evans
HASSCASTS
john@hasscasts.com
http://hasscasts.com


From: support@floureon.com <support@floureon.com>
To: John Evans <john@hasscasts.com>
Subject: RE: Request for comment on security
Date: Monday, 6 January 2020 02:36

Dear Customer

The DVR default username is admin , no password by default. When you first time login don’t need to enter any password just click OK to login.
After you login can enter user setting to create password by self.
Best regards

<original email included in response>


Please could any representatives take a look at this email exchange and try to re-answer the question? I feel that such a poor response should not be the end of this support request, and I hope that highlighting the conversation in this way will result in a more productive answer.

Grandadevans

I am a disabled veteran of 3 tours of Iraq and a tour of Afghanistan as part of the British Army. No longer able to work as I have to lay down on a sofa-bed in my living room 20-ish hours a day. I'm hoping to be able to make a living blogging about my Home Automation /Smart Home journey and maybe regain some dignity in life.

2 thoughts on “Floureon Security Policy”

  • January 7, 2020 at 13:18

    I agree – manu. should be making password changes mandatory and also include a way to reset this via a h/w switch inside the unit (I’ve seen too many that are locked out as the person who set the password has left…).

    Also on a similar subject – I do not trust these units not to phone home. My cameras are all blocked from accessing the internet by a firewall script on my router – unfortunately I couldn’t do VLANs & ACLs with my home kit and am too tight to change it! 🙂

    • January 7, 2020 at 21:24

      Hi, Michael
      When I do the router page for the Off the grid series, one of the things that MUST be present is some way of isolating items. I know that my Router has a guest Wifi that doesn’t allow guest Wifi users to talk to each other. It also has the ability to apply different profiles to devices, including isolating them from accessing the internet.

      I agree that trust is a major issue with providers, and it is one thing that would aid the selection of manufacturer/provider massively.

      Thanks again for the comment and your continued support
