My organization installed a bit of cheap security in the form of a Lorex DVR, model LHV1008. It includes multiple cameras and some pretty decent features. Unfortunately, the excellent feature set is cloaked in a mountain of strange and buggy software.
It includes a locally accessible interface, a completely different web interface served directly from the box, and PC, Mac, Android, and iOS applications that will automatically connect directly via local network or via FLIR’s relay service. (Apparently FLIR owns Lorex, or something of that nature.) It also has a plain old RS232 terminal interface that I have not used. That’s a lot of distinct interfaces, and I’m sure many of them are full of security holes. Because of this, I opted to keep our device behind a firewall, although I wish it were hardened enough to put on a public IP.
Unfortunately, the web client doesn’t play well with modern version of Firefox, and it also doesn’t include one very important feature: synced playback. When viewing three cameras in a cluster, all covering multiple angles, it’s maddeningly confusing to have all three playing back independently. To get this feature, I had to download and use the FLIR Cloud Client for Windows, which includes the elusive sync lock button.
The catch: FLIRCloudClient requires administrator privileges to run! This is a problem for organizations like mine that don’t let average users run as administrator (which is a very good practice). I “solved” this by using a hex editor (HxD) to change the internal manifest of FLIRCloudClient.exe to stop the UAC prompt. To do this yourself, just search for requireAdministrator in the file and replace all instances with asInvoker. Overtype the original string and pad the remaining characters with spaces (hex 20). Tada! It works just fine. I don’t know why they requested administrator to begin with, but this application has all sort of Visual Studio development cruft included, such as debug manifests, pdb files, and 171 dll’s, so I’m not going to think too hard about the why.
UPDATE 7/22/15
I discovered today that the FLIR Cloud Client seems unable to connect to the camera without administrator privileges. Perhaps they are required to open a network port? I will keep messing with it.
Another significant problem: Lorex will reset the ‘admin’ account for the DVR for anyone who calls. They don’t do this via network access; they appear to generate an override password based on today’s date. When I called to have it reset, they asked me for contact information and then gave me three different numeric passwords to try. While no organization needing seriously high security would rely heavily on this device, or would at least physically secure it, it’s bothersome that anyone can get into it so easily. Another security problem is that all user passwords must be exactly six characters.
Overall, this device provides great bang for buck, and the quality is quite good, even at night. I greatly appreciate the motion sensing regions that I can “paint” over onto a camera image that allow me to ignore a few plants that wave in the breeze. Also, the free video relay service is a significant help for devices behind firewalls.
bendodge's Weblog 