My Problems with QSee QR-414 DVR Package

[Liber8or 0]

I ordered a QSee QR414-411-3 (4 Channel H.264 Network DVR CIF Real Time or D1 Recording w/ 4 Color CMOS Cameras and 320GB Hard Drive) from Amazon.com. The product details are located at http://q-see.com/products/security-product.php?ProductId=256 Perhaps I got started on a bad note with this product because FedEx delivered it to my neighbor, despite correct address information?

 

 

Upon opening the box, which was clearly labeled as containing two wide-angle and two narrow-angle cameras, I discovered they had included the wrong kit. Instead of getting four cameras, a four-way power splitter and four power/video cables, I received two cameras, two ridiculous decoy cameras, a two-way power splitter and two power/video cables. Naturally, Murphy ensured it is Saturday (they are not open) and that they don't open until 12 PM on Monday (my time). I'm sure this problem will be rectified; everyone makes mistakes, right?

 

The DVR was easy to setup. The firmware is not overly impressive, but seems to be about what I expected. The camera quality is average, about what I expected, and I can live with it. I'm not trying to build the perfect system, just an affordable system.

 

Minor annoyance: the USB-mouse is not recognized after the DVR reboots, so you have to physically unplug the USB connection and plug it back in for it to put the cursor back on the screen.

 

Getting the web viewer working was tricky, although the manual's instructions were correct. It only runs in Internet Explorer and is .cab file-based. It makes heavy use of ActiveX (the same .ocx components are used in the web platform as well as the "installed" version). As a heavy Chrome user, this is a problem for me. It also means that monitoring my home is not as simple as pulling up "any ol' browser" and logging in. If I have to change 1,000 ActiveX trust settings, it's not going to be pretty.

 

Luckily, the iPhone application worked pretty well, after I completely disregarded the printed materials and read the firmware upgrade page on the Q-See website. The paperwork said to download "APlayer," which crashed everytime it connected to the DVR. Finally, I saw the website's notice and downloaded the correct app, which worked quite well:

 

After updating the firmware on the DVR to this version you will need to use a different program to access your DVR from your mobile phone. iPhone: Download Asee from the iTunes app store.

 

Finally, turning on the web viewer password controls, I couldn't log in to the admin portion of the web interface. I determined it was my fault, because I enabled the password settings before actually setting a password that was known to me.

 

At first I thought, "Well, I'll just have to reset the DVR using the box, thereby losing all my settings." That was acceptable because I hadn't customized much. So, before I did that, I decided to search the PDF manual for the word password, just in case I missed something about resetting the password(s). Then, I came across this jewel in the publicly accessible PDF manual for this DVR:

 

Q: I have changed the password but do not remember the new password. How can I access the system? A: If you forget the system password, enter 519070 into the password field to reset the password.

 

This works from the console and the web viewer. Am I the only person who finds this an egregious problem? Perhaps I'm missing a method for turning off this huge exploit? It would seem that right now, if someone knows my IP address, or happens to port scan for the open port (thank God I didn't use port 80 as they suggested), they can see and control my cameras (it gives admin access).

 

The password exploit problem is enough to cause me to return this unit. It's the last straw in what I see as a poorly thrown-together CCTV solution. Fundamentally, I can't help but wonder what kind of vulnerabilities might be present in the system if they intentionally created something like that. If the password reset was hardware-based I'd understand, as one can somewhat limit the physical access to the box and there probably should be some way to reset the password (especially with a consumer model).

[rory 0]

Regarding the password, that is probably only for local access, not over the network. If you go into the user setup it may show if it is a built in local admin account or other. The DVR i have here for example has a default admin password but its only for local access. Also at the price I found online that is probably their rock bottom system so cant expect much from it. One of their better 4 channel DVRs for example costs that price alone plus the cameras and accessories, and that DVR is still considered a basic consumer DVR in the security world.

[Liber8or 0]

Using the IE interface from my computer at work and a computer at a friend's home, I am able to log in to the DVR using the default admin password. Neither are local to my network, nor have accessed the interface before using the passwords I established. So, it would seem it's not for local access only.

 

I also have not been able to locate instructions for disabling the "default" password.

 

EDIT: It's probably poor form for me to refer to this as the "default admin password," because I changed that. I also changed the default user password, as well as the mobile password. I'm referring to something more powerful; a built-in backdoor "god" password that I cannot turn off and works from anywhere.

[bpzle 0]

Thanks for posting this.

 

Any idea what, if anything you'll get to replace the system?

[Liber8or 0]

I'll probably wait until Monday to give them a chance to explain or clear up the issue if it's user error. If the password issue cannot be resolved, I'll start seriously looking at other models.

 

I don't want to give the impression that I am expecting too much from a consumer grade model. I don't expect ultra-fine recording quality or zero problems. I do however expect to receive what I ordered, have the documentation match the product and not have my system open to the world through a back door.

 

I tend to compare this experience with my GE Concord security system. Surely there are better, more expensive, panels. However, I installed that myself, with almost zero help from SafeMart. The documentation GE provides is wonderful and complete. Also, if you break into my home, there is not a single master code that can be used to reset my alarm panel, nor through the web interface.

 

I think Q-See could go a long way in the market by hiring a consultant to rewrite their documentation (i.e. write it in native English), redesign their user interfaces, and provide a consistent approach to documentation across the board (think strategic product experience). Consumers expect this of all vendors now, not just high-end products.

 

Here's an example of what I mean... have a look at the diagram on page 4 (actual PDF page 8 ) of this manual. Item#8 on that page is the strangest looking USB connection I've ever seen! I wonder if the USB-IF knows about that one?

 

http://q-see.com/files/manuals/QR414-ManualWeb.pdf

[cglaeser 0]

Also, if you break into my home, there is not a single master code that can be used to reset my alarm panel, nor through the web interface.

 

Or more accurately, you don't know a single master code. Even if the developers did not intentionally design a single master code, security holes are discovered in various products all the time.

 

Best,

Christopher

[Liber8or 0]

Or more accurately, you don't know a single master code. Even if the developers did not intentionally design a single master code, security holes are discovered in various products all the time.

 

Fair enough. But at least in that case it's not intentional and published in the manual for the device.

[rory 0]

I tend to compare this experience with my GE Concord security system. Surely there are better, more expensive, panels. However, I installed that myself, with almost zero help from SafeMart. The documentation GE provides is wonderful and complete. Also, if you break into my home, there is not a single master code that can be used to reset my alarm panel, nor through the web interface.

No, but one could just cut the phone line or jam the radio if it has one, or pull the plug and disconnect the battery, and ofcourse kill the siren

 

But yeah its a really basic DVR, there are much worse DVRs out there for even more money.

 

Would I buy it? Heck no!! Also I wouldbt buy the GE Concord system either, much better products out there for that as well

[Kablooie 0]

If you forget the system password, enter 519070 into the password field to reset the password.

I can confirm that this works. I have a client who purchased a couple of the QR414 models as a timelapse VCR replacement and I just logged into them using 519070. At least I had the presence of mind to change the default port numbers when I set these systems up for him.

 

In another thread someone posted that they had an 8 channel Q-See DVR and when he called support they were able to logon without asking for a password. I thought maybe either the admin or user password was not changed. This clearly shows I was wrong.

 

The QR414 sells for $99 w/o cameras or hard drive. You get what you pay for. However I will say that recorded video is pretty decent with the D1/Normal setting. This setting records at 7fps. With a 1TB hard drive w/ 4 cameras I'm seeing it retains from 6-7 weeks of video.

[Soundy 1]

Getting the web viewer working was tricky, although the manual's instructions were correct. It only runs in Internet Explorer and is .cab file-based. It makes heavy use of ActiveX (the same .ocx components are used in the web platform as well as the "installed" version). As a heavy Chrome user, this is a problem for me.

https://chrome.google.com/extensions/search?itemlang=&hl=en&q=ietab

[Liber8or 0]

https://chrome.google.com/extensions/search?itemlang=&hl=en&q=ietab

 

Not a real solution for me, but an OK hack, I guess. If I want my browser to process things like the worst browser in the world, then I'll just go ahead and use the worst browser in the world.

[Liber8or 0]

I've contacted the Q-See technical support line and the customer service line. The technical support representative was very kind and acknowledged that the firmware running on the QR414 doesn't support disabling the "god" password. He didn't think there would be another firmware upgrade to add that feature. He suggested, as I suspected they would, to run the system on a port other than 80. He acknowledged its a problem, but he's probably right about someone needing to be very determined to find my system and log in. However, that's not good enough for me, but I appreciate his understanding attitude.

 

So, I spoke with customer service regarding the two missing cameras (I received two decoys in place of two of the four cameras I was supposed to get). She acknowledged that I could take care of that through an RMA with Q-See, but that if I wanted to return the product all together I should approach that through Amazon. Amazon was helpful and issued a RMA label for the product. I'll be shipping it off tonight, if I have the time.

 

I decided to browse some other options available in stores locally. I found that CompUSA offers a very similar product (made by NightOwl) for about the same price. In fact, it seemed eerily "all too similar." After visiting their website and seeing some screenshots, I was able to determine (with reasonable certainty) that NightOwl is using the same Chinese firmware that is causing my instant problem. I'm on my lunch break right now, so I don't have time to do a whole lot of research right now.

 

It's back to the drawing board. So, CCTV pros, what to do now? Any suggestions on an affordable home CCTV option that works natively with any browser and doesn't have a backdoor exploit?

[rory 0]

finding a "cheap" DVR that doesnt use ActiveX in a browser is next to impossible.

However the Dahua DVRs do have a Mac version of their Windows Client software.

Dahua is sold under some names such as Intellicam in the US.

In fact the Q-see on the other thread, the review, is the same DVR.

sample screenshots: http://www.bahamassecurity.com/gallery/?DVR-Dahua

(DVR case looks different as its a different US distributor)

 

Personally I never use a web browser to watch live video, will never have the same power as a client app.

[cglaeser 0]

Personally I never use a web browser to watch live video, will never have the same power as a client app.

 

The difference between using a web browser and a client app can be even more compelling on a smart phone. The problem is many consumers want everything for free. Exacq mobile is excellent, whereas using a smart phone web browser to view an Exacq server is pretty much just a novelty. At $49, I consider Exacq mobile to be a reasonable deal, but some consumers squeal like a stuck pig.

 

Best,

Christopher

[Liber8or 0]

If you are willing to share, what would you consider the next step up from these entry-level systems (i.e. the next price point and maybe some example system models)? Perhaps the next price point contains some models with the feature set I desire?

 

By the way, what don't you like about the GE Concord alarm panel? It seemed pretty robust to me, as a layman. I'm always interested in alternative views on products I own.

[bpzle 0]

Any suggestions on an affordable home CCTV option that works natively with any browser and doesn't have a backdoor exploit?

 

Yup. PM sent.

[rory 0]

Personally I never use a web browser to watch live video, will never have the same power as a client app.

 

The difference between using a web browser and a client app can be even more compelling on a smart phone. The problem is many consumers want everything for free. Exacq mobile is excellent, whereas using a smart phone web browser to view an Exacq server is pretty much just a novelty. At $49, I consider Exacq mobile to be a reasonable deal, but some consumers squeal like a stuck pig.

 

Best,

Christopher

Mobile phones are even more limited .. I dont use those either.

[rory 0]

If you are willing to share, what would you consider the next step up from these entry-level systems (i.e. the next price point and maybe some example system models)? Perhaps the next price point contains some models with the feature set I desire?

Actually most of the bigger name DVRs dont have much more features in many cases, you would need to step up alot more $$$$ to really make a difference unless you want to go PC based. But as mentioned that Dahua has features your even more basic one doesnt.

[enoxos 0]

Any suggestions on an affordable home CCTV option that works natively with any browser and doesn't have a backdoor exploit?

 

Yup. PM sent.

looking for the same thing as well.

 

having the same problem

[enoxos 0]

having the same issue but with a different model from Q-see and hence a different reset password.

 

I am trying to disapher the firmware and see if it is possible to change it. If it encoded on the BIOS, then it is a whole another story.

 

Any body with any experience tweaking firmware? lol

[rory 0]

Any body with any experience tweaking firmware? lol

Yeah, normally what I do is sell the device and buy another one, saves on labour charges

[Liber8or 0]

If you've been following this thread, check out my experience with the new Samsung unit I purchased to replace the QR414, which I've returned.

 

http://www.cctvforum.com/viewtopic.php?f=56&t=23530

[Securame 0]

Allow me to bring back this old thread to the present, since it seems that this is news now:

http://www.csoonline.com/article/3034284/security/hard-coded-password-exposes-up-to-46000-video-surveillance-dvrs-to-hacking.html

 

After more than 5 years...