Thursday, 24 January 2013

Setup Guide / Walkthrough of Tenvis JPT3815W 2013 IP Camera

UPDATE - 2014-06-30

I will leave the rest of this review intact for posterity, but please read this warning before purchasing. 

Given the seriousness of this vulnerability, I would strongly recommend against buying this camera, or any others from Tenvis. 

Not until the company can prove they know how to build secure products and care about their users.

Please read this warning very closely if you already own this model, or any Tenvis camera.

Tenvis JPT3815W 2013

The Camera

Tenvis are a Chinese manufacturer whose product line includes IP Cameras, such as the model JPT3815W 2013 featured in this setup guide. Available to purchase online, this serves the budget-end of the IP Camera market. In fact, this camera currently has a selling price of less than £40. Tenvis offer a Global User Experience Improvement Program, which offers a free camera in return for writing guides to help other users. This camera was received through such a program.


However, any opinions expressed about the camera (good and bad) are entirely my own.

I became a member of the improvement program when I reported a security vulnerability to the company. They responded by thanking me for my report, and informed me they would work to fix the vulnerability immediately.

Read on for the full setup guide and review.


Like all good setup guides, we shall start with the unboxing.

Box shows white camera on one side, black on the other

Seems I got the black one

Infrared LEDs for night vision

A speaker? Looks like one but no mention of a speaker anywhere!


The Setup

When evaluating the ease of installing and configuring a device, I always apply the mother test: could my mother do it?

Setting up these devices reminds me of setting up routers; logging directly into web pages served up by the devices. Initial configuration is helped by an accompanying setup wizard, available from or included on your installation CD... but who uses CDs nowadays?

Quick Start Guide Booklet

Old Guide

New Guide

Notice a difference between the old guide and the new one? The text at the bottom of the front page now reads:
"For security's sake, please update the default user name and password of your IP camera. The exact process is on page 5 & 9."
Why do I highlight this? Well this was part of my complaints about the previous setup, and how the default configuration left the user with a username of admin and an empty password. Of course, you can set another password, and even change your username. However, it wasn't mandated or even encouraged. I worry the average user won't configure a password. This might not be a problem if your camera only ever sits in your private home network, protected by your router. Should you enable DDNS and port forwarding on your router to access the camera remotely, you absolutely must set a secure password! Do not leave an empty password, ever. Just don't.

Anyway, my rant over for now... Don't worry, there is more to come!

The Wizard

Install and launch the wizard.

Setup Wizard

Not much explaining to do here. Read the instructions, which inform you to connect your camera to a power supply using the adapter provided, and insert a LAN cable connecting your camera to your network (typically by plugging it into the back of your wireless router).

Select camera from list

Should you have many cameras in your setup, you will have to select which one you wish to configure. This is done, counter-intuitively, by selecting the number corresponding to the camera from the number picker, and clicking next. If you only have one, just click the next button.

Make sure do not need to modify the numerical order of the camera?

During setup, I received this dialog box. I'm not sure if I'm being asked a question or not, and what pressing either button will do. I pressed the yes button and it went away. That dialog needs clarifying.

Reconfigured to my subnet

Pressing the Open button next to the red flashing arrow will launch a browser at that IP address to allow you to access the camera. This is the IP address you will always use internally (i.e., inside your home network) to access the camera.

As a side note, by default, the camera uses the IP range I thought I might have an issue as I use the range. However, after pressing the One Key Set button, shown below, and letting the camera restart, the wizard automatically assigned an IP address in the correct range. (If you don't understand any of this paragraph; don't worry. I thought there would be a problem but there wasn't).

Re-assigning IP Address

The HTML Configuration Page

Accessed by browsing to the correct IP address and port number for your camera (default port = 82), you will be required to login. 

Default settings have a username of admin and an empty password

The live view of the camera, accompanied by the controls to pan and tilt, change brightness, resolution etc... See that button down the bottom right? That's your configuration button and you're going to want to change your password.
That's my arm and I'm famous now!!

Changing Default Password

You absolutely must change this from an empty string to a secure password. 

Even the book says so.

From the System menu heading on the left hand side, choose Change Password.

Changing password

But Don't Make It Too Secure!

An oddity I discovered when trying to change my password is that there seems to be a maximum character length in the password you can choose. The password I was going to use was 20 characters long and a healthy mixture of uppercase, lowercase and numbers, entirely meaningless to everyone. In other words, it was very secure.

The configuration seemed happy with the change and prompted me for my new username and password. However, when entering them, it refused to accept it. Thinking maybe the new password hadn't saved somehow, I tried the default empty password; also refused. Uh-oh!

Thinking to myself, whilst a bit of a long shot, I wonder if it truncated my password without telling me? I mean, that would be madness, and no system would ever do that.... right?

So I entered my 20 character password; denied.
So I deleted the last character, and entered the 19 character password; denied.
So I deleted the last character, and entered the 18 character password; denied.
So I deleted the last character, and entered the 17 character password; denied.
So I deleted the last character, and entered the 16 character password; accepted.

Hints to Tenvis:
  1. If I want a long, secure password, please let me have one. This device will be accessible to the outside world and needs to stand up (potentially) to anyone on the internet repeatedly trying to guess my password. The longer the better.
  2. If you are going to limit my password, tell me the maximum length I can use.
  3. If you are going to limit my password, reject any attempts to use a longer password. Do not, under any circumstances, modify my password before storing it!
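
The truncation described above, modelled as an added example (not code from the original post or from Tenvis firmware): the 16-character limit is the one observed above, while the buffer, the function names and the sample password are assumptions. The strict setter follows hints 2 and 3, and also refuses an empty password.

```c
#include <stdio.h>
#include <string.h>

#define MAX_PW 16  /* limit observed in the post; the buffer layout is an assumption */

/* Hypothetical credential store. Plaintext only to keep the model short;
   a real device should store a salted hash instead. */
static char stored[MAX_PW + 1];

/* Observed behaviour: over-long input is cut to MAX_PW and reported as success. */
int set_password_truncating(const char *pw) {
    strncpy(stored, pw, MAX_PW);
    stored[MAX_PW] = '\0';
    return 0;
}

/* Hints 2 and 3: reject over-long input, store nothing, and report the limit. */
int set_password_strict(const char *pw, char *err, size_t errlen) {
    size_t n = strlen(pw);
    if (n == 0) {
        snprintf(err, errlen, "password must not be empty");
        return -1;
    }
    if (n > MAX_PW) {
        snprintf(err, errlen, "password is %zu characters; maximum is %d", n, MAX_PW);
        return -1;
    }
    memcpy(stored, pw, n + 1);  /* n <= MAX_PW, so the terminator fits */
    return 0;
}

/* Login compares the full submitted string against what was stored. */
int login_ok(const char *pw) {
    return strcmp(stored, pw) == 0;
}

int main(void) {
    const char *long_pw = "Xk3Pq9Lm2Zt7Rv5Bw8Yc";  /* constructed 20-character sample */
    char err[64];
    set_password_truncating(long_pw);
    printf("full 20 chars accepted at login: %d\n", login_ok(long_pw));
    printf("first 16 chars accepted at login: %d\n", login_ok("Xk3Pq9Lm2Zt7Rv5B"));
    if (set_password_strict(long_pw, err, sizeof err) != 0)
        printf("strict setter: %s\n", err);
    return 0;
}
```

With the truncating setter the owner is locked out until they guess the cut-off point; with the strict setter the change is refused up front and the stored password is left untouched.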

Enabling Wifi

You probably won't leave your camera physically connected to your network. In this case, you will want to enable it to connect to your wireless network.

Available wireless networks

Choose your wireless network, and enter your password where prompted.

You must activate
I found this step a little confusing: after entering the details for your wireless network, it creates a profile for this. You still have to activate the profile to get the green tick you see above.

At this point, you can disconnect the LAN cable from the camera, and access it wirelessly. If you have issues connecting, try closing your browser and re-opening it, pointing it to the IP address and port for your camera.

In Conclusion

My initial setup was reasonably straightforward and nothing too frightening for me. However, I am a self-professed geek and problem solver. I thrive on getting this kind of thing working. This would fail the mother test; my mother would not be able to set this up. I would have received a phone call from her as soon as she took it out the box I believe.

There needs to be some tidying up of the dialog and some additional descriptions added to places. The PT configuration section for example, offers no description of what PT even means. My guess is Pan/Tilt.

Also, my box did not contain a network cable, which is required for setting the device up. An oversight perhaps? I presume the box was meant to contain one. However, I do have 50 spare network cables around my office at any one time, so it didn't stop me using the camera, but an average person might not store so many cables.

I am still unhappy that the default settings have a blank password, and a well-known username for all devices. However, I am slightly happier the documentation now encourages the user to change the password. But why stop there? Go one step further and mandate a password. That small step could help prevent someone from accessing, nay, controlling one of your customers' cameras. This thought should terrify a company and have them spring into action to ensure that never happens. Hopefully that software update is coming.

On the whole, I am very pleased and left wanting for nothing from this camera. For under £40, it is a bit of a bargain. As mentioned above, you do need technical knowledge to set it up. So if you are tempted by an IP camera, this one is certainly decent for the price.