Dahua And Hikvision Master Password Backdoor

UPDATE 2017: Dahua Backdoor Uncovered

UPDATE 2017: Hikvision Backdoor Confirmed

Hello community.

What is your opinion about the possibility of local (Dahua) and remote (Hikvision) admin login without knowing the exact password of a user with admin privileges? There is a possibility to generate a password knowing only the present date and just log in.

The basic reason for leaving such a possibility was helping users who forgot their password. More or less 2 years ago Dahua had another way to do so, more hardware-like (turn off the power, take out the battery, connect the contact and so on). Today you just need to calculate something like this:
8888 x day x month x year (last two digits)
and last 6 digits of this number as a password of 888888 user (it has admin privileges). Today it is: 8888 x 27 x 11 x 14 = 36956304 -> password: 956304. I have just checked it - it works fine.

I do not use Hikvision very often so cannot check now, but as far as I know - it works exactly the same. Even more - you can use it remotely. More info here.

What is your opinion? Is it a good way? What mechanisms should be available to help a user when he forgets the password?

Best regards,
Marian Maroszek

The Hikvision discussion claims that you need to know the device's serial number, which vastly limits the ability to hack into remote systems. This is much different than what you are claiming for Dahua (not serial number dependent).

I have forwarded this to Dahua and Hikvision for comment.

The general Hikvision password recovery process for administrative accounts is as follows:

1. The customer contacts Hikvision and provides basic information such as the customer's name, e-mail address, company name, contact number, contact address, device serial code and current system time of device, etc.

2. After Hikvision receives and authenticates the customer's information, it will provide a secure code that is valid for two days.

3. With Hikvision SADP software, which runs on a computer in the same LAN (Local Area Network), the customer can then type in the secure code and reset the password of the administrative account.

This password recovery process can only be run within the Local Area Network. It requires device-specific information that can only be accessed within the LAN, and it requires that the secure code generated by Hikvision be utilized using the SADP tool within the LAN.

Two weeks and no comments yet from manufacturers. Maybe some remarks from community?

Marian

Dahua provided the following:

"We are using our 3rd generation password and will strictly manage, not offering its rule to any customers." and that "NVR6000 series and other based on X86 structure are using third generation password."

I followed up with them asking for more details on which are X86 or not. However, it appears that many existing recorders can be accessed. I just sent them one more email to try to get any more information.

"However, it appears that many existing recorders can be accessed."

Exactly. I guess that it could be 98% at the moment ;-) .

I heard another great piece of info. Someone altered the old trojan which was able to attack Synology's file servers. Now that altered trojan can attack Dahua's DVRs which are available on a public IP address and make a bitcoin digger out of them (not too effective a digger, in fact); as a result the user has 100% Internet bandwidth usage as a bonus :-) . Disconnecting the DVR from the network solves the problem.

Hikvision had the same problem, but as far as I know they already released new firmware which solves this issue.

I really think that those two vendors should provide some more info about it to this community.

Marian

I think that having an easy to figure out master password that can be easily calculated is a big problem. I believe that you should need 1) physical access, such as a reset button, and 2) that it should wipe all settings. This way, a casual person scanning the network can't get in, and two that the person using the device will hopefully notice that all settings have been wiped.

Having a back door is just as bad as having a vulnerability...

http://www.forbes.com/sites/kashmirhill/2013/08/27/baby-monitor-hack-could-happen-to-40000-other-foscam-users/

If the password generator uses the time and date, if the clock is off then you are out of luck. I have seen cameras that are off by a day or weeks or years... If the generator uses the serial number, then usually you again need physical access to the device.

Once a password formula is known and out in the wild, you are at risk. A generator on the other hand that is controlled by the manufacturer, and uses the time/date so that it "expires" and the request is logged with who requested it, etc. that is better, but not great...
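A sketch of the manufacturer-controlled, expiring, logged recovery code that the post above prefers over a public date formula, added here as an example; it is not part of the thread and not Dahua's or Hikvision's actual algorithm. The HMAC construction, the per-device key, the 10-digit code and all names and sample values are assumptions; the two-day window follows the Hikvision process quoted earlier in the thread.

```python
import datetime
import hashlib
import hmac

VALID_DAYS = 2  # validity window, matching the two days quoted in the thread


def derive_device_key(master_secret: bytes, serial: str) -> bytes:
    """Per-device key provisioned at manufacture; the master secret never ships."""
    return hmac.new(master_secret, serial.encode(), hashlib.sha256).digest()


def _code(device_key: bytes, day: datetime.date) -> str:
    # Keyed digest of the date, truncated to a 10-digit code a person can type.
    digest = hmac.new(device_key, day.isoformat().encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:8], 'big') % 10**10:010d}"


def issue_code(master_secret, serial, device_date, requester, audit_log):
    """Vendor side, run only after the requester has been authenticated.

    device_date is the date shown on the device, so a wrong clock does not
    lock the owner out. Every issued code leaves an audit record.
    """
    audit_log.append({"serial": serial, "requester": requester,
                      "device_date": device_date.isoformat()})
    return _code(derive_device_key(master_secret, serial), device_date)


def verify_code(device_key, device_today, candidate):
    """Device side: accept a code issued for one of the last VALID_DAYS dates."""
    ok = False
    for age in range(VALID_DAYS):
        expected = _code(device_key, device_today - datetime.timedelta(days=age))
        ok |= hmac.compare_digest(expected, candidate)  # constant-time compare
    return ok


if __name__ == "__main__":
    # Constructed sample values, not real secrets or serial numbers.
    master = b"constructed-master-secret"
    log = []
    day = datetime.date(2014, 11, 27)
    code = issue_code(master, "SN-EXAMPLE-0001", day, "installer@example.com", log)
    key = derive_device_key(master, "SN-EXAMPLE-0001")
    print(verify_code(key, day, code))                               # inside window
    print(verify_code(key, day + datetime.timedelta(days=2), code))  # expired
```

Because each device holds only its own derived key, a code issued for one serial number is useless on another unit, and the device should still limit the number of reset attempts it accepts.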

I tried this on two Dahua DVRs (an older generation HCVR7208 and a new tribrid HCVR7816S).

Local login (using a mouse and monitor connected directly to the DVR) worked on the HCVR7208, but not the HCVR7816S, using 888888 as the user and 425024 (password generated from today's date).

Remote login, via the web interface or PSS software, did not work for either.

So is this a security risk? Yes. Anyone with a calculator and local access to a DVR may use it.

However, considering you need to be physically at the DVR, with a mouse and monitor attached, it is much less of a security risk than it could be if it were enabled remotely. Many DVRs do not have mouse or keyboard attached, with users accessing them only via the web interface or remote software.