Hikvision Default Password Changed Mysteriously - Hacked?

Hi IPVM guys,

Today lots of Hikvision customers' DVRs/NVRs, used till now with the default password (12345), seem to have changed password by themselves. Not able to get any of them for testing yet, and not able to access any of them remotely.

Any suggestions?

Lots of thanks in advance and best regards, Bob


Bob, if you had Hik DVRs/NVRs with remote access enabled using admin/12345 you were most likely sharing control of those devices with a botnet anyway for some time.

At this point they probably need to be hard reset locally and the password changed.

Thanks for the priceless info! Tomorrow I'll get some units. Need to Google to find the procedure to do it! Once again, thank you!

Hi Bob.

We are a Hikvision OEM partner.

These DVRs will have been hacked.

Over the last week we have had over 150 customer DVRs that have been hacked and the password changed.

Please note, when you reset the password, please look into the user accounts, as it seems on this particular hack the hacker is creating new user accounts and passwords so that they can still access the DVR after the Admin password has been reset.

The user account the hacker seems to be creating is called “System”, so to most people it may look like a genuine account, which it is not.
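The two checks the replies above call for, whether a recorder still accepts the factory default admin/12345 that Ethan warns about and which user accounts exist after the reset (the “System” account described by the OEM partner), as an added Python example. This is not code from the thread or from Hikvision. It talks to the recorder's ISAPI over HTTP digest auth; the paths /ISAPI/System/deviceInfo and /ISAPI/Security/users and the UserList element names are taken from Hikvision's ISAPI documentation as I know it, and firmware differs, so verify them against your own units. The XML under SAMPLE_USER_LIST is constructed for illustration, not captured from a real device, and the network functions should only be pointed at recorders you are responsible for.

```python
"""Post-reset checks for a Hikvision DVR/NVR (added example, not code from the thread).

Check 1: does the recorder still accept the factory default admin/12345?
Check 2: which accounts exist, and are any of them unexpected (e.g. "System")?

ISAPI paths and element names follow Hikvision's documentation as assumed here;
verify against your firmware. SAMPLE_USER_LIST is a constructed response.
"""
import sys
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

DEFAULT_CREDENTIALS = ("admin", "12345")   # factory default discussed in the thread
EXPECTED_USERS = {"admin", "operator"}     # accounts the installer actually created

# Constructed sample of a /ISAPI/Security/users response with one rogue account.
SAMPLE_USER_LIST = """<?xml version="1.0" encoding="UTF-8"?>
<UserList version="2.0" xmlns="http://www.hikvision.com/ver20/XMLSchema">
  <User><id>1</id><userName>admin</userName><userLevel>Administrator</userLevel></User>
  <User><id>2</id><userName>operator</userName><userLevel>Operator</userLevel></User>
  <User><id>3</id><userName>System</userName><userLevel>Administrator</userLevel></User>
</UserList>
"""


def fetch_isapi(host, path, username, password, timeout=5):
    """GET an ISAPI path with HTTP digest auth and return the body as text."""
    url = f"http://{host}{path}"
    mgr = urllib.request.HTTPPasswordMgrWithDefaultRealm()
    mgr.add_password(None, url, username, password)
    opener = urllib.request.build_opener(urllib.request.HTTPDigestAuthHandler(mgr))
    with opener.open(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def accepts_credentials(host, username, password):
    """True if the recorder answers deviceInfo with these credentials.

    urllib retries the digest challenge and finally raises HTTPError 401 when the
    credentials are rejected; a firmware that only offers Basic auth also ends in 401.
    """
    try:
        fetch_isapi(host, "/ISAPI/System/deviceInfo", username, password)
        return True
    except urllib.error.HTTPError as err:
        if err.code in (401, 403):
            return False
        raise


def _local(tag):
    """Strip the XML namespace so parsing works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def parse_user_list(xml_text):
    """Return (id, userName, userLevel) tuples from a UserList document."""
    users = []
    for user in ET.fromstring(xml_text):
        if _local(user.tag) != "User":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in user}
        users.append((fields.get("id", ""), fields.get("userName", ""),
                      fields.get("userLevel", "")))
    return users


def find_rogue_accounts(users, expected=EXPECTED_USERS):
    """Accounts not on the allowlist; compared case-insensitively ('system' == 'System')."""
    expected_lc = {name.lower() for name in expected}
    return [u for u in users if u[1].lower() not in expected_lc]


def audit_users(xml_text, expected=EXPECTED_USERS):
    """One finding line per account the installer did not create."""
    return [f"REVIEW account id={uid} name={name!r} level={level}"
            for uid, name, level in find_rogue_accounts(parse_user_list(xml_text), expected)]


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: hik_check.py <host> <admin-user> <new-password>")
    host, user, pw = sys.argv[1:4]
    if accepts_credentials(host, *DEFAULT_CREDENTIALS):
        print("FAIL: recorder still accepts admin/12345")
    for finding in audit_users(fetch_isapi(host, "/ISAPI/Security/users", user, pw)):
        print(finding)
```

Run it once with the new admin password after the local reset; anything it reports under REVIEW should be deleted on the recorder, and the default-credential check should come back clean before the unit is reconnected to the network.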

I just experienced my first one this week. The symptom was the DVR not being accessible via browser or app; the password didn't work. I had to go on site and run the password reset. It was an older firmware and it let me. When I got back in I found this: I never created a "system" account.

What model DVR? Was it analog/HD analog, or IP?

7716 IP NVR. It's a little over a year old, and the firmware was from that interim period when they made you change from 12345 but didn't care too much what you changed it to. I think we used 54321 and can only assume the hacker got it. Interestingly, when I reset the password it wanted the longer, more complicated password.

Define "remotely". Who has access to them? Are they on an isolated company VLAN with no external access, only through a company gateway server? In this case, perhaps IT changed the default password.

If they were left with the default password and are accessible with no VPN / accessible via the internet, the password was changed by a person, could be anyone. Could be the aspiring hacker or some kid in a basement somewhere who is just having "fun". We can't help you here and there is no easy way to fix it except sending someone out to every site and resetting the NVR if no backup admin was created (I always recommend creating a 2nd admin account).

the password was changed by a person, could be anyone. Could be the aspiring hacker or some kid in a basement somewhere who is just having "fun".

Daniel, I agree theoretically it could be anyone.

However, with #2's 150 hacked DVR report + Bob's + a third one we received a week ago, that's too many devices being hacked for it to be random kids.

The more likely explanation is that someone has automated the process and is using it to probe the public Internet, yes/no?

I agree. Not sure if you caught this on your radar, but Krebs on Security claims to have found who was behind the Mirai botnet.

These guys have essentially been shut down and are under FBI investigation, but their code / methodology is being copied and implemented on a daily basis.

Daniel, what I am not clear about is that, to date, we have not heard any reports that Hikvision products were impacted by the Mirai botnet.

So is that wrong? Has the Mirai botnet mutated to cover Hikvision? Is there some other exploit impacting Hikvision now?

Because up until a week ago we had no recent reports of Hikvision attacks and now there are (at least) 3 in the course of a week.

The Mirai botnet was shut down a while ago. It no longer exists. What resulted from that was methodologies and copied code, which can be modified to attack other systems. These botnets are now common, but they are usually written for systems with default usernames/passwords, and grow through simple network scanning of similar systems.

I have no knowledge if anyone has actively exploited Hikvision's known buffer overflow vulnerabilities.

Daniel -

Are you referring to the original Mirai botnet, before the source code was released?

Mirai is still very much around, and as happens in many of these cases has mutated and advanced. For example, Mirai now runs on Windows.

There never was a single Mirai botnet. Mirai was the software used to build a botnet, and there have always been multiple botnets.

The problem is that you can't shut it down.

They still exist, running the standard code. There are tens of varieties now exploiting things that are not default telnet passwords.

You might also want to do these resets in an isolated network and delete the corrupted settings entirely just to be sure. Then update the firmware.

Agreed.

Though these days, even that may not be enough.

I have had a couple of Interlogix cameras (same thing as Hikvision, renamed) do the same thing, and we had to go out and physically factory default the camera. The weird thing about it is that they are attached to an Avigilon VMS and not open to the Internet. Something very odd is going on here and I can't figure it out.

Your customer had a device attached to the public internet using default credentials. "WCGR", as they say on Reddit.

Thanks to everyone who commented here. We ran a post on this this morning, prompting Hikvision to admit to the hacking.