Subscriber Discussion

Is Hikvision More In The Wrong Than Avigilon? (Defaulted Device Hacking)

Undisclosed #1
Mar 04, 2017
IPVMU Certified

Is Hikvision more in the wrong than Avigilon because someone wrote a script targeting them this time?

Is negligence only attributed after an exploit?

Related: List Of Cameras/Nvrs That Still Ship With a Default Password 

NOTICE: This comment was moved from an existing discussion: Hikvision Defaulted Devices Getting Hacked

(1)
John Honovich
Mar 04, 2017
IPVM

Good question.

Hikvision is clearly more in the wrong than Avigilon because Hikvision's approach created far more risk / exposure than Avigilon's.

Hikvision's international business model is to sell to anyone at low prices. This led them to be a top choice for homeowners, DIYs, non-technical dealers, etc. Hikvision knew that it was catering to a mass market, low tech audience. By contrast, Avigilon sells a far smaller number of expensive cameras to a tightly controlled dealer market.

Additionally, Hikvision has consistently encouraged their users, until a few months ago, to port forward and provide public access through their insecure DDNS service, making the risk of default password attacks that much greater.

So I think all manufacturers should enforce strong passwords and auto-logout on login failure.

But Hikvision, by sheer size of its deployed base, by its focus on the mass market with lower technical skills, and its ongoing encouragement of port forwarding, created far higher risk and negligence than Avigilon.

Agree/disagree?

(11)
(1)
Undisclosed #1
Mar 04, 2017
IPVMU Certified

Hikvision is clearly more in the wrong than Avigilon because Hikvision's approach created far more risk / exposure than Avigilon's.

Yet today, as far as I know, Avigilon devices ship with a blank password, while Hik has since instituted one of the most stringent password policies around.

Does this mean that Avigilon is being more negligent with respect to new devices?

(2)
(2)
John Honovich
Mar 04, 2017
IPVM

Again, I think all manufacturers, including Axis, Avigilon, etc. should force strong passwords. To that end, any manufacturer who is still doing so, I would consider negligent, including Avigilon.

However, in terms of risk level, it is far lower for Avigilon simply given how many fewer Avigilon devices are out there and how many of those are publicly accessible.

For example - 1,000x differential:

(1)
Undisclosed #1
Mar 04, 2017
IPVMU Certified

To that end, any manufacturer who is still doing so, I would consider negligent, including Avigilon.

Yes, but any manufacturer who continues this practice, even in the face of such attacks as we have witnessed recently, must surely be judged harsher.

Also, IMHO, Hikvision got out in front of the password thing before most other manufacturers.  Do you agree?

(2)
Undisclosed #1
Mar 04, 2017
IPVMU Certified

However, in terms of risk level, it is far lower for Avigilon simply given how many fewer Avigilon devices are out there and how many of those are publicly accessible.

Quantify risk level.  Just by number of devices?  What about what those devices are protecting?  

I would expect that all 334 of those devices would be targeted before the 300,000 if someone were looking to do something besides install a DDoS client.

 

(1)
(2)
Undisclosed Integrator #2
Mar 04, 2017

Quantify risk level. Just by number of devices? What about what those devices are protecting?

In terms of exposure to news agencies?  Certainly.  If 334 devices are hacked it is significant, no doubt.  300,000 is far more newsworthy.

(2)
Undisclosed #1
Mar 08, 2017
IPVMU Certified

The news worthiness would also depend on the victims. An Avigilon install is far more likely to protect national infrastructure and other high worth targets; Hik as already argued has a significant number of DIY and lower-end sales.

Campbell Chang
Mar 05, 2017

What about Dahua?

 

Similar numbers to Hikvision.  They haven't changed anything since the Mirai incident and still have a default credentials policy.

(3)
John Honovich
Mar 05, 2017
IPVM

What about Dahua?

Campbell, you haven't heard? ;)

Last night, a Dahua backdoor was posted on IPVM that impacts current products, see: 0-Day: Dahua Backdoor Generation 2 & 3

That is far far worse than default credentials since it provides remote unauthenticated admin access. Full report on Dahua backdoor here.

(1)
Michael Miller
Mar 04, 2017

Besides Avigilon ES cameras we don't have any connected to a WAN or router without a server in between.  I would wager this is the norm with other dealers.  Hikvision, on the other hand, would be the other way, as most of their cameras/NVRs are connected directly to the WAN/router and just put in a DMZ because most DIY people don't know how to port forward or set up a VPN.

Not having to change the password when you power up the camera the first time speeds up deployment, as we can just plug cameras in right out of the box without even having to IP them.  Once all cameras are connected to the servers you can select all cameras in the system and change all passwords in like 2 clicks.   As long as the passwords get changed, does it really matter if it is done first or last during the install?

Also, Avigilon's communication between cameras and servers is encrypted and the firmware has security built in, though I am not sure of the specifics.

(4)
Undisclosed Integrator #2
Mar 04, 2017

Plus cameras are usually on an isolated camera network or VLAN with no exposure to the internet or even a gateway.  This is true with every VMS I have deployed and not exclusive to Avigilon.  The server would have to be the attack vector for Avigilon if it is coming from the internet.  While they do not require a password change it is likely a person competent enough to manage a server is competent enough to realize they need to change the password.  Are DIY users likely to have the same understanding?

Hikvision has an attack vector right through the NVR.  It doesn't matter if the cameras have passwords or are encrypted when the main box is directly on the internet.

Undisclosed #1
Mar 04, 2017
IPVMU Certified

Hikvision has an attack vector right through the NVR.

So do Avigilon NVRs, no?

(2)
Undisclosed Integrator #2
Mar 04, 2017

Is this from one of the Razberi based models?  You're comparing a Windows based server that has a separate switch to an IoT NVR.  That address is for the switch, which is not exposed to the internet unless intentionally done.  Just because a HIK NVR and an Avigilon Razberi rebrand have PoE ports on the back does not make them the same type of device.  Nowhere does that manual say the best practice for using that login screen is to directly place this device on the internet with port forwards in order to use DDNS.

Nice try though.

(3)
Undisclosed #1
Mar 05, 2017
IPVMU Certified

Nice try though.

Is this any better?

It's from the HD Appliance manual.

(1)
(1)
Michael Miller
Mar 05, 2017

Have you ever installed an Avigilon system?

 

(2)
Undisclosed #1
Mar 05, 2017
IPVMU Certified

Not an appliance, no.

This is a page from the Avigilon user manual for the HD Video appliance.

Is that user name/password forced to be changed?

(2)
Undisclosed Integrator #2
Mar 05, 2017

Unreal...  You have discovered the vast Avigilon orchestrated conspiracy to undermine Hikvision. Congratulations Snooper Trooper!

There are many items with Avigilon that don't require a password change including the cameras, servers, and even the VMS itself.  Generally you will find people paying for the $8K device you are referencing will take slightly more basic steps to secure it than plugging it into a cable modem/router.

 

(1)
(1)
(1)
Undisclosed #1
Mar 05, 2017
IPVMU Certified

There are many items with Avigilon that don't require a password change including the cameras, servers, and even the VMS itself.

As long as we are in agreement that Avigilon hardware and software, from a pure engineering standpoint, is as vulnerable to default credential attacks as Hik was, and more vulnerable to such attacks than Hik today, for those devices that end up exposed.

Generally you will find people paying for the $8K device you are referencing will take slightly more basic steps to secure it than plugging it into a cable modem/router.

Is the security tighter for their cheaper devices then?

(2)
(2)
Undisclosed Integrator #2
Mar 05, 2017

This is going in circles.  Read John's initial response.

(1)
Undisclosed #1
Mar 05, 2017
IPVMU Certified

I have read it.  I disagree with it.

Specifically, I disagree with the premise that Avigilon is ethically superior to Hikvision with respect to their user management, merely because they sold fewer cameras.

As for John's argument regarding the 'tightly controlled' dealer market of Avigilon vs the less skilled Hik dealer and greater DIY customer base, one could make the opposite case:

Namely, that because Avigilon sells cameras into higher-end government installs that they should take every precaution against possible breach, in case an installer neglects to create a strong password.  It happens right?  Or a camera gets reset to default settings by accident or glitch.

And you do know that Mirai contains Avigilon default credentials as well as Hik's?

This means if you have an Avigilon camera open to the Internet with default credentials, the odds are the same that it will get exploited, as a Hik default cred camera. Both probably sooner than later.

But more than anything, the fact that Avigilon still ships cameras with no password, as a benefit to the dealer, but not for the end-users benefit, is less secure than Hik's current approach.

I bet Avigilon changes it within 2 years.

You in Trooper?

(3)
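The post above argues that a default-credential camera exposed to the internet gets found regardless of brand. From the defender's side, the trace such automated guessing leaves in a device's login log is a run of failures followed by a success from the same source, often from a public address. The following detector is an added example written for this page, not code from the thread or from any vendor; the log format, the sample lines, the addresses (RFC 5737 documentation space stands in for a public address) and the threshold are all constructed assumptions:

```python
"""Added example (not vendor code): flag successful logins that follow a run
of failures from the same source, or that arrive from a non-local address.
The log format, sample lines and threshold are constructed for this page."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample log: "<timestamp> <OK|FAIL> user=<name> src=<ip>".
# 203.0.113.0/24 (RFC 5737 documentation range) stands in for a public address.
SAMPLE_LOG = """\
2017-03-04T01:12:01Z FAIL user=admin src=203.0.113.7
2017-03-04T01:12:02Z FAIL user=admin src=203.0.113.7
2017-03-04T01:12:03Z FAIL user=admin src=203.0.113.7
2017-03-04T01:12:04Z OK user=admin src=203.0.113.7
2017-03-04T08:30:00Z OK user=operator src=192.168.1.20
2017-03-04T09:00:00Z FAIL user=admin src=192.168.1.50
2017-03-04T09:00:05Z OK user=admin src=192.168.1.50
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)
FAIL_THRESHOLD = 3  # assumed: 3+ failures before a success looks like guessing

# RFC 1918, loopback and link-local. ipaddress.is_private is deliberately not
# used because it also classifies the RFC 5737 range in the sample as private.
LOCAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]


def is_local(src: str) -> bool:
    """True if the source address is on a local (non-routable) range."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in LOCAL_NETS)


def parse(log_text: str) -> list:
    """Parse lines in the constructed format; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_suspicious_logins(log_text: str, fail_threshold: int = FAIL_THRESHOLD) -> list:
    """One finding per successful login that is preceded by fail_threshold or
    more failures from the same (source, user), or that comes from a non-local
    address, i.e. the device was reachable from outside the camera network."""
    fails = defaultdict(int)
    findings = []
    for ev in parse(log_text):
        key = (ev["src"], ev["user"])
        if ev["result"] == "FAIL":
            fails[key] += 1
            continue
        reasons = []
        if fails[key] >= fail_threshold:
            reasons.append(f"{fails[key]} failures before success")
        if not is_local(ev["src"]):
            reasons.append("login from non-local address")
        fails[key] = 0  # a success resets the run for that source/user
        if reasons:
            findings.append({"ts": ev["ts"], "user": ev["user"],
                             "src": ev["src"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_logins(SAMPLE_LOG):
        print(f["ts"], f["user"], f["src"], "; ".join(f["reasons"]))
```

On the constructed sample only the 01:12 session is flagged, for both reasons; the local `admin` login at 09:00 had a single failure and stays below the threshold. Counting per (source, user) rather than per source alone keeps one noisy operator from masking a separate guessing run against the admin account.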
Undisclosed #3
Mar 05, 2017

I have a feeling that you are not an Avigilon partner.

Am I right?

(2)
Undisclosed #1
Mar 05, 2017
IPVMU Certified

I have a feeling that most Avigilon dealers would not be critical of Avigilon on IPVM.

Am I right?

(1)
(2)
Undisclosed #3
Mar 05, 2017

Yes,

please answer my question

thanks

(1)
Undisclosed #1
Mar 05, 2017
IPVMU Certified

please answer my question

I did rhetorically: Since I am criticizing Avigilon we know that I am probably not a dealer.

Are you still a Hik dealer or did you drop them like Mike?

(2)
Michael Miller
Mar 05, 2017

Ok good.  Did the switches you use require a user/password change?

 

(1)
Michael Miller
Mar 05, 2017

I see you are avoiding my question whether you were forced to change user/pass on the switches you installed.  Also, why the bone to pick with Avigilon?  What other VMS systems require a user/pass change when you first install?

(1)
Undisclosed Integrator #2
Mar 05, 2017

You are just feeding a troll.

(1)
Undisclosed #1
Mar 05, 2017
IPVMU Certified

I see you are avoiding my question whether you were forced to change user/pass on the switches you installed.

Yes, I did avoid it out of courtesy.  But since you force me to answer, the reason is because you were being extremely disingenuous to say the least.

Your phrase "switches you installed" is obviously presumptive and intentionally subversive as I have said nothing about installing any switches.

In fact, I have already replied to you that I have never installed an Avigilon appliance and that the screen shot was from a manual.

Yet you twice persist in this fiction, obviously a thinly disguised ploy to derogate, via ad hominem, my 'hands on' experience compared with your own vast 'real-world' knowledge.

This is a tactic you have used many times on the forum, usually when logic or facts fail you.

I usually just ignore such provocations...

 

(4)
Undisclosed #3
Mar 05, 2017

"I usually just ignore such provocations..."

BS,

you are provoking Mike in my opinion
in a very boring, useless discussion

UD2 is right

with his response to Mike

"You are just feeding a troll."

(4)
(1)
Undisclosed Integrator #2
Mar 05, 2017

This is why John stopped participating.  I have the feeling he is waiting to see how long it takes us to stop fueling this thread :)

That said, I realize I just contributed :(

(1)
(1)
Undisclosed #1
Mar 05, 2017
IPVMU Certified

This is why John stopped participating.

You speak for John?

(1)
John Honovich
Mar 05, 2017
IPVM

This is an interesting topic but the back and forth it has fallen into is not. Please stop. I'll delete further responses on this subthread that are just back and forth arguing without new evidence presented.

(2)
Undisclosed #1
Mar 06, 2017
IPVMU Certified

What other VMS systems require user/pass change when you first install?

Newer Hikvision appliances

(2)
(1)
Michael Miller
Mar 06, 2017

You are comparing a Hikvision NVR/DVR with a built-in PoE switch, which is fully integrated into the NVR GUI, to a Windows server with a built-in switch (on a dedicated network). You have one admin user/password on that Hik box compared to 3 admin accounts (VMS, Windows, and Switch).

I get your point but I don't understand why you are picking on Avigilon when there are many other VMS platforms, Windows servers, and network switches which don't require you to change your user/password when you first install them.

(2)
Undisclosed #1
Mar 06, 2017
IPVMU Certified

You are comparing a Hikvision NVR/DVR with a built-in PoE switch, which is fully integrated into the NVR GUI, to a Windows server with a built-in switch (on a dedicated network). You have one admin user/password on that Hik box compared to 3 admin accounts (VMS, Windows, and Switch).

They are both essentially all-in-one, pre-installed NVR appliances and they both have dedicated camera networks.

One runs Windows and one runs Linux.  Both are sold through local dealer channels, but Hik also seems to allow considerable product to be purchased by DIY through gray channels.

I don't understand why you are picking on Avigilon.

I am not picking on Avigilon per se, I am only saying that Hik's password policy was not different than most majors at the time in question.  And in fact they were on the early side of adopting strong credentials soon after.  I accept John's point that they should take more responsibility because their customer base contains DIY, but I feel that since they stepped up before many others, that they shouldn't be judged as harshly.

Btw, I didn't create this discussion, John did. I just posted in the other original discussion and used Avigilon, just as an ad-hoc example, because I knew they still used default passwords.  I could have used other examples.

 

(2)
Michael Miller
Mar 08, 2017

They are both essentially all-in-one, pre-installed NVR appliances and they both have dedicated camera networks.

Sorry but I have to disagree.  If you are just looking at the boxes they do look the same, but on the inside they work completely differently.
