Should Hikvision Hack Its Own DVR's?

Before it was forced to shutdown, insecam.com had a listing of over 73,000 private cameras, available for viewing by anyone. Hikvision DVR's (and DVR's in general) were especially prized because of their 8 and 16 channel views. Although this site was pressured to close, the lists of unsecured cameras/devices grows, with new sites to view them as well.

Which leads me to a crazy idea. Why not, in an automated fashion, log in to all these devices and leave some calling card that would alert/motivate the owner to change the password. Something non-destructive but visible is needed. How about making all camera titles say "change password - device was accessed from Internet.". Or in an overlay? Ideas?

Going the whole hog and changing the firmware automatically is unlikely to fly in the U.S., but maybe in China it could be done for interests of national security.

Is this an old idea that has already been shot down?


Going the whole hog and changing the firmware automatically is unlikely to fly in the U.S., but maybe in China it could be done for interests of national security.

Logging in and leaving a "calling card" would create a major firestorm, that would be called hacking... many other downsides as well would arise from that stunt that would land them in deep trouble...

...would create a major firestorm...

Agreed, certainly in the West. In China though, it doesn't strike me as something that would neccesarily land them in hot water.

I would also like to point out that I am not saying HIK should portscan the Internet blindly for their devices. I am talking about the lists of HIK devices that have already been discovered by others and are currently being monitored by people around the world, violating their privacy daily. This 'hack' would not involve any human interaction or retrieval of any video or any information at all.

It could be argued that it would set a dangerous precedent, and I see that too. But one thing I am sure of, if I somehow had a camera that was accidentally accessible on the Internet and people were viewing it daily, I would want to know, wouldn't you?

Would you be pissed at them for telling you you're being watched by strangers?

I'd be impressed that the manufacturer of my system cared enough to alert me to a security breach. I like the idea. I'd be wigged out if Hik sent me a message like that on my Bosch NVR though so they should keep thier "hacking" to just thier systems :)

FWIW, these paragraphs from the article above are what made me think of the OP:

So many cameras are setup to look down into cribs that it was sickening; it became like a mission to help people secure them before a baby cam “hacker” yelled at the babies. I wanted to warn and help people who unwittingly opened a digital window to view into their homes, so I tried to track down some security camera owners with the hopes of helping them change the default username and password. It is their lives and their cameras to do with as they think best, but “best” surely doesn’t include using a default username and password on those cameras so that families provide peep shows to any creep who wants to watch.

The site lists the camera manufacturer, default login and password, time zone, city and state. The results for each camera are also theoretically pinpointed with longitude and latitude on Google Maps. That can be opened in another browser window, zoomed into, converted to Google Earth, then Street View in hopes of seeing an address to take into a reverse phone look-up. It’s slightly easier if it’s a business and you see a name on a building. There may be an easier way, as it was slow and frustrating.

A, framing it as 'hacking', you wouldn't make a good marketing person...

I think there are some manufacturers who include this as a service. At the very least, they could market it as a service, saying that they are helping people.

Indeed, in the future, set auto upgrades as a feature, make it the default, allow people to opt out...

A, framing it as 'hacking', you wouldn't make a good marketing person...

My theory was if I called it 'hacking' myself that would relieve others of the duty to point that fact out. Keefe wasted no time in disproving that theory. :)

I wouldn't call remotely upgrading one's own product hacking.

People can argue that it is right or wrong but I think an ethical marketer could reasonably position this as being beneficial and not hacking at all.

While this is definitely outside the box thinking, I do not imagine it would be well received. Here's a personal example of why this is a bad idea:

In the Win2K days I used the command net send to send a message to everyone at a medium size employer that I would be shutting down a key office printer. The message that popped up on their screen had everyone from administrators to the Director of IT scrambling around thinking they had been hacked by The Lawnmower Man. Large scale short messaging was the original purpose of net send! I could see something like this occurring on a much larger scale if Hikvision took this action.

The message that popped up on their screen had everyone from administrators to the Director of IT scrambling around thinking they had been hacked by The Lawnmower Man.

Yes, I imagine that it would not be well received by some. Though in your example, presumably the majority of people receiving the message were not concerned about the status of the printer at that instant, and therefore might only see the negative aspect. In this case it would be more like the message was "The printer has been hacked by The Lawnmower Man". Still your point stands that messengers are often shot because of the message.

So instead, maybe the camera title gets changed to a link to the predatory website that is actually showing the DVR images. The user would change their password at once and direct any negative energy to where it was deserved, the site that was exploiting them.

Hik doesn't have do it in any case, a white hat could do it also, though it could be a lot of work for all the different interfaces. It's still illegal but maybe an ethical argument can be made for it.