Subscriber Discussion

What Do You Usually Do When You Lost The Password Of The Security Cameras And Recorders?

Undisclosed Manufacturer #1
Mar 21, 2017

What do you usually do when you lose the password of the security cameras and recorders?
- Hikvision’s password reset policy encountering a security vulnerability

When you first start up a security product, you usually set a new password that meets the complexity requirement to enhance security.
Password complexity is essential for security reinforcement, but if you lose your password, it is too hard to figure out, and sometimes there is no option other than a factory reset (this applies to Hanwha Techwin’s products).

Recently I found out an easy way to reset the password of Hikvision products.
After losing the password, I was about to do a factory reset, but I couldn’t find the reset button. I contacted the Hikvision support center and got a tool called SADP Tool for password reset.
It is easy to use.
You first install the tool on your PC, search for the relevant device, and export the ‘Key request file’. Then fill out both the user and product information and send an email to the support center. When you receive the ‘Key file’, import the file using SADP Tool, and then the password reset is done.
The user info you should give is your name, email address, phone number, and company name. You should also provide device info such as the firmware version, serial number and other date and time info, which you can get easily when you check SADP Tool.


 
There is no doubt that SADP Tool is easier than a factory reset. However, it is a fact that anyone else who gets access to SADP Tool can easily reset the password and control my system.

Furthermore, what happens if anyone sends false user info out of spite?
Out of curiosity, I created a fake user and sent spoofed user info such as name, phone number, company name, address, etc. with my device information to the Hikvision support center. Do you know what happened? They sent me the ‘Key file’ before the day passed!
The manual says that you should not reset the device after exporting the ‘Key request file’ and that the ‘Key file’ you receive is valid only within 24 hours. But these restrictions do not mean much, I think, and anyone can easily get the ‘Key file’ to reset the password of Hikvision products.
If I take this issue a bit seriously, the manufacturer (Hikvision) may be able to remotely reset the password of their products whenever they want with only limited info such as the firmware version and serial number. And if that is true, you may have a very serious security vulnerability hidden behind user convenience.

I am not writing this to attack a certain company. I wish that we all – security product users, manufacturers, installers and more – have a chance to be concerned about the password reset policy to reduce security vulnerabilities.
Feel free to give your opinions. Thanks.

 

(2)
Undisclosed Integrator #2
Mar 21, 2017

I guess if anyone wants to do some social hacking on a one-off basis this is a big concern.  

Why crack into one Hikvision NVR at a time when everyone else seems to be able to hack them in bulk?

(1)
Undisclosed Manufacturer #3
Mar 21, 2017

That is the problem with "one-time" passwords.  Anyone who has access to the algorithm can access the device.  In previous generations of products, the algorithm has been cracked.  Once you have access via the network and their tool, you gain access.  As you stated, I seriously doubt the manufacturer will restrict resets to the SI or owner.  They are simply collecting the info in case they get in trouble down the road.

I personally feel that a hardware reset button that erases all configuration data is the way to go for best device security.

(1)
HyuckRae Kim
Mar 22, 2017

I agree with your opinion.

However, there are the following problems in actual use.
My friend is a CCTV installer, and he asked, "How do I get to the reset button every time I lose a password?" Rather, it's much easier to call the customer center and reset it online.

Usability and security seem to be very conflicting at first glance.
But, as you said, I think that ownership of the password reset must lie with the owner, and the manufacturer should never be involved.

If such a policy spreads, I believe that users' perception will improve.

 

Josh Hendricks
Mar 22, 2017
Milestone Systems

I'm far from a hacker but if I need to get into a camera for which the password is lost/unknown, my first step is to use Wireshark to capture the traffic between the camera and server during startup.

Quite often HTTP is used with basic authentication so the password is sent in (reversible) base64 encoding.

If HTTPS is used, it might be possible to get the password using Fiddler.

Otherwise I fully support a 100% customer-managed remote password reset feature. I'm uncomfortable with a vendor having the ability to facilitate someone else accessing my devices. But the convenience of resetting a camera without having to get a ladder (or ladder truck) is a huge time and money saver in those few times it becomes necessary.

(2)
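
As an added example (not part of the original post): a small Python audit of captured cleartext HTTP requests that flags Basic authentication, showing why the base64 encoding mentioned above gives no protection, while a Digest header does not carry the password itself. The sample requests, addresses and credentials are constructed.

```python
import base64

# Constructed sample: two HTTP requests as they might appear in a cleartext capture.
SAMPLE_REQUESTS = [
    "GET /config HTTP/1.1\r\nHost: 192.0.2.10\r\n"
    "Authorization: Basic " + base64.b64encode(b"admin:Str0ng!Passw0rd").decode() + "\r\n\r\n",
    "GET /stream HTTP/1.1\r\nHost: 192.0.2.11\r\n"
    'Authorization: Digest username="admin", realm="cam", nonce="abc", response="0f3c"\r\n\r\n',
]


def audit_request(raw):
    """Return a finding for one cleartext HTTP request, or None if it has no auth header."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    auth = headers.get("authorization")
    if auth is None:
        return None
    scheme, _, param = auth.partition(" ")
    finding = {"host": headers.get("host"), "scheme": scheme.lower(), "exposed": False}
    if finding["scheme"] == "basic":
        try:
            # Basic auth is base64("user:password"): an encoding, not encryption.
            decoded = base64.b64decode(param.strip(), validate=True).decode("utf-8")
        except ValueError:                        # malformed base64 or not UTF-8
            return finding
        user, sep, password = decoded.partition(":")   # password may contain ':'
        if sep:
            finding.update(exposed=True, user=user, password=password)
    return finding


def audit(requests):
    """Audit every request and keep only those that carried credentials."""
    return [f for f in map(audit_request, requests) if f is not None]
```

Any device that appears here with `exposed` set to true is sending a recoverable password on every request, however complex that password is.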
Kevin Bennett
Mar 24, 2017

I have not run into a scenario where I needed to reset a password for a Hikvision product, but I have for an Arecont.  Those of you who have used Arecont know there is no reset button.  It used to be "send it back to the manufacturer" if you needed a reset.

Several months ago we had an issue where we needed a password reset on an Arecont, contacted them, and they provided a one-time use file similar to what it appears UM1 is referring to above.  One of the Arecont configuration applications (don't recall which one) has the option to do a password reset if you have that one-time file.

Arecont has set the application and file process to be specific to both an individual camera and an individual computer used to access the device.  That means I can use it only on the camera whose MAC address I had to provide to Arecont, and only from the computer whose MAC address I had to provide to Arecont. 

From outward appearances, this appears to be a fairly secure process.  Not as convenient as giving me a friggin' reset button, of course.

(1)
(1)
Undisclosed Manufacturer #3
Mar 24, 2017

What validation is done to verify the user doing the reset?  What stops anyone from giving support the MAC address of their PC to do the reset - support doesn't know if the PC used is the end user, SI, or a hacker.  I know manufacturers who request a lot of info, but just for CYA purposes without looking anything up in a database, which for most manufacturers doesn't exist, as these types of products are never "registered".

What happens if the PC has multiple NICs - wireless, wired, etc.  Is their application smart enough for this?

Kevin Bennett
Mar 24, 2017

Our cameras are on a closed/private VLAN segment.  Only a select few people have access, and only from computers allowed to connect to that VLAN.  I fully realize that not every site is set up with good, or even minimally acceptable, security practices in place.

"What happens if the PC has multiple NICs - wireless, wired, etc. Is their application smart enough for this?"

I do not know.  That is a question for Arecont.  I do know that it is indeed MAC specific for both the camera and computer, though.  I tested it, because I'm kind of sort of not the trusting type.
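
The point argued in this sub-thread, that a reset request built from facts anyone can read off the device does not prove ownership, sketched as an added example (it is not any vendor's implementation and not from the original posts). The `Device` class, `sign_reset` and all values are hypothetical; the owner-held key is an assumed design in the spirit of the customer-managed reset suggested earlier in the thread.

```python
import hashlib
import hmac


def sign_reset(owner_key, serial, expires):
    """Owner side: issue a reset token for one device, valid until `expires` (epoch seconds)."""
    msg = f"{serial}|{expires}".encode()
    return f"{expires}:{hmac.new(owner_key, msg, hashlib.sha256).hexdigest()}"


class Device:
    """Toy device model (hypothetical) contrasting two reset policies."""

    def __init__(self, serial, firmware, owner_key):
        self.serial = serial
        self.firmware = firmware
        self._owner_key = owner_key   # secret enrolled by the owner at first setup
        self._spent = set()           # tokens already redeemed (one-time use)

    def discoverable_info(self):
        # Facts anyone on the same network segment can read with a discovery tool.
        return {"serial": self.serial, "firmware": self.firmware}

    def reset_if_info_matches(self, serial, firmware):
        # Weak policy: the request proves only knowledge of discoverable facts.
        return serial == self.serial and firmware == self.firmware

    def reset_if_owner_token(self, token, now):
        # Stronger policy: token must verify under the owner's key, be bound to
        # this serial, be unexpired, and not have been used before.
        try:
            expires_s, mac_hex = token.split(":", 1)
            expires = int(expires_s)
        except ValueError:
            return False
        expected = sign_reset(self._owner_key, self.serial, expires).split(":", 1)[1]
        if not hmac.compare_digest(mac_hex.encode(), expected.encode()):
            return False
        if now > expires or token in self._spent:
            return False
        self._spent.add(token)
        return True
```

Under the first policy, whoever can see the device on the network can satisfy the check; under the second, a forged, expired, replayed or wrong-device token is refused without the manufacturer being involved at all.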

Kevin Bennett
Mar 24, 2017

<moved to proper reply location>
