Hikvision Security Code Cracked

Published Aug 08, 2017 16:01 PM

Hikvision's 'security code' feature has been cracked and a program generating security codes is being distributed online. IPVM has obtained and tested this program, verifying that it works.

Hikvision's 'security code' feature allows unauthenticated users to access Hikvision recorders locally regardless of the admin password strength. Hikvision has used this as a tech support feature, as we covered and explained in this report.

Hikvision has historically called this 'security code' or 'security codes', e.g.:

Now, anyone with this program can generate a security code that resets the admin password and takes over the Hikvision recorder. Hikvision does not allow disabling this 'security code' feature.

Inside this note, we show how the program works, what it does and what risks it poses.

Cracked ******* ********

*** **** ********* ** *********** ** a ***** (****) ******* **********. ** does *** ******* *** ************ *** can ** *** ******** ******* ************* access ** *** ******* ************. ** are *** ************ *** *******, ** it ******** * ******** **** ** Hikvision *****.

** *** ******* ** *** **** generator, *** ****** **** ******** *** IP ******* ** *** ********* ********:

****, **** *** ** ******* ** verified ** ***** * ********* ****** you *** ***** *** ****** ****** of *** ****, *** *** **** you **** ** ******** * ***** code ***. **** **** ****, *** software ******* * ******** **** **** can ** **** ** ***** *** admin ********:

*** **** *** **** ** **** on *** ********* ******* ** **** out *** ***** ******** *** *** a *** ***, ** ***** ***** on *** **** ****:

* ******* ** *** ******** ** demonstrated ** * ******* *****:

[******] - *** ******** ****** ******* the *****, ** *** *** ******* a ***** *********** ****** *** ****** for ***** **.

***** **** *****, *** ****** ***** the ******* ** ******* *** ****, to ******** ***** *** ****** *****, or ** **** *** ****** **** of *** **** *** *********.

Feedback **** ******* ******* ******

*** ****** ** *** ********, ***** [link ** ****** *********]******, **** ** did *** ****** *** **** *** hacking, *** ******* ** **** ******, and **** *********** *** *** ******* channel. ** **** ** ** ******* on ******** *** ******** ** ******* reset ***** *** **** ********* *******, as ** ********* **** ***** *** recorders. ** **** ****** **** ******* assistance *** ********* ****[****** - *** ****** ******* *** Facebook **** ** ****].

Works ** *** *-***, ****** ***** ****

**** ******** **** *** ******** **** crack ******* ***** ** ** *** W-Box ******** ***** **-*******, ********* ******* over *** ***** ******* / **** on ***** ******** ** ***** ** the ********** *****:

** *** ****** *-*** ******** (*.*.*) the ***** **** ******, *** ******* to *** ********* ******** ** *** to ** ******* ** *** ********* local *******.

** ******* **** ************** **** (** ***** ***** *** easily **+)*** ******** ** **** ** ****.

[******: *-*** ***** **** ****.*.* ***** ****** (******** ****). *** ****** ** ******* *** code *** **** *******.]

Benefits ** ********* ******* / ********

********* ******* *** ******** *** ****** their **** ******* ***** *** **** by ********* **** ******* *** ***** password ****** ** **********, ****** **** having ** ******* *** **** *** Hikvision ** *******.

Benefits ** ********* ***********

********* ***********, **** *********** *** *************, can **** *** ***** *** ******** Hikvision ** ** ***** **** ******* to ****** ********* *********. ** ***** for * ******** **-**** *************, ********** since ********* *** ******** *** *********** of ****** ********* **** *** *** be ****** **********.

Detrimental ** ********** ********* *****

*********'* ** *** ****** ********* ******** with ****-****** ******* (******, *******, ***.) often ******** *** **** ********* ** lower ******. *** ********* *********'* ********** team ****** ** *** ******* ** get ******** ********* ******* *******, **** as *** ***** ******** ******. ** obtaining **** ****, ******* *** ******* their *** ******** ****** *** ********* without ******* ** ******* ********* *******, reducing ***** ********* ** *** ******* authorized ********.

Cannot ** ********

*************, *** '******** ****' ******* ** hard ***** **** ********* ********* *** cannot ** ********. ** **** ******** with ********* ** ** **** **** would *** **** ****** ** ***** users ** ***** **** *************.

Atypical *** ******* *************

*** ***** ******** ***** ******* ** rare ******* ** ******* *********. ***** has * ******* '***** ********' *******, and ** *********************** ******* *** ******** ****** ******** codes, *** ********* **** ********, *******, Milestone, ***. ** *** ***** * person ** **** ** ** *** recorder *** **** *** *** ***** password **** ******* *****.

Cybersecurity ******** *** *********

************* *** **** ** ******* ***** for *********. *** *********** *** ***** passwords ** ** ***** ** ***, and ******* *** ********* **********, ** an ***** ******. ****** *** ***** code ********* ****** ********* ***** *** systems **** **** ******. ********* *** made********************** **** **** ************* *********, *** they ***** ******** **** ***** ******** that ***** ***** ********* ** ** wiped *** ******, *** ******* **** notifying ***** **** **** ********.

********** *********, ***** ********* ** ****** to ****** ***** ********, **** *************** like ****** ***** ******** ****** ** severe ***********, *** **** ***** ****** any ******* **** ****** **** **** security.

UPDATE - **** ******* ** ******** *****

**** ****, ****** *** *** ******** in *** **** ** * ******* executable ********* ********** ** ******** **********-***** versions, ******** ** *****:

*** ******* ****** **** *** ** these ***** ******** *** **** ****** from * ***** ****** ******/**** ******. Though *********** ** *** ********* **** ********* it *** *** **** ** ***** firmware, *** ***** ***** **** ** does ***** **** ** ****** ******** firmware, ** ** ****** ** **.*.*.

*** ******* *** ********** ***** (*** presumably *** *******-***** ****) *** ** compute ***** ***** ***** ** ***** below, ********** **** **** **** *** device's ****** ****** *** **** ******** is ********** ** * '***** ******', with *** ****** ** *** '***** number' **** ********* ** ***** ********** that *** ** ******* ** * standard ********:

Update * - ********* ******** **** "******** ***** ******"

** ****** **, ****, ********* **** a '******* ********' ***** * **** ******** ******** "********* NVR/DVR ******** ***** ******". ** ******** * ******* ** evolving ********** ** ******** ********* ****** various *********. ** **** ********* * call **** ********* ********* *************** ** go ******* *** ******* *** **** to ****** *** **** ***********.

*** ********* *****:

(*) ********* ****** ** *** ******** codes ** "**-****** ********* '******** ****'". To ** *****, ** *** *** term '******** ****' ******* **** ** Hikvision's *** **** *** **** *******, e.g., *** ******* ** ********* ********* calling ** * '******** ****'.

(*) ********* ******* ****** *** ******** that ***** ******** **** *** *******. Rather **** ********* * ***** ******** that ***** ******** **** *******. **** approach ** **** ** **** ** reviewing ** ****** **** ********* *** then ******* ** ******.

Update * - ****/*** ******** ** ********* ******** *** *** ******

*** ******** ** *********'* ******** *** been ********:********* ******** ** ******* ******** *****

Comments (59)
Sean Nelson
Aug 08, 2017
Nelly's Security

A reset button on the physical motherboard would be the best option to alleviate this issue. It would be secure, effective, and would reduce tech support costs as well

Undisclosed Integrator #1
Aug 08, 2017

To be clear, does this only work locally on the LAN or is there a way to use this remotely as well? I don't think the SADP tool works remotely but I want to make sure I understand that part accurately  

Brian Karas
Aug 08, 2017
IPVM

SADP primarily relies on multicast and broadcast packets, so you are limited to using it on a LAN (or VPN).

Brian Karas
Aug 08, 2017
IPVM

UPDATE -

Added some additional detail to the Cracked Program Overview section:

The code generator is distributed as a small (53KB) Windows executable. It does not require any installation and can be run directly without administrator access or any special requirements. We are not distributing the program, as it presents a security risk to Hikvision users.

Undisclosed Integrator #2
Aug 08, 2017

Hey Brian,

How does this program differ from the "HikVision Password Reset Tool" that is currently on ipcamtalk? From what I can determine it looks like it is just a different GUI from what they have posted on their webpage.

 

https://ipcamtalk.com/pages/hikvision-password-reset-tool/

Brian Karas
Aug 08, 2017
IPVM

We did some tests of this newer tool and the previous version you referenced. They produced the same output from the serial numbers/dates we tested with. You are correct that they are basically different GUIs producing the same results.

The following update was added to the report to reflect this:

UPDATE - Same Results As Previous Tools

This tool, though new and packaged in the form of a Windows executable, functions comparably to previous JavaScript-based versions, examples of these:

Our testing showed that all of these tools produced the same output from a given serial number/date string. Though a discussion on the ipcamtalk tool indicates it may not work on newer firmware, tests prove that it does still work on recent recorder firmware, as it was tested on version 3.4.5.

The method the JavaScript tools (and presumably the Windows-based tool) use to compute these reset codes is shown below. Ultimately, some data from the device's serial number and date settings is multiplied by a 'magic number', with the digits of the 'magic number' then converted to ASCII characters that can be entered on a standard keyboard:

 
Undisclosed Integrator #1
Aug 09, 2017

I thought the codes generated on the forum were for older versions and didn't work anymore. But maybe they still work on NVRs?

Brian Karas
Aug 09, 2017
IPVM

From our tests, the recorders can still be reset with these codes, though not always via SADP; in some cases the reset had to be done from the recorder's local console. Still, they work, and present a security risk.

 

Sean Nelson
Aug 09, 2017
Nelly's Security

Unless we are missing something, we tried the IPCT generator on some newer firmware products and it didn't work. We will try again to confirm.

Brian Karas
Aug 09, 2017
IPVM

Sean - can you provide details on what products/firmware versions you tested? Also, did you try the reset codes only via SADP or also from the local console?

Ryan O'Daniel
Aug 09, 2017
IPVMU Certified

The reset tool works at the NVR itself on "older" firmwares that have the hidden menu that allows you to enter a secure code.  The newer firmwares don't have the hidden menu on NVRs/DVRs, instead asking for a GUID password file that is supposed to be created during the initial setup. 

This morning I tested it on a camera with firmware 5.4.0, a camera with firmware 5.4.3, and 5.3.6 and none of them worked. 

However, it will reset cameras with firmware below 5.3.0.  I tested it on an OEM DS-2CD2020-I with firmware 5.2.0 and it worked.

Brian Karas
Aug 09, 2017
IPVM

"This morning I tested it on a camera"

As mentioned multiple times in the report, this was targeted at recorders, not cameras. Even recorders with recent firmware could be bypassed using the codes generated.

Overall, I consider recorders to be a bigger risk than cameras for this. If you are deploying a Hikvision recorder, the cameras are typically going to be "behind it" from a network perspective, and most likely not directly accessible. Additionally, the cameras would typically not store any video.

The recorder, however, has stored video, and provides access to all the cameras connected to it. Bypassing the recorder's authentication opens up the user to a much larger overall risk.

Joseph Marotta
Aug 08, 2017
IPVMU Certified

You left me hanging on this incomplete sentence....

"Our testing showed that all of these tools produ "

Steven Burman
Aug 09, 2017

To be fair, HIK is not the only manufacturer with a back door around a password. I had a client lose the password to their Bosch Dibos DVR, and the factory provided a work-around which allowed me to reset to default. Granted, this was around 2003 or so, but I'm sure some manufacturers still do things this way.

Brian Karas
Aug 09, 2017
IPVM

You are correct that Hikvision is not the only company with a back door password, we pointed out Dahua and XiongMai as two other companies that also take this approach. It was also noted that this is far less common among non-Chinese manufacturers, but if anyone has specific current references (e.g.: a 2003 scenario is not a valid example) we would be interested in hearing what other manufacturers take this approach.

Additionally, there is a difference between a "reset to defaults" and an admin password reset. With a default reset, the situation should be much more obvious, and would hopefully include wiping out stored video or making it unretrievable. This at least makes it easier to notice that the unit has been compromised, and hopefully makes it so that someone cannot retrieve data from the unit if it is compromised. It also matters how the reset is carried out, requiring physical access to a switch or jumper inside the unit also makes it much more difficult for an attacker to do this without being noticed.

 

Steven Burman
Aug 09, 2017

Yes, as mentioned in my post, a 2003 anecdotal reference has questionable validity in 2017, however, I wouldn't be surprised to find this is still a practice even for non-Chinese companies. And I do recall that the only change to the Bosch unit was a resetting of the password, all data was left intact. A final note, saying that there is a difference based upon what "should be" and  "hopefully" is happening doesn't validate any difference.

Undisclosed Integrator #3
Aug 09, 2017

This used to be the way. I am pretty sure that this method works for 90% of the Hikvision devices out in the field. I have used IPCAMTALK's tool mostly to reset admin password but lately with newer Hikvision's firmware, 5.4.x (these are for cameras), the method discussed here no longer works.

On a NEWER Hikvision firmware, one would have to export an XML file from the camera/DVR using SADP on a local network, then send it over to Hikvision Techsupport. Hikvision Techsupport would email you back a one time reset file that you can import back using SADP, then the admin password would be reset.

Hikvision did make sure that my cameras were purchased through authorized resellers such as ADI before assisting me further.

John Honovich
Aug 09, 2017
IPVM

Myung, thanks for the feedback.

"Hikvision did make sure that my cameras were purchased through authorized resellers such as ADI before assisting me further."

Question: curious, how did they make sure of that?

Mike K
Aug 09, 2017

Hikvision USA were able to distinguish if the products were sold to ADI, Tri-Ed versus OEM like Winic.

They must have access to Hikvision's China master database of some sort. I tried once to get techsupport on a Winic Hikvision OEM, but knew exactly that this was sold to Winic. They were pretty irate about it too, but understandable. Told me to call them because this is OEM Hikvision, not Hikvision brand.

Undisclosed Integrator #1
Aug 09, 2017

Hikvision requires you to submit the serial number of the unit. That's how they track it. 

Undisclosed Manufacturer #4
Aug 09, 2017

On really new Dahua firmware, exporting the XML is also an option for resetting the admin password. Dahua also have a new online system that goes through their email server. You press "Forgot Password" on the GUI and it sends a security code for you to change the admin password on the local GUI.

Brian Karas
Aug 09, 2017
IPVM

UPDATE -

Added some additional detail to the W-Box test session to list the model number tested (0E-41TP1UN) and to clarify that it worked over SADP for older firmware, and via local console only for newest/latest firmware, 3.4.2.

 

Undisclosed Integrator #1
Aug 09, 2017

This is starting to sound like old news. The online generator for older cameras and firmware has been online for years. Newer firmware has fixed that. When I first read this I was thinking someone had cracked the new way to reset password but that's not the case. 

The only problem here is that some devices still can have their passwords reset the old way because they're running old firmware, is that correct?

Brian Karas
Aug 09, 2017
IPVM

"The only problem here is that some devices still can have their passwords reset the old way because they're running old firmware, is that correct?"

Undisclosed Integrator #1
Aug 09, 2017

Which hikvision models did you test with the latest firmware? 

OEM models might still have this issue because they don't upgrade to the latest versions or security protocols. That's up to the OEM.

Undisclosed Distributor #8
Aug 10, 2017

I suspect this is for low-end models, not I and K series, neither Blazers. 

Will check when I get back to the office.

Undisclosed Integrator #1
Aug 10, 2017

Just checking in again, was this test performed on branded hikvision products with the latest firmware? Or just the w-box unit? 

Brian Karas
Aug 10, 2017
IPVM

These are the models/firmware versions that we were able to successfully perform the admin password reset on:

Hikvision DS-7604NI-E1/4P firmware:

V3.4.3 build 160822

V3.4.5 build 170224

Wbox 0E-41TP1UN firmware:

V3.0.8 build 151103

 

We did also try the process on a Northern Video NVR and an LTS NVR, neither of which accepted the generated code when attempting an admin password reset.

Undisclosed Integrator #1
Aug 11, 2017

So based on Hikvision's bulletin, the newer NVRs aren't affected anymore. Those run the latest firmware, for example the I series NVRs.

The issue is only with the older NVRs. Cameras no longer work with these security code tools and newer NVRs don't either.

 

Undisclosed Integrator #5
Aug 09, 2017

I don't believe Hikvision is the only manufacturer who has a way to take over a recorder without having the password codes. I have used others who have back doors when passwords are lost or forgotten so we can get back into the recorders - (this includes some access control manufacturers as well). If I arrive at a competitor's site running these recorders I know I can take them over within minutes. You do have to be onsite (or remotely logged in to the local server with a TeamViewer type program) and within minutes have all passwords reset to defaults then changed to our standard password protocols. For 1 manufacturer I keep the back door instructions on my phone so I don't have to call tech support to help me back door in - and I'm not a tech, I'm in sales! So it isn't just a Hikvision issue, the reported way may be a different way to do it, but it's possible to get into other recorders without knowing the passwords.

Additionally, who would the end user be worried about with this code cracking information.  Seems that the hacker needs to be onsite - so it's unlikely an unknown person would be the culprit, and what's the chance that a known person would have the right skillset to pull it off - outside of the IT department - who may already have the passwords.

Undisclosed Integrator #2
Aug 09, 2017

The biggest issue with this password reset method is that all you need to utilize it is access to the LAN. Once I plug my laptop into an unsecured port on the security network with HikVision Cameras I now own them all. This is in comparison to other manufacturers that have a physical reset button that must be used to reset the admin password. Just my 2 cents on the discussion.

Steven Burman
Aug 09, 2017

This forum seems to focus specifically on HIK even though some of the issues are industry wide. It grows tiresome. Being a professional site selling market research to the industry, personal attacks driven by animosity really do not belong. 

Undisclosed Integrator #2
Aug 09, 2017

I agree. The same issues can be seen on a large range of CCTV Products. I just ended up focusing on HikVision in my comments because they were the topic of this post. Did not mean to target HikVision individually. 

Steven Burman
Aug 09, 2017

I wasn't speaking of your post, but of this site's readily apparent animosity towards HIK. I really don't understand why they are focused on when there is a plethora of low-end IP camera manufacturers selling cheap cameras with poor or no cyber-security protections. I'm not defending HIK, quite the contrary, I typically stay away from so-called "bargain brands", unless specifically called out by my client. But as I said, I grow tired of seeing what is obviously a personal enmity portrayed as "market data". 

John Honovich
Aug 09, 2017
IPVM

Steven, thanks for your feedback. I appreciate it.

As for our animosity towards companies, this is a common accusation. In alphabetical order, routinely ADI people think we hate them, Anixter people think we hate them, Avigilon people think we hate them, Axis people think we hate them, on and on...

Our focus is large players that impact the market. So Hikvision and ADI and Anixter and Avigilon and Axis, etc. are going to take far more criticism than small players. This is for a simple reason - those big companies far more impact the professional market (which is what IPVM focuses on) than smaller players.

"plethora of low-end IP camera manufacturers selling cheap cameras with poor or no cyber-security protections"

For example, recall the recent 175,000 camera vulnerability for 'NeoCoolCam'. We saw this immediately and reviewed this. We decided not to do a post, not because we 'like' the 'NeoCoolCam' people (we have no idea who they are) but because we know our members overwhelmingly neither use nor compete with them, so it is irrelevant to what they do.

I hope that helps explain our editorial process. Happy to answer more questions here.

"personal attacks"

Steven, what type of 'personal attacks' specifically do you feel IPVM is making against anyone?

Steven Burman
Aug 09, 2017

Against HIK. If I were to count the total number of "negative" posts involving manufacturers, am I incorrect in postulating that the number of articles unfavorable to HIK would far outnumber articles referencing other manufacturers? 

John Honovich
Aug 09, 2017
IPVM

Steven,

We have plenty of positive posts about Hikvision, just from the summer so far:

We are going to have more positive and negative posts about Hikvision than we are going to have about almost any other company because of Hikvision's sheer size.

Steven Burman
Aug 09, 2017

Metrics such as this prove nothing. If you do a complete review, say for a period of 1 year, showing the number of favorable versus unfavorable results for the 5 most mentioned entities, what do you suppose that would show? My own perception is that you lean heavily towards the negative where HIK is concerned. I could be wrong, and it wouldn't even be the first time.

John Honovich
Aug 09, 2017
IPVM

Steven,

You claim IPVM has made "personal attacks" and has "personal enmity" against Hikvision.

I have given you multiple examples of positive reporting that a reasonable person would conclude that someone with 'enmity' and 'personal attacks' would not do. And yet you dismiss it as, and I quote, 'nothing'.

IPVM criticizes lots of things and lots of companies and many companies are going to receive net negative criticism. But just because we are critical does not mean we are wrong or that we are 'personal' against them.

I am now asking you again - specifically what reporting that IPVM has made is 'personal' in nature against Hikvision?

Steven Burman
Aug 09, 2017

Because the number of articles unfavorable to HIK seems to heavily outweigh articles unfavorable to other manufacturers. And a reasonable person would want to weigh the number of negative articles over the summer compared to the number of positive ones, and use that as a metric to compare with the positive / negative ratio of articles concerning other manufacturers. Stating that you posted 4 "positive" articles over the summer has no merit whatsoever without the comparatives mentioned above. So your statement that I dismissed your 4 as "nothing" wasn't entirely accurate. Because any reasonable person would disregard the 4 positive articles if there were 25 negative ones, and unless the other vendors mentioned shared this >5/1 ratio, the same reasonable person would probably conclude that you did indeed have some personal enmity against them. 

John Honovich
Aug 10, 2017
IPVM

"that you posted 4 "positive" articles over the summer has no merit whatsoever without the comparatives... disregard the 4 positive articles if there were 25 negative ones"

Steven, be fair. We have not published anything close to 25 articles total on Hikvision this summer. If you want to criticize us that is fine, do it on facts, do not employ hypotheticals that are clearly false.

This summer, since June 21st, we have published 93 total articles, 12 of which have been on Hikvision, including this one here.

In addition to the 4 positive ones cited above, we have a positive comparison vs Dahua - Dahua 4K Turret Tested Vs Hikvision (N84BG44) and 2 other tests that are neutral to positive - Hikvision 8MP Low-Cost Camera Tested and Hikvision H.265+ Bullet Tested (2035).

So your hypothetical is clearly wrong.

That said, IPVM does not aim to be 50/50 on any company or topic. We don't have 'quotas' for 'positive' or 'negative' coverage. Our goal is to cover important topics to the industry accurately.

I will ask you a 3rd time Steven, beyond the sheer number of articles we write, what specifically in the actual reporting consists of 'personal attacks'?

Undisclosed #7
Aug 10, 2017

Your argument, without evidence beyond your own opinion, incorrectly conflates 'numbers of negative posts' with 'bias'...  it is not true just because you say it is true.

Further, imo, the remainder of your comments are then focused on knocking down that self-created 'bias' straw man.

Hik is the world's largest surveillance equipment provider. THAT is the causation for 'numbers of posts'.

The higher number of negative posts in relation to lower number of positive posts can just as easily be ascribed to the way in which this company has historically handled/responded to repeated publicly exposed vulnerabilities in their own hardware/software.

If a company has experienced seemingly sustained occurrences of different vulnerabilities over a period of time - no matter what it is that this company produces - I find it hard to justify a claim of bias when the vast majority of news stories covering these sustained occurrences of vulnerabilities are negative.

Steven Burman
Aug 10, 2017

I guess you missed the whole "my perception is" and "my opinion is" in my posts. And your whole "knocking down the bias straw man" is funny. I do enjoy slapstick humor. But I've now wasted far more time on an inconsequential subject than I originally intended. 

Undisclosed Integrator #9
Aug 10, 2017

The best way for Hikvision to avoid having negative news would be for them to fix their constant security breaches, government subsidization, and other items that are brought up.  Complaining that someone calls them on it does not solve anything, solving and preventing these items does.

John Honovich
Aug 09, 2017
IPVM

Note: Based on discussion here, we have started a new topic - Forgot Recorder Password, How To Recover?

Also, we are checking on the comment made about Dahua recovery method. Any inputs on other manufacturers, please add to this topic.

Undisclosed Manufacturer #6
Aug 10, 2017

I think that the issue is that their method of password recovery is considered a back door.  This has been discussed here recently. 

Many manufacturers I have worked with, when you default the device, all programming is wiped, so that an attacker doesn't get access to the settings.  This way to someone watching the monitor, etc all appears normal while they p0wned it in the network side. 

 

Here, the reset simply wipes the password giving you full access to the system as it was previously configured. 

For best cyber security practices, this should be restricted to requiring physical access or out-of-bounds (OOB) access. A network device shouldn't allow a reset over the network.

Think about Cisco or other brand switches. You need physical access to press a button sequence and a console cable for local rs232 access. 

Joseph Marotta
Aug 10, 2017
IPVMU Certified

Hikvision just sent out an email Special Bulletin regarding this issue.  In it they said:

"The update is intended to clear up any misunderstandings stemming from an Aug. 9 online report of a so-called Hikvision 'security code' being 'cracked' via a security-code generating software program."

You don't think they are referring to IPVM's article, do you?!   :^P

Brian Karas
Aug 10, 2017
IPVM

UPDATE:

Hikvision has responded, though not directly to us, they did send a Special Bulletin email out. We have updated the report to reflect this:

Hikvision Responds With "Password Reset Update"

On August 10, 2017, Hikvision sent a 'Special Bulletin' with a 2 page document entitled "Hikvision NVR/DVR Password Reset Update". It explains a history of evolving approaches to resetting passwords across various recorders. We have requested a call with Hikvision technical representatives to go through the details and plan to update the post accordingly.

Two immediate notes:

(1) Hikvision refers to the security codes as "so-called Hikvision 'security code'". To be clear, we use the term 'security code' because that is Hikvision's own term for this feature, e.g., see excerpt of Hikvision documents calling it a 'security code'.

(2) Hikvision neither denies nor confirms that their security code was cracked. Rather they emphasize a newer approach that would overcome this problem. This approach is what we will be reviewing in detail with Hikvision and then posting an update.

Undisclosed Manufacturer #6
Aug 11, 2017

The update clearly misses the mark.  1) The units CAN be reset by Hik or ANYONE else with the algorithm, which clearly has been cracked. As mentioned above, they don't want to really acknowledge that these codes exist, and anyone can call in and get one generated.  2)  They want you to send them a GUID key.  A properly locked down IP device that requires user authentication will NOT allow you to download this file via SADP, since you don't know the password and have not been authenticated.  The only thing that should be exposed is by the discovery tool/protocol - IP address and that is it...

 

I believe the generic term for these types of codes is "One Time Use Passwords", meaning that they are based on the time/date of the unit and will expire in 24 hours. Of course, from the screenshot, HIK seems to be providing the codes for a few days, again making it even more dangerous.

Undisclosed Integrator #10
Aug 14, 2017

You can crack a Windows machine admin login as well. Nothing new here.

Giancarlo Favero
Sep 08, 2017

I agree 100%.

I don't understand all this fuss.

The fact that you must be either physically plugged or on the same LAN, greatly decreases the risks.

And again, once you eventually reset the password and gain access to the DVR/NVR, you have access to some worthless, meaningless images that nobody cares about: only an idiot could spend time and effort pursuing that. You don't have access to personal data, credit card numbers, medical data, nothing. Once again, security in videosurveillance is way overestimated.

And thank God that you gave a utility to recover from lost passwords: last time a client of ours forgot the password of a Mobotix camera, he had to spend several hundred Euros to send the cameras to Mobotix in Germany, what the hell!!

P.S.: no big surprise Mobotix is virtually disappearing from the videosurveillance market and lost almost 60% of stock value in recent months.

I am beginning to be fed up by this completely biased, tabloid-style garbage journalism.

This time thumb completely down.

Giancarlo Favero

John Honovich
Sep 08, 2017
IPVM

"I don't understand all this fuss.

The fact that you must be either physically plugged or on the same LAN, greatly decreases the risks."

Yes, it is not as much a risk as the Hikvision backdoor.

However, it is certainly a risk and a risk that Hikvision was well aware of, that's why Hikvision changed the code generation process - Hikvision Responds To Cracked Security Codes.

Brian Karas
Aug 14, 2017
IPVM

UPDATE -

We had a technical update call with Hikvision on Friday August 11th to discuss the security code crack, and steps Hikvision has taken to make it more challenging to crack the security code. We will be publishing a new report tomorrow (August 15th) with our analysis of Hikvision's updated admin password reset process.

Sean Nelson
Aug 14, 2017
Nelly's Security

Glad to see you guys are on speaking terms again. It does appear that the Hikvision reporting lately appears to be more objective than opinionated lately. Excellent.

Undisclosed #7
Aug 14, 2017

nice slam masquerading as a compliment.  :(

Brian Karas
Aug 15, 2017
IPVM

Update - Good/Bad Analysis Of Hikvision Response And New Method

Our analysis of Hikvision's response and the new password reset method has been released: Hikvision Responds To Cracked Security Codes

Dawid Adamczyk
Aug 15, 2017

I guess you "like" HIK much. Try to test Dahua against RAT cctv super password - gaining access to Dahua DVR/NVR is more than easy.

Robert Shih
Aug 16, 2017
Independent

I will neither confirm nor deny *shrugs*. Honestly, we just need physical reset buttons and just not have a password recovery method that's worth the time and effort altogether. Physical access should take care of everything. Then again, what do we do about physical theft?

John Honovich
Aug 31, 2017
IPVM

UPDATE: W-Box fixed this in V3.4.2 build 170816 (download here). The option to request the code has been removed.

John Honovich
Sep 08, 2017
IPVM

Update: Our new Interlogix test shows Interlogix recorders are still vulnerable to the cracked security code process:

Interlogix recorders' passwords may be reset using the Hikvision security code generator detailed in our report Hikvision Security Code Cracked. Entering a code from this tool in TruVision Device Manager resets the password to default (admin/1234). Note that Hikvision and other OEMs have removed this capability in new firmware.