How To Hack Your Company's Hikvision Recorder

Published May 29, 2017 12:00 PM

****'* *** **** ** ** ** hack **** *******'* ********* ********:

  • ** **** *** ****** *** **** or ****** *** ***** ******** **.
  • ********* **** ******* **** ***.
  • ********* **** *** ****** ** ** with ** ************.
  • *** ****** ******* **** '*******'.
  • *** ** *** **** ** **** physically *** ** *** ********.

** **** ****, ** ***** *** test ****** ******** *** ******** *** benefits *** ***** ** **** ********.

Executive *******

********* ***** * ***** **** ** override *** ******** *** ****** *** recorder ** ****** ******* **** *** recorder's ****** ******. **** ****** **** physical ****** ** *** ******** (*.*., at * *******) *** **** **** the ********, ********** ** *** ****** the ******** **.

************

** ****** ******** *********'* *** ************* video.

[******: ********* *** ******* *** ************* video *** *** ***** *** *******.]

*** ****** ***** *** * **** on *** ******** ***** **** *** Hikvision ****** *** ****** ****.

Remote ******** ***** ***** ****

***** *** ********* **** ********, **** the ***** ******* *** ********* *********:

***** *** ****** ******** ***** ******** "Forgot ********", ****** *** *** ****.

** *** ******** ***** **** ***** the *********** ******** ********* *** *** file ********* **** *** "******" ******.

* ************ *-**** ** **** ** let *** **** **** * ****** is ****.

~** ******* ***** ******* *-**** ** sent ********** *** ***** ****.

***** ********* "***** ***" **** **** in (** ****/*****) *** **** ********* provided *** ****** **** *** ********.

*** **** **** **** ********* * successful ******** ***** ********** **** ***.

Test *******

** ****** **** * ****** ** times *** *** ** ********. ** submitted ***** **** *****, ********* * request '****'*********'* ******** *** ********* ***** ********* Chen ********.

** **** ********* *** **** ****** number ***** ********* **** ***** *** received *** ****** **** ********. ** received ********* ****** * **** **** electronically ** **** ** ******* * code **** *** ***** ** * few *******. ***** ** ** ******* of *** ********:

No ************ ********

********* ***** ** ******* ** ********* or *********** ** *** **** ** authorized, *** ****** *****, ***.

No *********

*** '*******' ****** ** ********, ** users *** **** **** ** * security **** ** **** ** ****** the ****** **** ** ******.

******

*** ***** ****** ** **** ** is **** *** ****** ****** *** to *** ****** ** ***** ********* recorder. **** ********* ****** ** ******** in ********* * ********.

********

*** ******** ** **** ****** *** can ********** ****** *** ******** *** easily *** ***** ****** / ******* of *** ********.



Comments (38)
Undisclosed #1
May 30, 2017

(Undisclosed Manufacturer 1 is a Dahua employee)

It is even easier to generate a password reset with Dahua, or any of their OEMs.

(3)
(3)
Undisclosed Integrator #2
May 30, 2017

(Serious Question)

How is this new news? I have done takeovers on HikVision Systems before and all I had to do was TFTP the NVR to a new firmware and send in the request for a password. Before then I used the "HikVision Camera Admin Password Reset Tool" outlined on the IpCamTalk forum below and guessed/checked the date until I got lucky.

https://ipcamtalk.com/threads/hikvision-camera-admin-password-reset-tool.2837/

 

(On a side note I agree UM#1 Dahua's system is even easier to takeover and there are others that are probably just as simple)

(5)
(4)
Shay Fogel
May 30, 2017

Hikvision is not different than others: Dahua uses a monthly reset password list for local access, and others use a front panel key combination or similar methods. All assume that having physical access to the recorder means that you own it.

It is not acceptable in high security, but this practice is a better service for the installers and users who often forget or lose their password than for those few who require high security but still expect to get it from such a recorder. They can restrict physical access to the recorder.

With almost all recorders of this level I am familiar with, once you have physical access to one, you can take out the hard drive, install it in another identical system and have full access to the recordings, meaning there is no encryption of index or video files.

Brian Karas
May 30, 2017
IPVM

I agree that in most things security-related, physical hands-on access trumps almost any security mechanisms. In this case though, you do not need hands-on access, you only need LAN access (of course, if you have physical access, it works from a local console too).

Personally, I could see many cases where a slightly tech-savvy and negatively motivated employee in a smaller retailer using Hikvision recorders could use this to compromise the system, even if the recorder was "secure" in the manager's back-room office.

Being able to reset a core security device over the LAN, even with secret codes provided by tech support, is a flawed design, IMO. Hikvision is not the only company that allows for this, but again, with them being a large manufacturer, and claiming commitments to cyber security, this is another massive oversight on their part.

 

(5)
Rob Dunham
Apr 24, 2022
Tailored IT Solutions

I realize this is an old post, but anyone who installs an NVR on an accessible LAN is a bit of a hack anyway. Unauthorized personnel and machines shouldn't even have access to the box over the LAN to begin with. So really it's kind of a moot point.

I also realize that NVRs are installed this way and that smaller installations and budgets may prevent anything else. But we also have to recognize that cameras are not security unless they are truly closed circuit. Today's network attached cameras present the same liability as any other network attached device, and really moreso. They should NEVER be attached to any network with critical infrastructure to begin with and they should NEVER be relied upon for security. They are dependable strictly for surveillance. And if you don't physically secure access to the box and the network it lives on, then you have to assume the risks that come with that choice.

Decent routers aren't (at least not all) that expensive. Put the cameras and NVR on a separate subnet using a router with a built-in firewall. Add a MAC filter and a basic ACL and you're done. Unless someone rips a camera off the wall and plugs in a laptop, you're pretty safe, and you only need enough horsepower to provide throughput to a single interface. The world's smallest pfSense box would do the trick.

Michael Miller
Apr 24, 2022

I realize this is an old post, but anyone who installs an NVR on an accessible LAN is a bit of a hack anyway.

So a client has 100 locations and wants to view all sites as one system; you're saying people are hacks for installing this?

Rob Dunham
Apr 24, 2022
Tailored IT Solutions

That's a wildly big leap. How does that have anything at all to do with what I've said? Sorry if I'm missing the obvious but I don't see how those things are related.

Brian Karas
Apr 24, 2022
Pelican Zero

I realize this is an old post, but anyone who installs an NVR on an accessible LAN is a bit of a hack anyway. Unauthorized personnel and machines shouldn't even have access to the box over the LAN to begin with. So really it's kind of a moot point.

LANs are commonly made up of all kinds of devices - computers, printers, IP Phones, security equipment, and so forth. If you cannot choose and install a product with sufficient security, then you are a hack. There is nothing about an NVR as a device concept that requires it be a security risk to a common LAN. There are things about certain NVRs (and other devices) that make them a poor choice for any environment, regardless of network topology.

(2)
Undisclosed Distributor #3
May 30, 2017

The title of this piece is misleading, this is not a "hack".  I would rather see this titled as "How to use Social Engineering to Access Your Company's Hikvision Recorder".

(8)
(8)
(1)
Undisclosed Integrator #5
May 30, 2017

Social Engineering is hacking IMO.

Entertaining video using these hacking tools.

 

 

(5)
John Honovich
May 31, 2017
IPVM

Social Engineering

This is not social engineering per its definition, i.e., "psychological manipulation of people into performing actions or divulging confidential information."

With Hikvision, there is no need to 'manipulate' them because they will gladly send the reset code to anyone who requests regardless of whether they use a real name, fake name, etc.

Indeed, Hikvision evidently does not believe this is 'confidential information' since they are happy to disclose it to anyone, without vetting.

That said, I agree with your underlying point that Hikvision should consider this confidential information and vet requesters.

(2)
(1)
Undisclosed Integrator #4
May 30, 2017

How could they verify a user? What's IPVMs suggested solution for this?

If you give the customer an option to disable password resets and they forget their password, then what?

I don't see another solution right now that wouldn't cause huge headaches or issues for customers with the products because many forget passwords, change integrators, or ownership simply changes. 

To me, physical access to the LAN is physical access to a networked based device. If you don't want your employees accessing the NVR in this way, then it should be segregated anyways.

(1)
Brian Karas
May 30, 2017
IPVM

How could they verify a user? What's IPVMs suggested solution for this?

There are a few options:

  • Remove this feature and rely on a physical reset button inside the case, making any kind of remote/LAN reset unavailable
  • Only offer the Self Serve Password Reset option
  • Require some form of proof of ownership (physical image of unit with serial #, along with other proof of ownership), similar to how some online banks or other organizations handle lost admin authentication credentials

To me, physical access to the LAN is physical access to a networked based device. If you don't want your employees accessing the NVR in this way, then it should be segregated anyways.

(8)
Rumen Palmov
May 30, 2017
  • Remove this feature and rely on a physical reset button inside the case, making any kind of remote/LAN reset unavailable

 

Not a good idea. Neither the manufacturer, nor the installer/SI would want the user to disassemble the unit and meddle with the bare electronics inside.

  • Require some form of proof of ownership (physical image of unit with serial #, along with other proof of ownership), similar to how some online banks or other organizations handle lost admin authentication credentials

This also seems impractical and possible to cheat - after 5 min. search on the net you can get such physical images:

http://images.locanto.net/1375830265/HIKVISION-CCTV-DVR-with-4-RDS-Day-Night-Cameras-Imported_3.jpg

http://ipdaily.net/ipcamtalk/img2.jpg

https://camerahikvision.net/wp-content/uploads/2016/04/13318584_1183207298396167_75654126_n.jpg

From there on - it's another 5 min. of Photoshop work to overlay the code you want on the picture. And then if a Hikvision person has to physically confirm the picture - how many employees would be needed for that for the world market? And what about the case when you have bought a site/premise/building with the recorder inside - what kind of proof of ownership can you supply? Or when your IT/security guy has left the company taking the password with him?

The feature is a simple and useful means to keep the device running, saving a lot of time for both the user and the installers. We, as a distributor, have saved lots of time and effort resetting many devices via this procedure, rather than sending a technician to investigate or asking the customer to waste time bringing the device to our office. For 90% of the cases this is OK for all parties involved. On many installation sites there is not a secure room for the recorder to be placed in, so having a reset button on the device would make it actually more vulnerable.

Indeed cyber security is an important aspect of the business, but let's not bring this to obsession or conspiracy paranoia levels.

(3)
(1)
Brian Karas
May 30, 2017
IPVM

Not a good idea. Neither the manufacturer, nor the installer/SI would want the user to disassemble the unit and meddle with the bare electronics inside.

Possibly, though could be addressed through the internal component layout, or hiding the switch behind a small access cover so it was not "accidentally" reset.

From there on - it's another 5 min. of Photoshop work to overlay the code you want on the picture.

I think you are starting to get into very advanced/edge-case scenarios there. If we keep the assumption that Hikvision wants to allow/enable admin password resets, then there is going to be a level of weakness that goes along with that. The above situation could also be mitigated through a QR code on the device with the serial # that contained some form of checksum or other data not able to be computed by just what you can read over the LAN with SADP.

Indeed cyber security is an important aspect of the business, but let's not bring this to obsession or conspiracy paranoia levels.

I don't think that pointing out that Hikvision both allows a network-based admin password reset, and gives out the keys to perform that with no challenge to the person presenting the request is bringing this to obsession/paranoia levels.

In my experience, integrators and users with a security-minded approach would set the admin password to something secure, and then create individual accounts for specific users instead of using a general 'admin' account. This also makes it easier to recover lost/forgotten passwords since there is not a single admin account, and also users with this mindset in my experience have been less likely to forget passwords in general.

Your defense of Hikvision's approach leads me to think much of the product is going into lower-end installs. In that case I understand why this method exists, and why some people would not want it removed, though higher-end users should be made aware that this password reset method exists so they can properly judge if the equipment meets their own security standards.

 

(3)
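Brian's idea above of a value on the device label that cannot be computed from what SADP exposes over the LAN can be made concrete with a keyed tag. The block below is an added example, not code from IPVM, Hikvision or the commenter: the factory key, the serial format, the tag length and every function name are assumptions constructed for illustration. The factory computes an HMAC over the serial under a key that is never loaded onto the recorder, prints a truncation of it on the sticker or in the QR code, and the support desk recomputes it before issuing any reset code.

```python
import hashlib
import hmac

# Constructed, hypothetical values for this example only. The factory key would
# live in the manufacturer's signing service; it is never stored on the recorder,
# so nothing obtainable over the LAN (SADP, web GUI, SDK) reveals it.
FACTORY_KEY = bytes.fromhex(
    "0f1e2d3c4b5a69788796a5b4c3d2e1f0f0e1d2c3b4a5968778695a4b3c2d1e0f"
)
TAG_HEX_CHARS = 10  # 40-bit tag printed on the label; an assumed size

# Constructed serial in the style of an NVR serial number; not a real device.
SAMPLE_SERIAL = "NVR-EXAMPLE-0123456789"


def label_tag(serial: str, key: bytes = FACTORY_KEY) -> str:
    """Tag the factory prints beside the serial (sticker or QR payload)."""
    canonical = serial.strip().upper().encode("ascii")
    mac = hmac.new(key, canonical, hashlib.sha256)
    return mac.hexdigest()[:TAG_HEX_CHARS].upper()


def make_label(serial: str) -> str:
    """Text of the physical label: the serial plus the keyed tag."""
    return f"{serial}-{label_tag(serial)}"


def verify_reset_request(serial: str, presented_tag: str,
                         key: bytes = FACTORY_KEY) -> bool:
    """Support-desk check run before a reset code is released.

    The requester must supply the tag from the label. A LAN-only attacker sees
    the serial in SADP but never the tag, and cannot derive it without the key.
    """
    expected = label_tag(serial, key).encode("ascii")
    presented = presented_tag.strip().upper().encode("ascii", errors="replace")
    # Constant-time comparison so a support portal does not leak matching prefixes.
    return hmac.compare_digest(expected, presented)


def lan_attacker_guess(serial: str) -> str:
    """Best effort of someone who knows only the SADP-visible serial: an unkeyed
    hash of it. Without FACTORY_KEY this cannot match the printed tag."""
    digest = hashlib.sha256(serial.strip().upper().encode("ascii")).hexdigest()
    return digest[:TAG_HEX_CHARS].upper()


if __name__ == "__main__":
    print("label printed at factory:", make_label(SAMPLE_SERIAL))
    print("owner with label accepted:",
          verify_reset_request(SAMPLE_SERIAL, label_tag(SAMPLE_SERIAL)))
    print("LAN-only attacker accepted:",
          verify_reset_request(SAMPLE_SERIAL, lan_attacker_guess(SAMPLE_SERIAL)))
```

Two caveats a practitioner would weigh: a 40-bit tag is only safe behind a rate-limited, human-reviewed support process, so an online self-service portal would want a longer tag; and the photo attack raised in the thread does not help an attacker, since a picture of someone else's recorder carries that unit's tag, not the target's. The security of the scheme collapses to the handling of FACTORY_KEY, and the model remains "whoever holds the box holds the tag", which is exactly the physical-access assumption the thread discusses.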
Undisclosed Integrator #2
May 30, 2017

Two Factor Authentication:

Have a button on the NVR/DVR that must be pressed while talking with tech-support to confirm that the user has physical access to the unit.

(1)
Jon Dillabaugh
May 30, 2017
Pro Focus LLC

That's not really two factor. If they wanted to simply implement Google 2 Factor, it would be easy to do. That way, only the owner of the Google account could gain entry via a 6 digit code. If the person hacks both the Google account and gets help from Hikvision, then they were really determined and not much would have stopped them. 

(3)
(1)
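Jon's suggestion of a six-digit code that only the owner's account can produce maps directly onto TOTP (RFC 6238), the scheme Google Authenticator and similar apps implement. The block below is an added example, not code from IPVM, Hikvision, Google or the commenter: the issuer name, the sample serial, the per-device state dict and the reset-decision function are assumptions, while the secret is the RFC 6238 reference secret so the generated codes can be checked against the RFC's published test vectors. It produces the enrollment URI the owner's app would scan, generates codes, and gates a reset on a fresh code, rejecting a replayed one.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

STEP = 30     # seconds per TOTP window (RFC 6238 default)
DIGITS = 6    # code length mentioned in the thread

# RFC 6238 reference secret (ASCII "12345678901234567890"), used here only so
# the values below can be checked against the RFC test vectors.
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(secret: bytes, at: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step)


def enrollment_uri(secret: bytes, serial: str, issuer: str = "ExampleNVR") -> str:
    """Key URI an authenticator app scans once at enrollment. The secret lives on
    the owner's phone and in the reset service, never on the recorder's LAN side."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(serial)}"
            f"?secret={b32}&issuer={quote(issuer)}&digits={DIGITS}&period={STEP}")


def authorize_reset(secret: bytes, code: str, at: int, state: dict,
                    window: int = 1) -> bool:
    """Decide whether a password-reset request may proceed.

    Accepts the current window plus `window` steps of clock drift either side,
    and records the highest counter already used so a code captured from the
    owner (or shoulder-surfed) cannot be replayed. `state` is a per-device dict,
    e.g. {"last_counter": -1}; it is an assumption of this example.
    """
    code = code.strip()
    if not code.isdigit() or len(code) != DIGITS:
        return False
    counter = at // STEP
    accepted = None
    for drift in range(-window, window + 1):   # no early exit on a match
        c = counter + drift
        if hmac.compare_digest(hotp(secret, c), code) and c > state.get("last_counter", -1):
            accepted = c
    if accepted is None:
        return False
    state["last_counter"] = accepted
    return True


if __name__ == "__main__":
    print(enrollment_uri(RFC_SECRET, "NVR-EXAMPLE-0001"))
    now = int(time.time())
    print("code for current window:", totp(RFC_SECRET, now))
    device_state = {"last_counter": -1}
    print("first use accepted:", authorize_reset(RFC_SECRET, totp(RFC_SECRET, now), now, device_state))
    print("replay accepted:", authorize_reset(RFC_SECRET, totp(RFC_SECRET, now), now, device_state))
```

The design point is that the secret is enrolled out of band and shared only between the owner's app and the reset service, so someone with LAN access to the recorder, or someone who simply emails support, has nothing to present. The replay check matters because a reset code is a one-shot authorization; without it, a code read off a phone screen remains valid for the rest of its 30-second window.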
Undisclosed Integrator #2
May 30, 2017

You are correct Jon this is not a truly secure 2FA system. I was just trying to describe a system that you could use which would still be able to be reset with physical access to the unit by allowing HikVision to verify a user had access to the unit. 

Brian Karas
May 30, 2017
IPVM

As long as you're not resetting the admin password to diagnose a lack of network connectivity.

 

(2)
Undisclosed Manufacturer #6
May 30, 2017

Easy. On some NVR brands serious about security, the only way to reset the password is by physically gaining access to the NVR and then taking an additional action like hitting a micro switch somewhere hard-to-reach for several seconds, needing a special tool or paperclip/pin.

Convenient? No. Extremely secure? Yes, and that is what the professionals in the video security industry are striving for now.

In my perspective, if you are an installer that takes your profession (security) and business (security) seriously and does what is best for your customer (security), you choose a vendor that takes security seriously and doesn't have password reset algorithms, you will take precautions and be proactive in ensuring your customer does not lose access to their password, you install the NVR in a place with a physical barrier (locked and hidden is best) and you provide the best logical barrier you can with a hardened network and NVR configuration.

 

When it comes to securing a device being used to secure and protect assets and people, convenience should be low priority and is typically prioritized over high security standards because of ignorance, laziness or self-interest (profit)

(8)
(1)
Jon Dillabaugh
May 30, 2017
Pro Focus LLC

I was wondering what the next Hikvision headline would be. I don't even need to email anyone to get past a Dahua unit. And I don't need to change the password either, meaning you won't know I was there. Unless you dig through the logs, which I could also clear while I'm there. 

(1)
(3)
Brian Hampton
May 30, 2017
IPVMU Certified

I'm assuming you're referring to the recent backdoor issue that was "supposedly" fixed with patches (although I feel it was not...)?

If the NVR was secured inside a lock box in a secured room with no network connectivity this would not be an issue, correct?

Jon Dillabaugh
May 30, 2017
Pro Focus LLC

No, I am referring to the Dahua daily password. AFAIK, that still remains. I will give it a try on a newer device that I have on hand. 

Jon Dillabaugh
May 31, 2017
Pro Focus LLC

After testing a new Dahua XVR, I can confirm that the daily code as we knew it no longer works. You have to know the answers to the secret questions in order to change the password. I'm unsure what you do if those aren't known/documented. 

(1)
Michael Gonzalez
May 30, 2017
Confidential

"We tested this a number of times and had no problems. We submitted under fake names, including a request 'from' Hikvision's Chairman and Communist Party Secretary Chen Zongnian."

Haha, well played sir. 

(3)
Undisclosed #7
May 31, 2017

You think this is insecure?  You should've seen the Geovision PC-based DVRs from years ago.

I supported hundreds of these machines back in the day, and just like all the lower level Hikvision installs, convenience was the deciding factor (not security) in resetting the system PW if the customer either forgot or the only person who knew it left without telling anyone.

*NOTE: I also saw many instances of companies firing the only employee who knew the PW to the system before they made sure to get this PW first. duh.

Whenever we got a 'we don't know the PW' call, we simply remoted into the machine, went to the systems root folder on the C: drive and scrolled through the hundreds of files located here to the P's (they were in alphabetical order by default) looking for the 'Password.exe' icon (a key graphic).

All we had to do was run that .exe and it stripped the system of all existing PWs and reset the admin account (User Name: Admin) to no password at all (just like it came out of the box).

I don't know if the Geovision 'IP' systems have this same feature, but I'd be willing to bet a couple bucks that it's still there....

Any current Geovision integrators know if this is still the case?

(1)
Undisclosed Integrator #8
May 31, 2017

Not certain as to how far back you are talking but if you did not check the very poorly translated "allow removing system password" box during install this was not an option as far back as I can remember.

That password uninstall executable required admin level access to run.  If you already have admin level access to run executables on the machine there were other password bypass options available.  There would also be more malicious actions that could be taken without even touching the Geovision software.  Not to straw man your point but this is true of any windows based DVR, NVR, or VMS.

Undisclosed Integrator #8
May 31, 2017

Also, the poorly translated part should say "allow removing password system".

Undisclosed #7
May 31, 2017

"Not certain as to how far back you are talking but if you did not check the very poorly translated "allow removing system password" box during install this was not an option as far back as I can remember."

This was maybe 2006 or 2007..... and the old analog Geovision system (at least then) had no "allow removing system password" during install.  I installed and uninstalled many of these systems and I don't remember ever seeing that even once.  I believe we were using version 5 or 6 of the GV analog software.

"That password uninstall executable required admin level access to run."

Admin level access to what?  The PC itself?  When the integrator I worked for at the time built our PC-based DVRs (we also used Avermedia as a cheaper alternative [with similar functionality]) admin level access to the PC was standard - so anyone sitting at the machine could run the .exe file. (not saying that this was smart, btw) :)

"There would also be more malicious actions that could be taken without even touching the Geovision software. Not to straw man your point but this is true of any windows based DVR, NVR, or VMS."

While I do not disagree with this point, 'other malicious actions' are not the focus of this thread - the ability to change the system PW using system-provided tools is.

(1)
Undisclosed Integrator #8
May 31, 2017

I believe we were using version 5 or 6 of the GV analog software.

That predates me using them.  I can only refer back to 8.1 released in 2007.

Undisclosed #9
May 31, 2017

Anyone had to do a password reset on Mobotix? Uninstall the unit and send back to factory in Germany for reset. Now that is secure!!

(2)
(6)
Undisclosed Manufacturer #10
May 31, 2017

The responsible side of me would like to see Hik and the other bottom feeders fix this.  The other side of me wants to just watch the world burn....

(2)
(4)
Undisclosed Integrator #11
May 31, 2017

What version of firmware was this tried on?

I have tried this on our machine over the LAN and it does not work - V3.4.82 build 161008 - the GUI is also different.

Your story has stated "You do not need to even physically get to the recorder".

Is there somewhere else on this newer GUI that this feature is hidden?

Or has this been removed?

(2)
Undisclosed Integrator #2
May 31, 2017

Remote Password Reset Using SADP

Using the Hikvision SADP software, one can scan the network for the NVR...

 

You need to be using SADP to access the password recovery option. Not the Web Based GUI. 

(2)
Undisclosed Integrator #12
Jun 01, 2017

In the VAST majority of smaller businesses that are likely to use a $300-500 NVR, the cameras are primarily for theft prevention and similar purposes in public areas. They are not guarding top secret information. Getting compromised from the outside is an issue. But easy operation by non-technical staff is even more critical.

Solidly 90% of these people are terrible at keeping track of their passwords. And there is no reasonable way that Hikvision could vet who asks for the reset.

So I think you have to accept that the Hikvision method is about as good as you can do to meet the goals of the small business market.  You can reasonably protect the device from lan subnet and physical access if you want to.  And it is reasonably simple to gain access when records are misplaced.

A larger company with critical security needs should not be using $500 nvr appliances to protect and monitor their operation.  They need to manage a much larger device and user count.  Hikvision NVR's are not for them. 

This is a case of needing to match the solution to the customer.  Hikvision as it stands is a low cost smb appropriate system. 

(4)
(1)
John Honovich
Jun 01, 2017
IPVM

#12, thanks for the thoughtful and informative comments. I agree that for the SMB, this feature is less of a risk, though I am curious how SMBs would feel that their employees could simply email Hikvision and get admin access to the recorder.

Hikvision as it stands is a low cost smb appropriate system.

I agree with that assessment. However, Hikvision does not see themselves as that. They clearly want to be an enterprise / premium provider who does more than sell "$300-500 nvr(s)" to SMB. To that end, if they want to move upmarket (in the West) they should consider more robust security measures than an unverified, non-disableable admin password reset.

(1)
Undisclosed Integrator #13
Jun 02, 2017

EZVIZ DIY system does it the same way.

Steve Stowe
Apr 25, 2022

It was a bigger pain to get older firmware I needed to update a recorder - send them the serial #, model #, the current firmware version, and an email from a company email account identifying myself as an integrator.

By all means, let's make it easy to reset the password but a PITA to update firmware.

(Yes, the latest version of the firmware is posted on their website but older versions are no longer there)