How To Hack Your Company's Hikvision RecorderBy IPVM Team, Published on May 29, 2017
Here's how easy it is to hack your company's Hikvision recorder:
- It does not matter how hard or secret the admin password is.
- Hikvision will happily help you.
- Hikvision will let anyone do it with no verification.
- You cannot disable this 'feature'.
- You do not need to even physically get to the recorder.
In this note, we share our test result findings and examines the benefits and risks of this approach.
Hikvision sends a reset code to override the password and access the recorder by simply sending them the recorder's serial number. Then anyone with physical access to the recorder (e.g., at a company) can hack into the recorder, regardless of how strong the password is.
We simply followed Hikvision's own instructional video.
[UPDATE: Hikvision has removed the instructional video but not fixed the problem.]
One simply fills out a form on the password reset page and Hikvision emails the secure code.
Remote Password Reset Using SADP
Using the Hikvision SADP software, scan the local network for Hikvision recorders:
Using the export function after clicking "Forgot Password", create the XML file.
In the password reset form input the information required including the XML file generated from the "export" button.
A confirmation E-mail is sent to let you know that a ticket is open.
~10 minutes later another e-mail is sent containing the reset code.
After selecting "input key" just type in (or copy/paste) the code Hikvision provided and choose your new password.
You will have just performed a successful password reset completely over LAN.
We tested this a number of times and had no problems. We submitted under fake names, including a request 'from' Hikvision's Chairman and Communist Party Secretary Chen Zongnian.
We even requested the same serial number under different fake names and received the secure code promptly. We received responses within a half hour electronically as well as getting a code over the phone in a few minutes. Below is an example of one response:
No Verification Required
Hikvision makes no attempt at verifying or determining if the user is authorized, the actual buyer, etc.
The 'feature' cannot be disabled, so users who view this as a security risk or want to harden the device have no option.
The clear upside is that it is easy for anyone locked out to get access to their Hikvision recorder. This minimizes delays or problems in accessing a recorder.
The downside is that anyone who can physically access the recorder can easily get admin access / control of the recorder.
Vote - Verify Requests
Vote - Option To Disable