How To Hack Your Company's Hikvision Recorder

By IPVM Team, Published May 29, 2017, 08:00am EDT

Here's how easy it is to hack your company's Hikvision recorder:

  • It does not matter how hard or secret the admin password is.
  • Hikvision will happily help you.
  • Hikvision will let anyone do it with no verification.
  • You cannot disable this 'feature'.
  • You do not need to even physically get to the recorder.

In this note, we share our test result findings and examines the benefits and risks of this approach.

Executive Summary

Hikvision sends a reset code to override the password and access the recorder by simply sending them the recorder's serial number. Then anyone with physical access to the recorder (e.g., at a company) can hack into the recorder, regardless of how strong the password is.

Demonstrated

We simply followed Hikvision's own instructional video.

[UPDATE: Hikvision has removed the instructional video but not fixed the problem.]

One simply fills out a form on the password reset page and Hikvision emails the secure code.

Remote Password Reset Using SADP

Using the Hikvision SADP software, scan the local network for Hikvision recorders:

Join IPVM Newsletter?

IPVM is the #1 authority in video surveillance news, in-depth tests, and training courses. Get emails, once a day, Monday to Friday.

Using the export function after clicking "Forgot Password", create the XML file.

In the password reset form input the information required including the XML file generated from the "export" button.

A confirmation E-mail is sent to let you know that a ticket is open.

~10 minutes later another e-mail is sent containing the reset code.

After selecting "input key" just type in (or copy/paste) the code Hikvision provided and choose your new password.

You will have just performed a successful password reset completely over LAN.

Test Results

We tested this a number of times and had no problems. We submitted under fake names, including a request 'from' Hikvision's Chairman and Communist Party Secretary Chen Zongnian.

We even requested the same serial number under different fake names and received the secure code promptly. We received responses within a half hour electronically as well as getting a code over the phone in a few minutes. Below is an example of one response:

No Verification Required

Hikvision makes no attempt at verifying or determining if the user is authorized, the actual buyer, etc.

No Disabling

The 'feature' cannot be disabled, so users who view this as a security risk or want to harden the device have no option.

Upside

The clear upside is that it is easy for anyone locked out to get access to their Hikvision recorder. This minimizes delays or problems in accessing a recorder.

Downside

The downside is that anyone who can physically access the recorder can easily get admin access / control of the recorder.

Vote - Verify Requests

Vote - Option To Disable

7 reports cite this report:

IFSEC 2019 Show Report on Jun 19, 2019
The UK's largest trade show, IFSEC, is underway and IPVM has been examining...
Hikvision Security Code Cracked on Aug 08, 2017
Hikvision's 'security code' feature has been cracked and a program generating...
Hikvision USA Head of Cybersecurity Exits on Jul 18, 2017
Hikvision USA's Head of Cybersecurity has exited the company. In this note,...
QSR Video Surveillance Best Practices on Jun 21, 2017
Fast food restaurants or QSRs (quick service restaurants), are frequent...
Hikvision: IPVM Is "Destined To Fail" on Jun 14, 2017
Hikvision has accused IPVM of 'cyberbullying' them, declaring IPVM 'destined...
Morten Tor Nielsen Defends Hikvision on Jun 12, 2017
Morten Tor Nielsen, veteran software developer for Prescienta working for...
Gas Station Surveillance Best Practices on Jun 07, 2017
Gas stations are a frequent crime target. They tend to be open late at night,...
Comments (33) : Subscribers only. Login. or Join.
Loading Related Reports