How To Hack Your Company's Hikvision Recorder

IT
IPVM Team
Published May 29, 2017 12:00 PM

Here's how easy it is to hack your company's Hikvision recorder:

  • It does not matter how hard or secret the admin password is.
  • Hikvision will happily help you.
  • Hikvision will let anyone do it with no verification.
  • You cannot disable this 'feature'.
  • You do not need to even physically get to the recorder.

In this note, we share our test result findings and examines the benefits and risks of this approach.

Executive Summary

Hikvision sends a reset code to override the password and access the recorder by simply sending them the recorder's serial number. Then anyone with physical access to the recorder (e.g., at a company) can hack into the recorder, regardless of how strong the password is.

Demonstrated

We simply followed Hikvision's own instructional video.

[UPDATE: Hikvision has removed the instructional video but not fixed the problem.]

One simply fills out a form on the password reset page and Hikvision emails the secure code.

Remote Password Reset Using SADP

Using the Hikvision SADP software, scan the local network for Hikvision recorders:

Using the export function after clicking "Forgot Password", create the XML file.

In the password reset form input the information required including the XML file generated from the "export" button.

A confirmation E-mail is sent to let you know that a ticket is open.

~10 minutes later another e-mail is sent containing the reset code.

After selecting "input key" just type in (or copy/paste) the code Hikvision provided and choose your new password.

You will have just performed a successful password reset completely over LAN.

Test Results

We tested this a number of times and had no problems. We submitted under fake names, including a request 'from' Hikvision's Chairman and Communist Party Secretary Chen Zongnian.

We even requested the same serial number under different fake names and received the secure code promptly. We received responses within a half hour electronically as well as getting a code over the phone in a few minutes. Below is an example of one response:

No Verification Required

Hikvision makes no attempt at verifying or determining if the user is authorized, the actual buyer, etc.

No Disabling

The 'feature' cannot be disabled, so users who view this as a security risk or want to harden the device have no option.

Upside

The clear upside is that it is easy for anyone locked out to get access to their Hikvision recorder. This minimizes delays or problems in accessing a recorder.

Downside

The downside is that anyone who can physically access the recorder can easily get admin access / control of the recorder.

Vote - Verify Requests

Vote - Option To Disable

Comments are shown for subscribers only. Login or Join