How To Hack Your Company's Hikvision Recorder

By: IPVM Team, Published on May 29, 2017

Here's how easy it is to hack your company's Hikvision recorder:

  • It does not matter how hard or secret the admin password is.
  • Hikvision will happily help you.
  • Hikvision will let anyone do it with no verification.
  • You cannot disable this 'feature'.
  • You do not need to even physically get to the recorder.

In this note, we share our test findings and examine the benefits and risks of this approach.


Executive *******

********* ***** * ***** code ** ******** *** password *** ****** *** recorder ** ****** ******* them *** ********'* ****** number. **** ****** **** physical ****** ** *** recorder (*.*., ** * company) *** **** **** the ********, ********** ** how ****** *** ******** is.

************

** ****** ******** *********'* own ************* *****.

[******: ********* *** ******* the ************* ***** *** not ***** *** *******.]

*** ****** ***** *** a **** ** *** password ***** **** *** Hikvision ****** *** ****** code.

Remote ******** ***** ***** ****

***** *** ********* **** software, **** *** ***** network *** ********* *********:

***** *** ****** ******** after ******** "****** ********", create *** *** ****.

** *** ******** ***** form ***** *** *********** required ********* *** *** file ********* **** *** "export" ******.

* ************ *-**** ** sent ** *** *** know **** * ****** is ****.

~** ******* ***** ******* e-mail ** **** ********** the ***** ****.

***** ********* "***** ***" just **** ** (** copy/paste) *** **** ********* provided *** ****** **** new ********.

*** **** **** **** performed * ********** ******** reset ********** **** ***.

Test *******

** ****** **** * number ** ***** *** had ** ********. ** submitted ***** **** *****, including * ******* '****'*********'* ******** *** ********* Party ********* **** ********.

** **** ********* *** same ****** ****** ***** different **** ***** *** received *** ****** **** promptly. ** ******** ********* within * **** **** electronically ** **** ** getting * **** **** the ***** ** * few *******. ***** ** an ******* ** *** response:

No ************ ********

********* ***** ** ******* at ********* ** *********** if *** **** ** authorized, *** ****** *****, etc.

No *********

*** '*******' ****** ** disabled, ** ***** *** view **** ** * security **** ** **** to ****** *** ****** have ** ******.

******

*** ***** ****** ** that ** ** **** for ****** ****** *** to *** ****** ** their ********* ********. **** minimizes ****** ** ******** in ********* * ********.

********

*** ******** ** **** anyone *** *** ********** access *** ******** *** easily *** ***** ****** / ******* ** *** recorder.


Comments (33)

(Undisclosed Manufacturer 1 is a Dahua employee)

It is even easier to generate a password reset with Dahua, or any of their OEMs.

(Serious Question)

How is this new news? I have done takeovers on HikVision Systems before and all I had to do was TFTP the NVR to a new firmware and send in the request for a password. Before then I used the "HikVision Camera Admin Password Reset Tool" outlined on the IpCamTalk forum below and guessed/checked the date until I got lucky.

https://ipcamtalk.com/threads/hikvision-camera-admin-password-reset-tool.2837/

(On a side note I agree UM#1 Dahua's system is even easier to take over and there are others that are probably just as simple)

Hikvision is not different than others - Dahua uses monthly reset password list for local access, and others use front panel key combination or similar methods. All assume that having physical access to the recorder means that you own it.

It is not acceptable in high security, but this practice is a better service for the installers and users who often forget or lose their password, than to those few who require high security but still expect to get it from such a recorder. They can restrict physical access to the recorder.

Almost all such level recorders I am familiar with, once you have physical access to one, you can take down the hard drive and install to another same system and have full access to the recordings, meaning there is no encryption of index or video files.

I agree that in most things security-related, physical hands-on access trumps almost any security mechanisms. In this case though, you do not need hands-on access, you only need LAN access (of course, if you have physical access, it works from a local console too).

Personally, I could see many cases where a slightly tech-savvy and negatively motivated employee in a smaller retailer using Hikvision recorders could use this to compromise the system, even if the recorder was "secure" in the manager's back-room office.

Being able to reset a core security device over the LAN, even with secret codes provided by tech support, is a flawed design, IMO. Hikvision is not the only company that allows for this, but again, with them being a large manufacturer, and claiming commitments to cyber security, this is another massive oversight on their part.

The title of this piece is misleading, this is not a "hack". I would rather see this titled as "How to use Social Engineering to Access Your Company's Hikvision Recorder".

Social Engineering is hacking IMO.

Entertaining video using these hacking tools.

Social Engineering

This is not social engineering per its definition, i.e., "psychological manipulation of people into performing actions or divulging confidential information."

With Hikvision, there is no need to 'manipulate' them because they will gladly send the reset code to anyone who requests regardless of whether they use a real name, fake name, etc.

Indeed, Hikvision evidently does not believe this is 'confidential information' since they are happy to disclose it to anyone, without vetting.

That said, I agree with your underlying point that Hikvision should consider this confidential information and vet requesters.

How could they verify a user? What's IPVM's suggested solution for this?

If you give the customer an option to disable password resets and they forget their password, then what?

I don't see another solution right now that wouldn't cause huge headaches or issues for customers with the products because many forget passwords, change integrators, or ownership simply changes.

To me, physical access to the LAN is physical access to a network-based device. If you don't want your employees accessing the NVR in this way, then it should be segregated anyways.

How could they verify a user? What's IPVM's suggested solution for this?

There are a few options:

  • Remove this feature and rely on a physical reset button inside the case, making any kind of remote/LAN reset unavailable
  • Only offer the Self Serve Password Reset option
  • Require some form of proof of ownership (physical image of unit with serial #, along with other proof of ownership), similar to how some online banks or other organizations handle lost admin authentication credentials

To me, physical access to the LAN is physical access to a network-based device. If you don't want your employees accessing the NVR in this way, then it should be segregated anyways.

  • Remove this feature and rely on a physical reset button inside the case, making any kind of remote/LAN reset unavailable

Not a good idea. Neither the manufacturer, nor the installer/SI would want the user to disassemble the unit and meddle with the bare electronics inside.

  • Require some form of proof of ownership (physical image of unit with serial #, along with other proof of ownership), similar to how some online banks or other organizations handle lost admin authentication credentials

This also seems impractical and possible to cheat - after 5 min. search on the net you can get such physical images:

http://images.locanto.net/1375830265/HIKVISION-CCTV-DVR-with-4-RDS-Day-Night-Cameras-Imported_3.jpg

http://ipdaily.net/ipcamtalk/img2.jpg

https://camerahikvision.net/wp-content/uploads/2016/04/13318584_1183207298396167_75654126_n.jpg

From there on - it's another 5 min. of Photoshop work to overlay the code you want on the picture. And then if a Hikvision person has to physically confirm the picture - how many employees would be needed for that for the world market? And what about the case when you have bought a site/premise/building with the recorder inside - what kind of proof of ownership can you supply? Or when your IT/security guy has left the company taking the password with him?

The feature is a simple and useful means to keep the device running, saving a lot of time for both the user and the installers. We, as a distributor, have saved lots of time and effort resetting many devices via this procedure, rather than sending a technician to investigate or asking the customer to waste time to bring the device to our office. For 90% of the cases this is OK for all parties involved. On many installation sites there is not a secure room for the recorder to be placed in, so having a reset button on the device would make it actually more vulnerable.

Indeed cyber security is an important aspect of the business, but let's not bring this to obsession or conspiracy paranoia levels.

Not a good idea. Neither the manufacturer, nor the installer/SI would want the user to disassemble the unit and meddle with the bare electronics inside.

Possibly, though could be addressed through the internal component layout, or hiding the switch behind a small access cover so it was not "accidentally" reset.

From there on - it's another 5 min. of Photoshop work to overlay the code you want on the picture.

I think you are starting to get into very advanced/edge-case scenarios there. If we keep the assumption that Hikvision wants to allow/enable admin password resets, then there is going to be a level of weakness that goes along with that. The above situation could also be mitigated through a QR code on the device with the serial # that contained some form of checksum or other data not able to be computed by just what you can read over the LAN with SADP.

Indeed cyber security is an important aspect of the business, but let's not bring this to obsession or conspiracy paranoia levels.

I don't think that pointing out that Hikvision both allows a network-based admin password reset, and gives out the keys to perform that with no challenge to the person presenting the request is bringing this to obsession/paranoia levels.

In my experience, integrators and users with a security-minded approach would set the admin password to something secure, and then create individual accounts for specific users instead of using a general 'admin' account. This also makes it easier to recover lost/forgotten passwords since there is not a single admin account, and also users with this mindset in my experience have been less likely to forget passwords in general.

Your defense of Hikvision's approach leads me to think much of the product is going into lower-end installs. In that case I understand why this method exists, and why some people would not want it removed, though higher-end users should be made aware that this password reset method exists so they can properly judge if the equipment meets their own security standards.
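The label check proposed in the comment above (a QR code carrying data that cannot be derived from what the LAN exposes) can be sketched as follows. This is an added example, not code from the thread, IPVM or Hikvision; the label format `SERIAL:TAGHEX`, the tag length, the function names and the demo key and serials are all assumptions made for illustration.

```python
import hashlib
import hmac

TAG_LEN = 10  # bytes of the HMAC kept on the label (80 bits); an assumed size


def label_tag(vendor_key: bytes, serial: str) -> bytes:
    """Tag bound to one serial number; computing it requires the vendor key."""
    digest = hmac.new(vendor_key, serial.encode("utf-8"), hashlib.sha256).digest()
    return digest[:TAG_LEN]


def make_label(vendor_key: bytes, serial: str) -> str:
    """Factory side: payload encoded in the QR code on the unit."""
    return f"{serial}:{label_tag(vendor_key, serial).hex()}"


def verify_reset_request(vendor_key: bytes, claimed_serial: str, qr_payload: str) -> bool:
    """Support side: accept only a label whose tag matches the claimed serial."""
    serial, sep, tag_hex = qr_payload.rpartition(":")
    if not sep or serial != claimed_serial:
        return False  # no tag at all, or a label taken from a different unit
    try:
        presented = bytes.fromhex(tag_hex)
    except ValueError:
        return False  # tag is not valid hex
    if len(presented) != TAG_LEN:
        return False
    # Constant-time comparison so response timing does not leak tag bytes.
    return hmac.compare_digest(presented, label_tag(vendor_key, serial))


def demo() -> dict:
    """Run the check on constructed sample values (not real keys or serials)."""
    key = b"constructed-demo-key-not-a-real-secret"
    serial = "DEMO-NVR-0001"
    label = make_label(key, serial)
    other_label = make_label(key, "DEMO-NVR-0002")
    flipped = "0" if label[-1] != "0" else "1"
    return {
        "owner_with_label": verify_reset_request(key, serial, label),
        # Requester who only knows the serial seen on the network:
        "lan_only_serial": verify_reset_request(key, serial, serial),
        # Label photographed from some other unit:
        "label_from_other_unit": verify_reset_request(key, serial, other_label),
        # Label image with the last tag digit altered:
        "edited_tag": verify_reset_request(key, serial, label[:-1] + flipped),
        "malformed": verify_reset_request(key, serial, serial + ":zz"),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

A static label only proves that the requester has seen the unit at some point, so anyone who photographed it earlier still passes; it narrows the reset path to people with physical access rather than verifying ownership.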

Two Factor Authentication:

Have a button on the NVR/DVR that must be pressed while talking with tech-support to confirm that the user has physical access to the unit.

That's not really two factor. If they wanted to simply implement Google 2 Factor, it would be easy to do. That way, only the owner of the Google account could gain entry via a 6 digit code. If the person hacks both the Google account and gets help from Hikvision, then they were really determined and not much would have stopped them.

You are correct Jon this is not a truly secure 2FA system. I was just trying to describe a system that you could use which would still be able to be reset with physical access to the unit by allowing HikVision to verify a user had access to the unit.

As long as you're not resetting the admin password to diagnose a lack of network connectivity.

Easy. On some NVR brands serious about security, the only way to reset the password is by physically gaining access to the NVR and then taking an additional action like hitting a micro switch somewhere hard-to-reach for several seconds, needing a special tool or paperclip\pin.

Convenient? No. Extremely secure? Yes, and that is what the professionals in the video security industry are striving for now.

In my perspective, if you are an installer that takes your profession (security) and business (security) seriously and does what is best for your customer (security), you choose a vendor that takes security seriously and doesn't have password reset algorithms, you will take precautions and be proactive in ensuring your customer does not lose access to their password, you install the NVR in a place with a physical barrier (locked and hidden is best) and you provide the best logical barrier you can with a hardened network and NVR configuration.

When it comes to securing a device being used to secure and protect assets and people, convenience should be low priority and is typically prioritized over high security standards because of ignorance, laziness or self-interest (profit)

I was wondering what the next Hikvision headline would be. I don't even need to email anyone to get past a Dahua unit. And I don't need to change the password either, meaning you won't know I was there. Unless you dig through the logs, which I could also clear while I'm there.

I'm assuming you're referring to the recent backdoor issue that was "supposedly" fixed with patches (although I feel it was not...)?

If the NVR was secured inside a lock box in a secured room with no network connectivity this would not be an issue, correct?

No, I am referring to the Dahua daily password. AFAIK, that still remains. I will give it a try on a newer device that I have on hand.

After testing a new Dahua XVR, I can confirm that the daily code as we knew it no longer works. You have to know the answers to the secret questions in order to change the password. I'm unsure what you do if those aren't known/documented.

"We tested this a number of times and had no problems. We submitted under fake names, including a request 'from' Hikvision's Chairman and Communist Party Secretary Chen Zongnian."

Haha, well played sir.


You think this is insecure? You should've seen the Geovision PC-based DVRs from years ago.

I supported hundreds of these machines back in the day, and just like all the lower level Hikvision installs, convenience was the deciding factor (not security) in resetting the system PW if the customer either forgot or the only person who knew it left without telling anyone.

*NOTE: I also saw many instances of companies firing the only employee who knew the PW to the system before they made sure to get this PW first. duh.

Whenever we got a 'we don't know the PW' call, we simply remoted into the machine, went to the systems root folder on the C: drive and scrolled through the hundreds of files located here to the P's (they were in alphabetical order by default) looking for the 'Password.exe' icon (a key graphic).

All we had to do was run that .exe and it stripped the system of all existing PWs and reset the admin account (User Name: Admin) to no password at all (just like it came out of the box).

I don't know if the Geovision 'IP' systems have this same feature, but I'd be willing to bet a couple bucks that it's still there....

Any current Geovision integrators know if this is still the case?

Not certain as to how far back you are talking but if you did not check the very poorly translated "allow removing system password" box during install this was not an option as far back as I can remember.

That password uninstall executable required admin level access to run. If you already have admin level access to run executables on the machine there were other password bypass options available. There would also be more malicious actions that could be taken without even touching the Geovision software. Not to straw man your point but this is true of any Windows-based DVR, NVR, or VMS.

Also, the poorly translated part should say "allow removing password system".

"Not certain as to how far back you are talking but if you did not check the very poorly translated "allow removing system password" box during install this was not an option as far back as I can remember."

This was maybe 2006 or 2007..... and the old analog Geovision system (at least then) had no "allow removing system password" during install. I installed and uninstalled many of these systems and I don't remember ever seeing that even once. I believe we were using version 5 or 6 of the GV analog software.

"That password uninstall executable required admin level access to run."

Admin level access to what? The PC itself? When the integrator I worked for at the time built our PC-based DVRs (we also used Avermedia as a cheaper alternative [with similar functionality]) admin level access to the PC was standard - so anyone sitting at the machine could run the .exe file. (not saying that this was smart, btw) :)

"There would also be more malicious actions that could be taken without even touching the Geovision software. Not to straw man your point but this is true of any windows based DVR, NVR, or VMS."

While I do not disagree with this point, 'other malicious actions' are not the focus of this thread - the ability to change the system PW using system-provided tools is.

I believe we were using version 5 or 6 of the GV analog software.

That predates me using them. I can only refer back to 8.1 released in 2007.

Anyone had to do a password reset on Mobotix? Uninstall the unit and send back to factory in Germany for reset. Now that is secure!!

The responsible side of me would like to see Hik and the other bottom feeders fix this. The other side of me wants to just watch the world burn....

What version of firmware was this tried on?

I have tried this on our machine over the LAN and it does not work - V3.4.82 build 161008 - the GUI is also different.

Your story has stated "You do not need to even physically get to the recorder".

Is there somewhere else on this newer GUI that this feature is hidden?

Or has this been removed?

Remote Password Reset Using SADP

Using the Hikvision SADP software, one can scan the network for the NVR...

You need to be using SADP to access the password recovery option. Not the Web Based GUI.

In the VAST majority of smaller businesses that are likely to use a $300-500 nvr, the cameras are primarily for theft prevention and similar purposes in public areas. They are not guarding top secret information. Getting compromised from the outside is an issue. But easy operation from a non technical staff is even more critical.

Solidly 90% of these people are terrible at keeping track of their passwords. And there is no reasonable way that Hikvision could vet who asks for the reset.

So I think you have to accept that the Hikvision method is about as good as you can do to meet the goals of the small business market. You can reasonably protect the device from lan subnet and physical access if you want to. And it is reasonably simple to gain access when records are misplaced.

A larger company with critical security needs should not be using $500 nvr appliances to protect and monitor their operation. They need to manage a much larger device and user count. Hikvision NVRs are not for them.

This is a case of needing to match the solution to the customer. Hikvision as it stands is a low cost smb appropriate system.

#12, thanks for the thoughtful and informative comments. I agree that for the SMB, this feature is less of a risk, though I am curious how SMBs would feel that their employees could simply email Hikvision and get admin access to the recorder.

Hikvision as it stands is a low cost smb appropriate system.

I agree with that assessment. However, Hikvision does not see themselves as that. They clearly want to be an enterprise / premium provider who does more than sell "$300-500 nvr(s)" to SMB. To that end, if they want to move upmarket (in the West) they should consider more robust security measures than unverified / un-disable admin password reset.

EZVIZ DIY system does it the same way.
