How To Hack Your Company's Hikvision Recorder

By IPVM Team, Published on May 29, 2017

Here's how easy it is to hack your company's Hikvision recorder:

  • It does not matter how hard or secret the admin password is.
  • Hikvision will happily help you.
  • Hikvision will let anyone do it with no verification.
  • You cannot disable this 'feature'.
  • You do not need to even physically get to the recorder.

In this note, we share our test result findings and examines the benefits and risks of this approach.

Executive Summary

Hikvision sends a reset code to override the password and access the recorder by simply sending them the recorder's serial number. Then anyone with physical access to the recorder (e.g., at a company) can hack into the recorder, regardless of how strong the password is.

Demonstrated

We simply followed Hikvision's own instructional video.

[UPDATE: Hikvision has removed the instructional video but not fixed the problem.]

One simply fills out a form on the password reset page and Hikvision emails the secure code.

Remote Password Reset Using SADP

Using the Hikvision SADP software, scan the local network for Hikvision recorders:

Get Notified of Video Surveillance Breaking News
Get Notified of Video Surveillance Breaking News

Using the export function after clicking "Forgot Password", create the XML file.

In the password reset form input the information required including the XML file generated from the "export" button.

A confirmation E-mail is sent to let you know that a ticket is open.

~10 minutes later another e-mail is sent containing the reset code.

After selecting "input key" just type in (or copy/paste) the code Hikvision provided and choose your new password.

You will have just performed a successful password reset completely over LAN.

Test Results

We tested this a number of times and had no problems. We submitted under fake names, including a request 'from' Hikvision's Chairman and Communist Party Secretary Chen Zongnian.

We even requested the same serial number under different fake names and received the secure code promptly. We received responses within a half hour electronically as well as getting a code over the phone in a few minutes. Below is an example of one response:

No Verification Required

Hikvision makes no attempt at verifying or determining if the user is authorized, the actual buyer, etc.

No Disabling

The 'feature' cannot be disabled, so users who view this as a security risk or want to harden the device have no option.

Upside

The clear upside is that it is easy for anyone locked out to get access to their Hikvision recorder. This minimizes delays or problems in accessing a recorder.

Downside

The downside is that anyone who can physically access the recorder can easily get admin access / control of the recorder.

Vote - Verify Requests

Vote - Option To Disable

7 reports cite this report:

IFSEC 2019 Show Report on Jun 19, 2019
The UK's largest trade show, IFSEC, is underway and IPVM has been examining...
Hikvision Security Code Cracked on Aug 08, 2017
Hikvision's 'security code' feature has been cracked and a program generating...
Hikvision USA Head of Cybersecurity Exits on Jul 18, 2017
Hikvision USA's Head of Cybersecurity has exited the company. In this note,...
QSR Video Surveillance Best Practices on Jun 21, 2017
Fast food restaurants or QSRs (quick service restaurants), are frequent...
Hikvision: IPVM Is "Destined To Fail" on Jun 14, 2017
Hikvision has accused IPVM of 'cyberbullying' them, declaring IPVM 'destined...
Morten Tor Nielsen Defends Hikvision on Jun 12, 2017
Morten Tor Nielsen, veteran software developer for Prescienta working for...
Gas Station Surveillance Best Practices on Jun 07, 2017
Gas stations are a frequent crime target. They tend to be open late at night,...
Comments (33) : Members only. Login. or Join.

Related Reports

Keypads For Access Control Tutorial on Jul 28, 2020
Keypad readers present huge risks to even the best access systems. If...
Ubiquiti Access Control Tested on Oct 21, 2020
Ubiquiti has become one of the most widely used wireless and switch providers...
Risks Of Managing End User Passwords (Statistics) 2020 on Sep 11, 2020
Alarmingly, most integrators used spreadsheets to manage passwords, IPVM...
Access Control Levels and Schedules Tutorial on Sep 29, 2020
Configuring access levels and setting up schedules is central to maintaining...
US GSA Explains NDAA 889 Part B Blacklisting on Jul 31, 2020
With the 'Blacklist Clause' going into effect August 13 that bans the US...
SimpliSafe Business Security Launched Examined on Sep 22, 2020
SimpliSafe has launched "SimpliSafe Business Security" that the company...
AHJ / Authority Having Jurisdiction Tutorial on Aug 06, 2020
One of the most powerful yet often underappreciated characters in all...
Verkada Access Control Tested on Sep 09, 2020
Verkada raised $80 million earlier in 2020, expanding from video into access...
Drain Wire For Access Control Reader Tutorial on Sep 23, 2020
An easy-to-miss cabling specification plays a key role in access control, yet...
Verkada Disruptive Embedded Live Help on Sep 24, 2020
Call up your integrator? Have someone come by the next day? Verkada is...
Favorite Network Switches 2020 on Aug 31, 2020
Cisco has long been the gorilla of network switches but would an upstart...
Avigilon Social Distancing Analytics Tested on Aug 26, 2020
Avigilon released its social distancing analytics in response to the...
Integrator Acquisitions 'A Good Market' During COVID-19, Says Greybeards on Jul 28, 2020
Industry broker Ron Davis of the "Greybeards" says that the integrator and...
Hanwha Face Mask Detection Tested on Jul 01, 2020
Face mask detection or, more specifically lack-of-face-mask detection, is an...
UN Agency Buys 'Swiss' Fever Cams From Firm That Faked Accreditation, Sales, Marketing on Oct 06, 2020
A Swiss company claims to have "fully designed and manufactured" the world's...

Recent Reports

Recruiters Online Show LIVE Today! on Oct 29, 2020
IPVM's 7th online show resumes today with 12 recruiters presenting themselves...
Hikvision AcuSense G2 Camera Test on Oct 29, 2020
Hikvision has released their next generation of AcuSense analytic cameras...
Biggest Problems Selling Access Control 2020 on Oct 29, 2020
Access control can cause integrators big headaches. What practical issues do...
Taiwan Geovision AI Analytics and NDAA Examined on Oct 29, 2020
Taiwan manufacturer Geovision's revenue has been falling for years. However,...
Bedside Cough and Sneeze Detector (Sound Intelligence and CLB) on Oct 28, 2020
Coronavirus has increased interest in detecting symptoms such as fever and...
Fever Tablet Thermal Sensors Examined (Melexis) on Oct 28, 2020
Fever tablet suppliers heavily rely on the accuracy and specs of...
Verkada Fires 3 on Oct 28, 2020
Verkada has fired three employees over an incident where female colleagues...
Eagle Eye Networks Raises $40 Million on Oct 27, 2020
Eagle Eye has raised $40 million aiming to "reinvent video...
Hikvision Q3 2020 Global Revenue Rises, US Revenue Falls on Oct 27, 2020
While Hikvision's global revenue rises driven by domestic recovery, its US...
VICE Investigates Verkada's Harassing "RawVerkadawgz" on Oct 26, 2020
This month, IPVM investigated Verkada's sexism, discrimination, and cultural...
Six Flags' FDA Violating Outdoor Dahua Fever Cameras on Oct 26, 2020
As Six Flags scrambled to reopen parks amid plummeting revenues caused by the...
ISC Brasil Digital Experience 2020 Report on Oct 23, 2020
ISC Brasil 2020 rebranded itself to ISC Digital Experience and, like its...
Top Video Surveillance Service Call Problems 2020 on Oct 23, 2020
3 primary and 4 secondary issues stood out as causing the most problems when...
GDPR Impact On Temperature / Fever Screening Explained on Oct 22, 2020
What impact does GDPR have on temperature screening? Do you risk a GDPR fine...
Security And Safety Things (S&ST) Tested on Oct 22, 2020
S&ST, a Bosch spinout, is spending tens of millions of dollars aiming to...