Hikvision Backdoor Confirmed

By: Brian Karas, Published on May 08, 2017

The US Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has issued an advisory for vulnerabilities to Hikvision cameras, crediting and confirming the work of researcher Montecrypto who originally disclosed the backdoor in Hikvision cameras.

Backdoor Disclosure

On March 5, 2017, Montecrypto declared:

I would like to confirm that there is a backdoor in many popular Hikvision products that makes it possible to gain full admin access to the device.

Confirming one week later that:

One can remotely escalate their privileges from anonymous web surfer to admin.

DHS Advisory On Hikvision

The US Department of Homeland Security gave the Hikvision cameras its worst / highest score - a 10.0 out of 10.0 - confirming that it is "remotely exploitable/low skill level to exploit" for "improper authentication." Moreover, DHS additionally confirmed a "password in configuration file", scoring it a critical 8.8 out of 10.0.

Hikvision Response

Get Notified of Video Surveillance Breaking News
Get Notified of Video Surveillance Breaking News

On March 12, Hikvision sent a notice of a 'privilege escalating vulnerability' and issued firmware upgrades for 200+ Hikvision IP cameras addressing the vulnerabilities. IPVM estimates easily millions of cameras have these vulnerabilities given Hikvision's own regular declarations of shipping tens of millions of cameras.

On May 4, Hikvision sent an update on that notice declaring:

Hikvision is honored to work with the U.S. Department of Homeland Security’s National Cybersecurity and Communications Integration Center in our ongoing cybersecurity best practice efforts. 

Grey Market No Solution

No solution is available for those who have bought 'grey market' Hikvision cameras as, depending on the variant, upgrading firmware could revert the device, be blocked or brick the camera.

No Fix Yet For Password In Config File

The DHS advisory also notes:

Hikvision has not mitigated the password in configuration file vulnerability.

It is not clear if or when Hikvision will fix this.

No Proof Of Concept Released But Verified

While the US DHS has verified these vulnerabilities, no proof of concept code has been released for them. The lack of one should reduce the amount of exploits.

Hikvision users should certainly take this seriously and upgrade all devices. In describing this exploit to IPVM when it was first discovered, montecrypto stated:

If you can access login screen, you can log in as an admin or event recover admin's password without knowing it.

"No Backdoors" Claim

In early 2017, Hivision declared that:

Hikvision never has, does or would intentionally contribute to the placement of “backdoors” in its products.

The company will likely argue that this backdoor is not intentional though this depends on trusting them since verifying intent is difficult.

Hikvision Previous Hardening Efforts

Since 2015, Hikvision has made multiple statements about its commitment to cyber security, in response to previous incidents, in a special Security Center Website section, and establishing a Network and Information Security Lab and engaging security audit firm Rapid7. Despite these stated efforts to improve cybersecurity, these vulnerabilities lasted into 2017 and the report of the independent researcher montecrypto.

Track Record of Hikvision Cybersecurity Problems

Hikvision has a long history of cybersecurity vulnerabilities affecting their products: 

In the 2016 Cyber Security For Video Surveillance Study, integrators gave Hikvision the worst cyber security rating among manufacturers. While Dahua's own backdoor will give Hikvision competition, Hikvision's new vulnerabilities here will increase their own challenges.

23 reports cite this report:

Intersec 2019 Show Report on Jan 23, 2019
The 2019 Intersec show, held annually in Dubai, is now complete. IPVM attended for 3 days, interviewing numerous Chinese and Western video...
Huawei Hisilicon Quietly Powering Tens of Millions of Western IoT Devices on Dec 12, 2018
Huawei Hisilicon chips are powering, at least, tens of millions of Western IoT devices, such as IP cameras and surveillance recorders, a fact that...
"New Zealand Govt Uses Chinese Cameras Banned In US", Considers Security Audit on Oct 12, 2018
Newsroom NZ has issued a report: "NZ Govt uses Chinese cameras banned in US": This comes after the US federal government banned purchases of...
Cybersecurity Startup VDOO Disclosing 10 Manufacturer Vulnerabilities Starting With Axis And Foscam on Jun 20, 2018
Cybersecurity startup VDOO has uncovered significant vulnerabilities in Axis cameras along with many others not yet disclosed. In this report, we...
French National Police Buy 10,400 Hikvision Body Cameras on May 31, 2018
France’s national police forces bought 10,400 Hikvision body cameras earlier this year, in a high-profile deal that’s coming into effect as the...
Directory of Video Surveillance Cybersecurity Vulnerabilities and Exploits on May 02, 2018
This list compiles reported exploits for security products, and is updated regularly. We have summarized exploits by date and by manufacturer,...
The 2018 Surveillance Industry Guide on Jan 16, 2018
The 300 page, 2018 Video Surveillance Industry Guide, covering the key events and the future of the video surveillance market, is now available,...
Xiongmai New Critical Vulnerability - Same Manufacturer Whose Products Drove Mirai Botnet Attacks on Dec 12, 2017
The Chinese manufacturer whose products were primarily responsible for the 2016 Mirai botnet attack has a new critical vulnerability, confirmed by...
Hikvision Backdoor Exploit on Sep 03, 2017
Full disclosure to the Hikvision backdoor has been released, allowing easy exploit of vulnerable Hikvision IP cameras. As the researcher, Monte...
Fortune 500 Company Bars Dahua and Hikvision on Aug 30, 2017
A Fortune 500 company has barred Dahua and Hikvision cameras from a large RFP due to cyber security concerns, IPVM has confirmed with the...
Hikvision VMS Password Recovery Vulnerability - Emailing Admin Passwords In Plain Text on Aug 28, 2017
Hikvision iVMS-4200 suffers from a vulnerability that allows anyone local, without authentication, to generate a code that Hikvision will respond...
Hikvision USA Head of Cybersecurity Exits on Jul 18, 2017
Hikvision USA's Head of Cybersecurity has exited the company. In this note, we review the move, share Hikvision's feedback and examine the...
Hikvision Hits Record 'ALL PRODUCTS' Sales Run on Jun 30, 2017
Hikvision has a new record. This one is for the most times a video surveillance manufacturer has put all their products on sale in 2 months....
Hikvision: IPVM Is "Destined To Fail" on Jun 14, 2017
Hikvision has accused IPVM of 'cyberbullying' them, declaring IPVM 'destined to fail.' This is the 3rd anti-IPVM Hikvision post in 2 weeks,...
Morten Tor Nielsen Defends Hikvision on Jun 12, 2017
Morten Tor Nielsen, veteran software developer for Prescienta working for OnSSI, has posted "In Defence of Hikvision". As Nielsen explains...
Hikvision Hardening Guide Recommends Port Forwarding on Jun 09, 2017
Hikvision's Network Security Hardening Guide recommends port forwarding as a 'standard configuration', highlighted below: In this note, we...
Hikvision Gives IPVM An 'F' on Jun 06, 2017
Two weeks after Hikvision called IPVM 'absolutely unethical' and 'anti-everything', Hikvision has given IPVM, in their words, an 'F'. Hikvision...
Milestone Entry Level Mobile Password Vulnerability Disclosed on May 24, 2017
While many manufacturers have only addressed cybersecurity vulnerabilities after public disclosures were made (or threatened), Milestone has...
Hikvision Marketer Caught Spamming, Fails at Coverup, Fired on May 23, 2017
A Hikvision marketing employee was caught by IPCamTalk trying to surreptitiously disparage IPVM and IPCamTalk. This is an outgrowth of Hikvision's...
Forget The Backdoor, "ALL HIKVISION PRODUCTS" On Sale on May 18, 2017
Less than 2 weeks after the Hikvision Backdoor was confirmed, Hikvision has launched a sale "ON ALL HIKVISION PRODUCTS". In this note, we examine...
Cisco: Hikvision Hired Us on May 16, 2017
The day after Hikvision's backdoor was confirmed by the US Department of Homeland Security, Hikvision issued a press release about a...
Hikvision Blaming Backdoor On Others, Cannot Hide From DHS on May 11, 2017
Numerous Hikvision employees are blaming their backdoor on others but Hikvision cannot hide from the US Department of Homeland Security. Blaming...
Hikvision 'Privilege-Escalating' Security Vulnerability, Actually a Backdoor on Mar 13, 2017
Hikvision has disclosed a new security vulnerability that affects 200+ of their IP cameras over the past few years. In this note, we examine the...
Comments (67) : PRO Members only. Login. or Join.

Related Reports on Hacking

Dahua Wiretapping Vulnerability on Aug 02, 2019
IPVM has validated, with testing, and from Dahua, that many Dahua cameras have a wiretapping vulnerability. Even if the camera's audio has been...
LifeSafety Power NetLink Vulnerabilities And Problematic Response on May 20, 2019
'Power supplies' are not devices that many think about when considering vulnerabilities but as more and more devices go 'online', the risks for...
Register Now - Fall 2019 IP Networking Course on May 02, 2019
Register for the Fall 2019 IP Networking Course. For early registration save $50 off the course's normal $299 price. This is the only networking...
Locking Down Network Connections Guide on Apr 23, 2019
Accidents and inside attacks are risks when network connections are not locked down. Security and video surveillance systems should be protected...
Silicon Valley Cybersecurity Insurance Startup Coalition Profile on Mar 20, 2019
Many industry people believe cybersecurity insurance is not worth it, as the voting and debate in our Cybersecurity Insurance For Security...
Hikvision Favorability Results 2019 on Mar 18, 2019
Hikvision favorability results declined significantly in IPVM's 2019 study of 200+ integrators. While in 2017 Hikvision's favorability was...
Bosch VDOO 2018 Vulnerability on Dec 20, 2018
Security research firm VDOO has discovered a critical vulnerability in Bosch IP cameras. Inside, we cover the available details of this new...
Genetec UL Cybersecurity Certificate (2900-2-3) Examined on Dec 19, 2018
Proving a company is cybersecure has become a major concern for security companies. But how trustworthy are these certificates? Earlier in 2018, a...
No GDPR Penalties For UK Swann 'Spying Hack' on Nov 20, 2018
The UK’s data protection agency has closed its investigation into Infinova-owned Swann Security UK, the ICO confirmed to IPVM, deciding to take “no...
HID: Stop Selling Cracked 125 kHz Credentials on Nov 05, 2018
HID should stop selling cracked 125 kHz access control credentials, that have been long cracked and can easily be copied by cheap cloners sold on...

Most Recent Industry Reports

Uniview Beats Intel In Trademark Lawsuit on Aug 19, 2019
Uniview has won a long-running trademark lawsuit brought by Intel, with Beijing's highest court reversing an earlier Intel win, centered on...
Suprema Biometric Mass Leak Examined on Aug 19, 2019
While Suprema is rarely discussed even within the physical security market, the South Korean biometrics manufacturer made global news this past...
Verkada People And Face Analytics Tested on Aug 16, 2019
This week, Verkada released "People Analytics", including face analytics that they describe is a "game-changing feature" that "pushes the...
Dahua OEM Directory 2019 on Aug 16, 2019
US Government banned Dahua OEMs for dozens of companies. The following directory includes 40+ of those companies with a graphic and links to...
Installation Course - Register Now on Aug 15, 2019
Register Now for the September 2019 Video Surveillance Install Course. This is a unique installation course in a market where little practical...
Axis Suffers Outage, Provides Postmortem on Aug 15, 2019
This week, Axis suffered an outage impacting their website and cloud services. Inside this note, we examined what happened, what was impacted...
Hikvision Scrutinized In The Netherlands on Aug 15, 2019
Hikvision is facing unprecedented scrutiny in the Netherlands, at the same time the US government ban has taken effect. This week, a Dutch...
Axis 4K Camera Shootout 2019 on Aug 14, 2019
Axis' 4K Q3518-LVE claims the "best video quality possible", with Lightfinder super low light performance, Axis' high end Forensic WDR, and...
CheckMySystems Company Profile on Aug 14, 2019
CheckMySystems says that too many users respond, "I get an email when something is wrong" when talking about their video system maintenance plan,...
Hikvision OEM Directory on Aug 13, 2019
The Chinese government-owned and US-government banned Hikvision has become the world's largest video surveillance manufacturer and generally hidden...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact