Hikvision Backdoor Confirmed

By: Brian Karas, Published on May 08, 2017

The US Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has issued an advisory for vulnerabilities to Hikvision cameras, crediting and confirming the work of researcher Montecrypto who originally disclosed the backdoor in Hikvision cameras.

Backdoor Disclosure

On March 5, 2017, Montecrypto declared:

I would like to confirm that there is a backdoor in many popular Hikvision products that makes it possible to gain full admin access to the device.

Confirming one week later that:

One can remotely escalate their privileges from anonymous web surfer to admin.

DHS Advisory On Hikvision

The US Department of Homeland Security gave the Hikvision cameras its worst / highest score - a 10.0 out of 10.0 - confirming that it is "remotely exploitable/low skill level to exploit" for "improper authentication." Moreover, DHS additionally confirmed a "password in configuration file", scoring it a critical 8.8 out of 10.0.

Hikvision Response

Get Notified of Video Surveillance Breaking News
Get Notified of Video Surveillance Breaking News

On March 12, Hikvision sent a notice of a 'privilege escalating vulnerability' and issued firmware upgrades for 200+ Hikvision IP cameras addressing the vulnerabilities. IPVM estimates easily millions of cameras have these vulnerabilities given Hikvision's own regular declarations of shipping tens of millions of cameras.

On May 4, Hikvision sent an update on that notice declaring [link no longer available]:

Hikvision is honored to work with the U.S. Department of Homeland Security’s National Cybersecurity and Communications Integration Center in our ongoing cybersecurity best practice efforts.

Grey Market No Solution

No solution is available for those who have bought 'grey market' Hikvision cameras as, depending on the variant, upgrading firmware could revert the device, be blocked or brick the camera.

No Fix Yet For Password In Config File

The DHS advisory also notes:

Hikvision has not mitigated the password in configuration file vulnerability.

It is not clear if or when Hikvision will fix this.

No Proof Of Concept Released But Verified

While the US DHS has verified these vulnerabilities, no proof of concept code has been released for them. The lack of one should reduce the amount of exploits.

Hikvision users should certainly take this seriously and upgrade all devices. In describing this exploit to IPVM when it was first discovered, montecrypto stated:

If you can access login screen, you can log in as an admin or event recover admin's password without knowing it.

"No Backdoors" Claim

In early 2017, Hivision declared that:

Hikvision never has, does or would intentionally contribute to the placement of “backdoors” in its products.

The company will likely argue that this backdoor is not intentional though this depends on trusting them since verifying intent is difficult.

Hikvision Previous Hardening Efforts

Since 2015, Hikvision has made multiple statements about its commitment to cyber security, in response to previous incidents [link no longer available], in a special Security Center [link no longer available] Website section, and establishing a Network and Information Security Lab and engaging security audit firm Rapid7. Despite these stated efforts to improve cybersecurity, these vulnerabilities lasted into 2017 and the report of the independent researcher montecrypto.

Track Record of Hikvision Cybersecurity Problems

Hikvision has a long history of cybersecurity vulnerabilities affecting their products:

In the 2016 Cyber Security For Video Surveillance Study, integrators gave Hikvision the worst cyber security rating among manufacturers. While Dahua's own backdoor will give Hikvision competition, Hikvision's new vulnerabilities here will increase their own challenges.

23 reports cite this report:

Intersec 2019 Show Report on Jan 23, 2019
The 2019 Intersec show, held annually in Dubai, is now complete. IPVM...
Huawei Hisilicon Quietly Powering Tens of Millions of Western IoT Devices on Dec 12, 2018
Huawei Hisilicon chips are powering, at least, tens of millions of Western...
"New Zealand Govt Uses Chinese Cameras Banned In US", Considers Security Audit on Oct 12, 2018
Newsroom NZ has issued a report: "NZ Govt uses Chinese cameras banned in...
Cybersecurity Startup VDOO Disclosing 10 Manufacturer Vulnerabilities Starting With Axis And Foscam on Jun 20, 2018
Cybersecurity startup VDOO has uncovered significant vulnerabilities in Axis...
French National Police Buy 10,400 Hikvision Body Cameras on May 31, 2018
France’s national police forces bought 10,400 Hikvision body cameras...
Directory of Video Surveillance Cybersecurity Vulnerabilities and Exploits on May 02, 2018
This list compiles reported exploits for security products, and is updated...
The 2018 Surveillance Industry Guide on Jan 16, 2018
The 300 page, 2018 Video Surveillance Industry Guide, covering the key events...
Xiongmai New Critical Vulnerability - Same Manufacturer Whose Products Drove Mirai Botnet Attacks on Dec 12, 2017
The Chinese manufacturer whose products were primarily responsible for...
Hikvision Backdoor Exploit on Sep 03, 2017
Full disclosure to the Hikvision backdoor has been released, allowing easy...
Fortune 500 Company Bars Dahua and Hikvision on Aug 30, 2017
A Fortune 500 company has barred Dahua and Hikvision cameras from a large RFP...
Hikvision VMS Password Recovery Vulnerability - Emailing Admin Passwords In Plain Text on Aug 28, 2017
Hikvision iVMS-4200 suffers from a vulnerability that allows anyone local,...
Hikvision USA Head of Cybersecurity Exits on Jul 18, 2017
Hikvision USA's Head of Cybersecurity has exited the company. In this note,...
Hikvision Hits Record 'ALL PRODUCTS' Sales Run on Jun 30, 2017
Hikvision has a new record. This one is for the most times a video...
Hikvision: IPVM Is "Destined To Fail" on Jun 14, 2017
Hikvision has accused IPVM of 'cyberbullying' them, declaring IPVM 'destined...
Morten Tor Nielsen Defends Hikvision on Jun 12, 2017
Morten Tor Nielsen, veteran software developer for Prescienta working for...
Hikvision Hardening Guide Recommends Port Forwarding on Jun 09, 2017
Hikvision's Network Security Hardening Guide recommends port forwarding as a...
Hikvision Gives IPVM An 'F' on Jun 06, 2017
Two weeks after Hikvision called IPVM 'absolutely unethical' and...
Milestone Entry Level Mobile Password Vulnerability Disclosed on May 24, 2017
While many manufacturers have only addressed cybersecurity vulnerabilities...
Hikvision Marketer Caught Spamming, Fails at Coverup, Fired on May 23, 2017
A Hikvision marketing employee was caught by IPCamTalk trying to...
Forget The Backdoor, "ALL HIKVISION PRODUCTS" On Sale on May 18, 2017
Less than 2 weeks after the Hikvision Backdoor was confirmed, Hikvision has...
Cisco: Hikvision Hired Us on May 16, 2017
The day after Hikvision's backdoor was confirmed by the US Department of...
Hikvision Blaming Backdoor On Others, Cannot Hide From DHS on May 11, 2017
Numerous Hikvision employees are blaming their backdoor on others but...
Hikvision 'Privilege-Escalating' Security Vulnerability, Actually a Backdoor on Mar 13, 2017
Hikvision has disclosed a new security vulnerability that affects 200+ of...
Comments (67) : Members only. Login. or Join.

Related Reports

Use Access Control Logs To Constrain Coronavirus on Apr 09, 2020
Access control users have included capabilities that are not commonly used...
Milestone Presents XProtect On AWS on May 04, 2020
Milestone presented its XProtect on AWS offering at the April 2020 IPVM New...
HID Presents Mercury Security & Aero Access Controllers on Aug 25, 2020
HID presented Mercury Security & Aero Access Controllers at the 2020 IPVM...
Defendry Presents AI Active Shooter Security System on Jul 14, 2020
Defendry presented its Active Shooter security system at the May 2020 IPVM...
Euklis Presents AI Analytics on May 05, 2020
Euklis presented its AI facial recognition, LPR, and object recognition...
US GSA Explains NDAA 889 Part B Blacklisting on Jul 31, 2020
With the 'Blacklist Clause' going into effect August 13 that bans the US...
Dahua Critical Cloud Vulnerabilities on May 12, 2020
Dahua has acknowledged a series of cloud vulnerabilities that researcher...
ISS Presents Face As A Credential and UVSS on Apr 30, 2020
ISS presented its security platform, including access control integration,...
SenseB4 Presents Cloud Network Device Monitoring on Jun 09, 2020
SenseB4 presented its cybersecurity and network health monitoring products at...
Camect Presents Residential Market Smart NVR with AI Analytics on Aug 19, 2020
Camect presented its AI video analytics enhanced NVR at the May 2020 IPVM...
ZKTeco Presents SpeedFace Recognition + Body Temperature Detection on Apr 21, 2020
ZKTeco presented its SF1008+ reader with body temperature and face mask...
Dormakaba Presents Switch Tech Smartlocks on May 01, 2020
Dormakaba presented its Switch Tech smartlock at the April 2020 IPVM New...
IPConfigure Presents Orchid Fusion VSaaS on Apr 30, 2020
IPConfigure presented Orchid Fusion VSaaS at the April 2020 IPVM New Products...
Camio Presents Coronavirus Social Distancing Analytics on Apr 20, 2020
Camio presented its social distancing analytics for responding to coronavirus...
Verkada Access Control Tested on Sep 09, 2020
Verkada raised $80 million earlier in 2020, expanding from video into access...

Recent Reports

FLIR CEO: Many New Fever Entrants "Making Claims That The Science Just Won't Support" on Sep 22, 2020
FLIR's CEO joins a growing number calling out risks with fever / screening...
China Bems Temperature Measurement Terminal Tested on Sep 22, 2020
Guangzhou Bems (brand Benshi) is the manufacturer behind temperature...
Axis Exports To China Police Criticized By Amnesty International on Sep 21, 2020
Axis Communications and other EU surveillance providers are under fire from...
Milestone XProtect on AWS Tested on Sep 21, 2020
Milestone finally launched multiple cloud solutions in 2020, taking a...
Mobile Access Control Usage Statistics 2020 on Sep 21, 2020
Most smartphones can be used as access control credentials, but how...
Axis Compares Fever Camera Sellers to 9/11 on Sep 18, 2020
Axis Communications, the West's largest surveillance camera manufacturer, has...
Avigilon Elevated Temperature Detection Camera Tested on Sep 17, 2020
Avigilon has entered the temperature screening market with the release of...
Chilean Official Investigated for Motorola And Hikvision Contracts on Sep 17, 2020
A corruption investigation is underway in Chile after a crime prevention...
Huawei HiSilicon Production Shut Down on Sep 17, 2020
Huawei HiSilicon chips are no longer being manufactured or supplied to...
Virtual ISC West and GSX+ Exhibiting Contrasted on Sep 17, 2020
Both ISC West and ASIS GSX are going virtual this year, just weeks apart, but...
X.Labs Sues FLIR on Sep 16, 2020
X.Labs, the maker of Feevr, has sued FLIR, the publicly traded thermal...
Video Surveillance 101 September Course - Last Chance on Sep 16, 2020
Today is the last chance to sign up for the Fall Video Surveillance 101...
No Blackbody Mistake, Half Million Dollar, Hikvision Fever Camera System in Georgia on Sep 16, 2020
A Georgia school district touted buying Hikvision fever screening "about...
Costar Technologies / Arecont H1 2020 Financials Examined on Sep 16, 2020
Costar's financial results have been hit by the coronavirus with the company...
Startup Cawamo Presents Live Alerts With Edge AI and Cloud VMS on Sep 15, 2020
Cawamo, an Israeli edge-to-cloud analytics and VMS startup, presented its...