Hikvision Defaulted Devices Getting Hacked

By: Brian Karas, Published on Mar 02, 2017

Hikvision devices with default passwords and remote network access enabled (via DDNS, public IPs, etc.) have experienced widespread hacking over the past month, locking out users, IPVM has confirmed.

This is new, and from what has been reported by those affected, appears to be different than Mirai. During the Mirai botnet attacks in 2016, there were no reports of Hikvision devices being hacked.

[UPDATE: 4 hours after IPVM's report was released, Hikvision sent an email to its dealers admitting this.]

Reported Infections

US, UK and New Zealand integrators have all reported cases of Hikvision recorders being attacked, with at least hundreds of devices affected in the past month from just these reports:

Today lots of Hikvision customers dvr/nvrs, used till now with default password (12345), seem to have changed password by themselves.

We are Hikvision OEM partner. These DVRs will have been hacked. Over the last week we have had over 150 customer DVRs that have been hacked and the password changed.

I just experienced my first one this week. Symptom was DVR not accessible via browser or app, password didn't work. I had to go on site and run the password reset. Was an older firmware and it let me. When I got back in I found this: I never created a "system" account.

I have had a couple Interlogix cameras (same thing as Hikvision renamed) do the same thing and we had to go out and physically factory default the camera. The weird thing about it is that they are attached to an Avigilon VMS and not open to the Internet. Something very odd going on here and I can't figure it out.

We've had four customers in the last couple of weeks locked out of their Hikvision recorders by what looks like a bot. All clients were on old firmware with default admin password of 12345 and default ports - I know, I know, they were all installs from years ago who we hadn't visited since. In all cases the admin password has changed and a new SYSTEM user has been added. Our Hikvision distributor has been inundated with pw reset code requests.

Most of our calls (20-30) were HIK OEM’s (KT&C rebrands TVL series) HD-TVI recorders.

In every case reported so far, the recorders were using the default admin password "12345", and had remote access to the web interface on port 8000. Firmware versions affected are unknown, but are likely older versions before Hikvision forced users to set their own admin password.

The attack changes the default admin password, and adds a new account, "system", to the device. So far there is no evidence the recorders have been used in any kind of botnet attack.

Stopping / Handling This

Botnets move fast across the Internet - iterating over the finite number of public IP addresses is straightforward, and tools like Shodan plus Hikvision's still-unfixed Online enumeration vulnerability make it easy to find devices that may be susceptible to a known exploit. Chances are, if your Hikvision recorder has an admin password of "12345", or an easily guessed password, and is accessible via the public Internet, it has already been hacked.

If your recorder has a "system" account in the user list that was not added on purpose, it has been affected.

If you have been hacked, you will need to restore the admin password to gain access to the device. One integrator reported success using Hikvision's password reset function, others have done a physical restore/reset on the device.

If you have not been hacked, ensure the admin password is set to something uncommon and not easily guessed. Additionally, ensure firmware is kept up to date; check Hikvision's firmware directory for the latest versions.
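For an integrator with many deployed recorders, the indicators above can be applied across a whole install base. The following is an added example, not IPVM's or Hikvision's code: the inventory format, column names and sample rows are constructed for illustration, and no device is contacted.

```python
import csv
import io

# Constructed sample inventory with hypothetical column names.
SAMPLE_INVENTORY = """\
site,default_admin_pw,remote_ports,admin_login_ok,users,expected_users
Shop A,yes,8000,no,,admin
Shop B,no,8000,yes,admin;SYSTEM,admin
Shop C,yes,8000;80,yes,admin,admin
Office D,no,,yes,admin;operator,admin;operator
Depot E,no,8000,yes,admin;system,admin;system
"""

RESET = "full reset, latest firmware, strong admin password before going back online"
HARDEN = "set a strong admin password and update firmware"


def names(field):
    """Split a ';'-separated list into a lower-cased set."""
    return {n.strip().lower() for n in field.split(";") if n.strip()}


def triage(inventory_csv):
    """Return (site, status, action) for each recorder in the inventory."""
    results = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        unexpected = names(row["users"]) - names(row["expected_users"])
        exposed = bool(names(row["remote_ports"]))
        if row["admin_login_ok"] == "no":
            # Admin password no longer works: user list is unreadable until reset.
            status, action = "LOCKED_OUT", RESET
        elif "system" in unexpected:
            # Account named in the reports ("system" / "SYSTEM"), not added on purpose.
            status, action = "COMPROMISED", RESET
        elif row["default_admin_pw"] == "yes" and exposed:
            status, action = "AT_RISK", HARDEN
        else:
            status, action = "OK", "none"
        results.append((row["site"], status, action))
    return results


if __name__ == "__main__":
    for site, status, action in triage(SAMPLE_INVENTORY):
        print(f"{site:10} {status:12} {action}")
```

A locked-out recorder is ranked first because its user list cannot be inspected until the admin password is restored, and a "system" account that appears in the expected list (Depot E) is not flagged.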

Attack Details

Because affected devices have not had ports like telnet or SSH open, or were running firmware builds known to have these services disabled, the most likely scenario is that the attack utilizes the web UI to create the new account and alter the admin password.

The attack can most likely try passwords other than "12345", similar to how Mirai has a list of common username/password combinations it tries on each device it attacks.

This attack also has the potential to infect many more devices than Mirai did, as it only requires remote access to the standard user interface, and does not require telnet or SSH access. Where Mirai relied on devices with no firewall, or poorly configured firewalls, this attack can target devices that are behind a firewall, as long as they have basic remote access enabled.

Purpose/Extent Of Exploit Unknown

What the attack does that may not be visible, such as uploading scripts or files intended to be called later, after enough devices are infected to create a strong botnet army, is not yet known. Because of this, the best course of action would be to completely reset the device, upgrade to the latest firmware, and set a strong admin password before putting it back online.

Responsibility

While Hikvision is responsible for making such equipment, the integrators and users involved are responsible for not having upgraded their equipment in the 2 years or more since these risks were made clear, both by Hikvision and by incidents like the Mirai botnet that relied on poorly secured devices.

Market Impact

While Hikvision can rightfully point to its efforts to improve in the past 2 years, it will still suffer as various integrators and end users are impacted by this botnet hacking and have to spend time resetting or restoring affected units.

UPDATE: Hikvision Admits

Hikvision has obviously known about this for weeks. If IPVM is getting a half dozen reports, that means Hikvision must have gotten 500 or 5,000 reports. However, instead of doing the right thing and letting people know immediately about this, they chose to hide it until IPVM's report forced them to acknowledge it. By delaying, they have put more users at risk.

4 hours after IPVM's report was released, Hikvision (USA) sent an email to its dealers admitting this.

Here is Hikvision's full "Defense" statement about the attacks.
