Hikvision Defaulted Devices Getting Hacked

Author: Brian Karas, Published on Mar 02, 2017

Hikvision devices with default passwords and remote network access enabled (via DDNS, public IPs, etc.) have experienced wide spread hacking over the past month locking out users, IPVM has confirmed.

This is new, and from what has been reported by those affected, appears to be different than Mirai. During the Mirai botnet attacks in 2016, there were no reports of Hikvision devices being hacked.

[UPDATE: 4 hours after IPVM's report was released, Hikvision sent an email to its dealers admitting this.]

Reported Infections

US, UK and New Zealand integrators have all reported cases of Hikvision recorders being attacked, at least hundreds of devices in the past month from just these reports:

Today lots of Hikvision customers dvr/nvrs, used till now with default password (12345), seem to have changed password by themselves.

We are HiKVision OEM partner. These DVRs will have been hacked. Over the last week we have had over 150 customer DVRs that have been hacked and the password changed.

I just experienced my first one this week. Symptom was DVR not accessible via browser or app, password didn't work. I had to go on site and run the password reset. Was an older firmware and it let me. When I got back in I found this: I never created a "system" account.

I have had a couple Interlogix cameras (same thing as Hikvision renamed) do the same thing and we had to go out and physically factory default the camera. The weird think about it is that they are attached to an Avigilon VMS and not open to the Internet. Something very odd going on here and I can't figure it out.

We've had four customers in the last couple of weeks locked out of their Hikvision recorders by what looks like bot. All clients were on old firmware with default admin password of 12345 and default ports -I know, I know, they were all installs from years ago who we hadn't visited since. In all cases the admin password has changed and a new SYSTEM user has been added. Our Hikvision distributor has been inundated with pw reset code requests.

Get Video Surveillance News In Your Inbox
Get Video Surveillance News In Your Inbox

Most of our calls (20-30) were HIK OEM’s (KT&C rebrands TVL series) HD-TVI recorders.

In every case reported so far, the recorders were using the default admin password "12345", and had remote access to the web interface on port 8000. Firmware versions affected are unknown, but are likely older versions before Hikvision forced users to set their own admin password.

The attack changes the default admin password, and adds a new account, "system" to the device. So far there is no evidence the recorders have been used in any kind of botnet attack.

Stopping / Handling This

Botnets move fast across the Internet - iterating over the finite number of public IP addresses is straightforward, and tools like Shodan plus Hikvision's Online still unfixed enumeration vulnerability make it easy to find devices that may be susceptible to a known exploit. Chances are, if your Hikvision recorder has an admin password of "12345", or an easily guessed password, and is accessible via the public Internet, it has already been hacked.

If your recorder has a "system" account in the user list that was not added on purpose, it has been affected:

If you have been hacked, you will need to restore the admin password to gain access to the device. One integrator reported success using Hikvision's password reset function, others have done a physical restore/reset on the device.

If you have not been hacked, ensure the admin password is set to something uncommon and not easily guessed. Additionally, ensure firmware is kept up to date, check Hikvision's firmware directory for latest versions.

Attack Details

Because affected devices have not had ports like telnet or SSH open, or were running firmware builds known to have these services disabled, the most likely scenario is that the attack utilizes the web UI to create the new account and alter the admin password.

The attack can most likely try passwords other than "12345", similar to how Mirai has a list of common username/password combinations it tries on each device it attacks.

This attack also has the potential to infect many more devices than Mirai did, as it only requires remote access to the standard user interface, and does not require telnet or SSH access. Where Mirai relied on devices with no firewall, or poorly configured firewalls, this attack can target devices that are behind a firewall, as long as they have basic remote access enabled.

Purpose/Extent Of Exploit Unknown

What the attack does that may not be visible, such as upload scripts or files intended to be called later, after enough devices are infected to create a strong botnet army, is not yet known. Because of this, the best course of action would be to completely reset the device, upgrade to latest firmware, and set a strong admin password before putting it back online.

Responsibility

While Hikvision is responsible for making such equipment, the integrators and users involved are responsible, both for not having upgraded their equipment in 2 years or more since these risks were made clear by Hikvision, and by incidents like the Mirai botnet that relied on poorly secured devices.

Market Impact

While Hikvision can rightfully point to its efforts to improve in the past 2 years, they will still suffer from the various integrators and end users who are impacted by this botnet hacking, and having to spend time resetting or restoring affected units.

UPDATE: Hikvision Admits

Hikvision has obviously known about this for weeks. If IPVM is getting a half dozen reports, that means Hikvision must have gotten 500 or 5,000 reports. However, instead of doing the right thing and letting people know immediately about this, they choose to hide it until IPVM's report forced them to acknowledge it. By delaying, they have put more users at risk.

4 hours after IPVM's report was released, Hikvision (USA) sent an email to its dealers admitting this:

Here is Hikvision's full "Defense' statement about the attacks.

Vote / Poll

10 reports cite this report:

Canon Responds To IP Camera Hacks on May 30, 2018
Canon cameras made international news earlier this month, with reports of them being hacked in Japan (e.g., Hackers disable scores of Canon-made...
Hikvision Happy With Bad Security Unless Hit With Bad Press on Aug 28, 2017
Hikvision is happy to have bad cyber security unless they are hit with bad press, as we detail inside. When you look at the pattern of their...
Hikvision Responds To Cracked Security Codes on Aug 15, 2017
Hikvision has responded to IPVM's report on Hikvision's security code being cracked, both with a 2 page update to dealers and communication...
Morten Tor Nielsen Defends Hikvision on Jun 12, 2017
Morten Tor Nielsen, veteran software developer for Prescienta working for OnSSI, has posted "In Defence of Hikvision". As Nielsen explains...
Hikvision Backdoor Confirmed on May 08, 2017
The US Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has issued an advisory for...
Manufacturers Cheer ISC West 2017 Performance on Apr 11, 2017
ISC West 2017 showed strong satisfaction results from manufacturers, similar to 2016's ISC West. 100 manufacturers rated their impressions of ISC...
Q1 2017 Video Surveillance Market Review on Mar 30, 2017
These are the most notable moves and events for January - March 2017 in the video surveillance market. Cybersecurity Rising Cybersecurity, once...
Uniview Weak Local / Strong Remote Password Policy Tested on Mar 14, 2017
With the continuing onslaught of cyber-security breaches (see Dahua backdoor recently discovered, Hikvision defaulted devices getting hacked)...
Who Is Hacking Hikvision Devices? on Mar 06, 2017
Someone or organization is mass hacking Hikvision devices, actively and systematically running a script / program across the Internet that looks...
Dahua Backdoor Uncovered on Mar 06, 2017
A major cyber security vulnerability across many Dahua products has been discovered by an independent researcher, reported on IPVM, verified by...
Comments (82) : PRO Members only. Login. or Join.

Related Reports

Avigilon Favorability Results 2019 on Jan 15, 2019
Since IPVM's 2017 Avigilon favorability results, the company was acquired by Motorola and has shifted from being an aggressive startup to a more...
Pelco Favorability Results 2019 on Jan 11, 2019
Pelco had a significant favorability problem amongst integrators in our previous study (see 2016 Pelco results). Now, in the first edition of our...
Last Chance - Winter 2019 IP Networking Course on Jan 10, 2019
Today is the last day to register for the Winter 2019 IP Networking course. This is the only networking course designed specifically for video...
The Battle For The VSaaS Market Begins 2019 - Alarm.com, Arcules, Eagle Eye, OpenEye, Qumulex, Verkada, More on Jan 02, 2019
2019 will be the year that VSaaS finally becomes a real factor for professional video surveillance. While Video Surveillance as a Service (VSaaS)...
US Gov China Ban Rules Process, SIA Lobbies Against 'Blacklisting', For 'Risk-Based Protocol' on Dec 27, 2018
Details have emerged about when the rules implementing the federal ban on Hikvision, Dahua, Huawei and others will be made public for official...
Bosch VDOO 2018 Vulnerability on Dec 20, 2018
Security research firm VDOO has discovered a critical vulnerability in Bosch IP cameras. Inside, we cover the available details of this new...
Genetec UL Cybersecurity Certificate (2900-2-3) Examined on Dec 19, 2018
Proving a company is cybersecure has become a major concern for security companies. But how trustworthy are these certificates? Earlier in 2018, a...
Top 2019 Trend - AI Video Analytics on Dec 10, 2018
160+ Integrators answered: What do you think the top industry trend will be in 2019? Why? AI / video analytics was the run-away winner with...
ADT Wins Fire Death Suit But Faces Appeal on Dec 05, 2018
ADT/Protection 1 has won a wrongful death court case in which it was sued by the estate of a deceased customer. However, the attorney for the...
ADT Promotes DIFY - "Do It For You" on Nov 30, 2018
"Do It Yourself" (DIY) is a popular expression and has become such a common word that it has even made the Cambridge English dictionary. But why...

Most Recent Industry Reports

Access Control Cabling Tutorial on Jan 15, 2019
Access Control is only as reliable as its cables. While this aspect lacks the sexiness of other components, it remains a vital part of every...
Gorilla Technology AI Provider, Raises $15 Million, Profiled on Jan 15, 2019
Gorilla Technology is a Taiwanese video analytics manufacturer that recently announced a $15 million investment from SBI Group, saying this...
2019 IP Networking Book Released on Jan 14, 2019
The new IP Networking Book 2019 is a 285 page in-depth guide that teaches you how IT and telecom technologies impact modern security...
Arecont Costar Layoffs on Jan 14, 2019
Arecont Vision, a Costar Company, has laid off more than 10% of their workforce in a move the company described to IPVM as a result of "important...
The False SCMP Story on Hikvision NYC AI on Jan 14, 2019
In the past week, one of Asia's largest publications, the South China Morning Post (SCMP), posted an article about "Chinese [facial recognition]...
WDR Tutorial on Jan 11, 2019
Understanding wide dynamic range (WDR) is critical to capturing high quality images in demanding conditions. However, with no real standards, any...
Pelco Favorability Results 2019 on Jan 11, 2019
Pelco had a significant favorability problem amongst integrators in our previous study (see 2016 Pelco results). Now, in the first edition of our...
Bad: Dahua Villa Video Doorbell Tested on Jan 11, 2019
Doorbells are one of the hottest segments in the residential market but Dahua's Villa Video Doorbell is the worst we have tested.   We bought and...
Last Chance - Winter 2019 IP Networking Course on Jan 10, 2019
Today is the last day to register for the Winter 2019 IP Networking course. This is the only networking course designed specifically for video...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact