Hikvision Default Password Hacking

By: John Honovich, Published on Mar 03, 2015

What was once just warnings and consumer concerns has exploded into a major problem for Hikvision.

A Chinese province's Hikvision devices have been hacked.

In this note, we examine what happened, what Hikvision says they are doing about this and what this means for the mega-manufacturer.

Update September 2015. Hikvision has suffered another major hack.

Hikvision Historical Security Problems

As background, Hikvision had already been hit with a number of security concerns / issues over the past few years. The most infamous was Wired's article on Hikvision: HACKERS TURN SECURITY CAMERA DVRS INTO WORST BITCOIN MINERS EVER. In addition, there was a buffer overflow vulnerability found later in 2014. Even more basically, since Hikvision historically did not force users to change default passwords, and since there are so many Hikvision products out there, Hikvision made itself an obvious target for even the least sophisticated hackers.

The Chinese Province Hack

Given the historical problems, what is important here is that this incident is hitting a government organization, where information security is critical.

The province is Jiangsu, on the East coast of China, with ~80 million people.

In a press release only posted on Hikvision's Chinese site (see google translation), Hikvision admits that their products were hacked inside the Jiangsu Province Internet Emergency Center. Hikvision claims that this was due to the use of weak passwords / default passwords. We cannot confirm that as we have no connection to the Jiangsu government.

Get Notified of Video Surveillance Breaking News
Get Notified of Video Surveillance Breaking News

However it happened, the fact that government video surveillance equipment was hacked is a major problem. Indeed, this is even worse given the Chinese government's recent efforts to restrict foreign products that might expose them to hacking / attacks.

Hikvision's Response

In response, Hikvision USA Outlines Updates to Surveillance Products report has been released.

It summarizes steps they have already done in the past year and discloses a new release scheduled for later this month (5.3.0).

[[Note: This firmware has been released. See our full test of it here.]]

Key changes in this upcoming release include:

  • Forcing change of the default password (an obvious step and a key risk otherwise)
  • Disabling telnet access (telnet is considered quite vulnerable)
  • Lockouts after 5 incorrect login attempts (helpful to stop brute force attempts)

The Impact

Hikvision's stock dropped 7.5% in the first day of trading post the full disclosure (trading was actually halted Monday). In percentages terms, that is not huge but at their size, it is a drop of more than $1 billion USD in value. On the second day, the stock price rose slightly, indicating that the market does not view this as a major risk.

Update: June 25, 2015: Less than 3 months later, Hikvision's stock price is up more than 50% since the hacking announcement, showing that the market does not really care about this.

Since Hikvision is partially owned by the Chinese government and has deep connections, we doubt that this will be a fatal issue for Hikvision domestically. On the other hand, it is clearly a black eye for Hikvision and something that was hotly discussed inside of China.

In North America and Europe, we think the impact will be more severe. Rival manufacturers have already been hammering Hikvision as being 'spamware'. This will simply confirm it. On the lower end of the market, where Hikvision is most commonly used, outside of China, we suspect most will not care strongly as information security tends not to be a priority compared to price. However, as Hikvision tries to expand into the mid and high end markets, we think this will cause significant resistance, making it easy for rivals to declare, "Sure, you can buy Hikvision for half the price but with Axis you won't get hacked."

Hikvision Integrators / Users / OEMs

If you are a Hikvision integrator, user or OEM, you better very carefully review your deployed products and absolutely ensure that everything is upgraded immediately. Hikvision firmware upgrades are available here.

After a hack of this magnitude, it is going to be extremely hard to explain how you allowed your equipment to be hacked. And Hikvision products deployed before a year ago (and not upgraded) have many very basic / simple vulnerabilities. It is hard for us to tell if the upgrades solve every possible risk, but it is obvious that the older versions are significantly risk prone.

Poll

17 reports cite this report:

US Embassy Requires Hikvision Cameras on Aug 29, 2016
The US Embassy in Kabul Afghanistan has required only Hikvision cameras in a...
ADI Refuses to Fix Their OEM'd Hikvision Security Risks [Solved] on Mar 09, 2016
More than a year after massive hacks against Hikvision was disclosed; More...
Arecont and Bosch - Default Security Risk on Dec 14, 2015
Default passwords are a major security risk, enabling hackers around the...
Axis Cybersecurity Hardening Guide Examined on Nov 19, 2015
In most IT areas, 'hardening' guides are commonplace, providing best...
Hikvision Hires Pelco / G4S Exec Sam Belbina on Nov 10, 2015
Hikvision gets another major industry executive. He was most recently the...
Winners Losers Fall 2015 on Oct 12, 2015
There's a lot of losing right now, unfortunately. The industry is moving...
Dahua Finally Has A US Distributor on Oct 08, 2015
Finally. Billion dollar Dahua is the 'smaller' of the two mega Chinese...
Warning: ADI and Tri-Ed Video Products Major Security Risk on Sep 22, 2015
Recently, ADI and Tri-Ed both started OEMing Hikvision products. Reference -...
Hikvision Trojan Mobile App on Sep 22, 2015
With a vengeance. The last time, the industry mostly shook it off. This...
Anixter/Tri-Ed Northern Video Tested on Sep 18, 2015
ADI is an IP video manufacturer now (see IPVM's ADI W Box test results). And...
ADI's W Box Camera / NVR Gen 1 (Hikvision) Tested on Jul 22, 2015
ADI moves hundreds of millions of dollars worth video surveillance equipment...
Pros and Cons - Automating Firmware Updates on Jul 01, 2015
Firmware and software updates are one of the most tedious tasks in...
Hikvision Anti Hacking Firmware Tested on Jun 03, 2015
Hikvision has had historic hacking problems, with DVRs turned into Bitcoin...
Hikvision Hires Ex-Samsung / Panasonic Exec on May 18, 2015
Hikvision's expansion continues, with the mega Chinese manufacturer now...
Axis Cuts Prices 2015 on Mar 09, 2015
Axis has cut prices on a number of their most popular markets.  In this...
NMAPing IP Cameras on Mar 05, 2015
The Hikvision hack has increased security concerns. Indeed, most users do...
Avigilon 2014 Financials Disappoint Investors on Mar 04, 2015
Hikvision admits their equipment got hacked in a large government deployment...
Comments (46) : Members only. Login. or Join.

Related Reports

China Surveillance Vulnerabilities Being Used To Attack China, Says China on Apr 07, 2020
While China video surveillance vulnerabilities have been much debated in the...
Hikvision Global News Reports Directory on Aug 13, 2020
Hikvision has received the most global news reporting of any video...
Hikvision Put on US DoD "Communist Chinese Military Companies" List, Faces Risk of Presidential Sanctions on Jun 26, 2020
The US DoD has put Hikvision on a list of "Communist Chinese Military...
Coronavirus Impacting Hikvision and China Manufacturers on Feb 03, 2020
The coronavirus epidemic spreading through China has started to impact video...
2020 Mid Year Video Surveillance Industry Guide on Jul 27, 2020
The first half of 2020 has been shocking, for the world generally, and for...
Coronavirus Hits Manufacturers, Standing Now, Worse To Come on Apr 06, 2020
Coronavirus is hitting security manufacturers, though overall modestly for...
Dahua, Hikvision, ZKTeco Face Mask Detection Shootout on Jun 19, 2020
Temperature tablets with face mask detection are one of the hottest trends in...
Dangerous Hikvision Fever Screening Marketing In Africa on Sep 15, 2020
A multi-national African Hikvision distributor is marketing dangerously...
Bottom: Integrators Start To Stand Vs Coronavirus on Apr 20, 2020
Good news - IPVM integrator statistics show that while coronavirus has hit...
Faulty Hikvision Cali Colombia Fever Camera Implementation on Jul 20, 2020
The mayor of one of Colombia's largest cities has promoted a faulty Hikvision...
Hikvision Chairman Targeted For Sanctions As Federal Watchdog Calls Out Hikvision "Serious Religious Freedom Violations" on May 21, 2020
The US government's religious freedom watchdog has criticized Hikvision for...
Top Manufacturers Gaining and Losing 2019 on Nov 18, 2019
2019 has been an explosive year for video surveillance, with the world's two...
Dahua Critical Cloud Vulnerabilities on May 12, 2020
Dahua has acknowledged a series of cloud vulnerabilities that researcher...
Uniview H1 2020 Financials Examined on Sep 08, 2020
While Dahua and Hikvision, helped by fever camera sales, are recovering from...
Worst NVR / VMS Manufacturers 2020 on Feb 10, 2020
For the second time in a row, a global manufacturer has been selected by...

Recent Reports

New Products Show Fall 2020 continues tomorrow with Genetec, Milestone, Avigilon, Microsoft and more! on Sep 29, 2020
IPVM's sixth online show continues tomorrow and will feature New Products...
Avigilon / Motorola VS Virtual ISC West on Sep 29, 2020
ISC West has historically been so dominant that no player would think of...
Dartmouth College Deploys K3 Temperature Screening on Sep 29, 2020
While Dartmouth College has a $6+ billion endowment, the College has bought...
Hanwha AI Object Detection Tested on Sep 28, 2020
Hanwha has added detection and classification of people, cars, clothing...
Favorite Access Control Manufacturers 2020 on Sep 28, 2020
200+ Integrators told IPVM "What is your favorite access control management...
OnTech Smart Services Partners With Google and Amazon To Compete With Integrators on Sep 25, 2020
A pain point for many homeowners to use consumer security and surveillance is...
The Future of Metalens For Video Surveillance Cameras - MIT / UMass / Immervision on Sep 25, 2020
Panoramic cameras using 'fisheye' lens have become commonplace in video...
Hikvision Sues Over Brazilian Airport Loss on Sep 24, 2020
Hikvision was excluded from a Brazilian airport project because it is owned...
China General Chamber of Commerce Calls Out US Politics on Sep 24, 2020
While US-China relations are at an all-time low, optimism about relations...
Verkada Disruptive Embedded Live Help on Sep 24, 2020
Call up your integrator? Have someone come by the next day? Verkada is...
IP Networking Course Fall 2020 - Last Chance - Register Now on Sep 23, 2020
Today is the last chance to register for the only IP networking course...
Drain Wire For Access Control Reader Tutorial on Sep 23, 2020
An easy-to-miss cabling specification plays a key role in access control, yet...
Norway Council of Ethics Finds Hikvision Human Rights Abuses "Ongoing" on Sep 23, 2020
Hikvision's involvement in "serious human rights abuse" in Xinjiang is...
IPVM Camera Calculator User Manual / Guide on Sep 23, 2020
Learn how to use the IPVM Camera Calculator (updated for Version 3.1). The...