Hikvision Default Password Hacking
By John Honovich, Published Mar 03, 2015, 12:00am ESTWhat was once just warnings and consumer concerns has exploded into a major problem for Hikvision.
A Chinese province's Hikvision devices have been hacked.
In this note, we examine what happened, what Hikvision says they are doing about this and what this means for the mega-manufacturer.
Update September 2015. Hikvision has suffered another major hack.
Hikvision Historical Security Problems
As background, Hikvision had already been hit with a number of security concerns / issues over the past few years. The most infamous was Wired's article on Hikvision: HACKERS TURN SECURITY CAMERA DVRS INTO WORST BITCOIN MINERS EVER. In addition, there was a buffer overflow vulnerability found later in 2014. Even more basically, since Hikvision historically did not force users to change default passwords, and since there are so many Hikvision products out there, Hikvision made itself an obvious target for even the least sophisticated hackers.
The Chinese Province Hack
Given the historical problems, what is important here is that this incident is hitting a government organization, where information security is critical.
The province is Jiangsu, on the East coast of China, with ~80 million people.
In a press release only posted on Hikvision's Chinese site (see google translation), Hikvision admits that their products were hacked inside the Jiangsu Province Internet Emergency Center. Hikvision claims that this was due to the use of weak passwords / default passwords. We cannot confirm that as we have no connection to the Jiangsu government.
However it happened, the fact that government video surveillance equipment was hacked is a major problem. Indeed, this is even worse given the Chinese government's recent efforts to restrict foreign products that might expose them to hacking / attacks.
Hikvision's Response
In response, Hikvision USA Outlines Updates to Surveillance Products report has been released.
It summarizes steps they have already done in the past year and discloses a new release scheduled for later this month (5.3.0).
[[Note: This firmware has been released. See our full test of it here.]]
Key changes in this upcoming release include:
- Forcing change of the default password (an obvious step and a key risk otherwise)
- Disabling telnet access (telnet is considered quite vulnerable)
- Lockouts after 5 incorrect login attempts (helpful to stop brute force attempts)
The Impact
Hikvision's stock dropped 7.5% in the first day of trading post the full disclosure (trading was actually halted Monday). In percentages terms, that is not huge but at their size, it is a drop of more than $1 billion USD in value. On the second day, the stock price rose slightly, indicating that the market does not view this as a major risk.
Update: June 25, 2015: Less than 3 months later, Hikvision's stock price is up more than 50% since the hacking announcement, showing that the market does not really care about this.
Since Hikvision is partially owned by the Chinese government and has deep connections, we doubt that this will be a fatal issue for Hikvision domestically. On the other hand, it is clearly a black eye for Hikvision and something that was hotly discussed inside of China.
In North America and Europe, we think the impact will be more severe. Rival manufacturers have already been hammering Hikvision as being 'spamware'. This will simply confirm it. On the lower end of the market, where Hikvision is most commonly used, outside of China, we suspect most will not care strongly as information security tends not to be a priority compared to price. However, as Hikvision tries to expand into the mid and high end markets, we think this will cause significant resistance, making it easy for rivals to declare, "Sure, you can buy Hikvision for half the price but with Axis you won't get hacked."
Hikvision Integrators / Users / OEMs
If you are a Hikvision integrator, user or OEM, you better very carefully review your deployed products and absolutely ensure that everything is upgraded immediately. Hikvision firmware upgrades are available here.
After a hack of this magnitude, it is going to be extremely hard to explain how you allowed your equipment to be hacked. And Hikvision products deployed before a year ago (and not upgraded) have many very basic / simple vulnerabilities. It is hard for us to tell if the upgrades solve every possible risk, but it is obvious that the older versions are significantly risk prone.
Poll