80+ OEMs Verified Vulnerable To Hikvision Backdoor

Author: Brian Karas, Published on Sep 22, 2017

Over 80 Hikvision OEM partners, including ADI, Interlogix, LTS, and Northern Video, have been verified as having products vulnerable to the Hikvision backdoor, with those products deployed on, and exploitable over, the public Internet.

IPVM ran tests to verify this using public scan data and the signature of the backdoor. Our test results found ~40% of all vulnerable devices were OEM-branded, with the remaining 60% being Hikvision's own branded products. In total, we estimate at least 250,000 devices vulnerable on the public Internet.

This vulnerability is particularly severe because it is simple to exploit and allows attackers to take over the camera: change the admin password, view images, factory-default the device, brick it, and so on.

Demo

Our video shows how even non-technical users can copy and paste the backdoor string onto the end of a URL for vulnerable Hikvision and OEM partner cameras:

Top Brands Impacted

The following brands, ranked by the number of devices seen from most to fewest, were the Top 10, making up ~30% of the total OEM units responding:

All 85 Brands Impacted

The following OEM brands, determined by associating model numbers returned in the query to specific companies, were identified in a global scan of online devices from a Shodan query:
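The attribution step described above (mapping the model number each device returns to the company that sells it, then tallying Hikvision-branded against OEM-branded units as in the 60%/40% split reported earlier) can be reproduced offline. The code below is an added example, not IPVM's own tooling. It assumes ISAPI-style `DeviceInfo` XML as the scan response and uses an assumed prefix table: `DS-2` and `DS-7` are Hikvision's own camera and recorder series, while the `LTS-` and `NV-` prefixes are placeholders for demonstration, not real OEM part numbers. The sample responses are constructed.

```python
# Added example (not IPVM's code): brand attribution by model-number prefix,
# applied to constructed ISAPI-style DeviceInfo responses.
import xml.etree.ElementTree as ET
from collections import Counter

# ASSUMPTION: illustrative prefix table. "DS-2"/"DS-7" are Hikvision's own
# series; the OEM prefixes below are placeholders, not real part numbers.
PREFIX_TO_BRAND = {
    "DS-2": "Hikvision",
    "DS-7": "Hikvision",
    "LTS-": "LTS",             # hypothetical OEM prefix
    "NV-": "Northern Video",   # hypothetical OEM prefix
}

# Longest prefix first, so a more specific entry is never shadowed by a
# shorter one that happens to share its leading characters.
_PREFIXES = sorted(PREFIX_TO_BRAND, key=len, reverse=True)


def extract_model(device_info_xml):
    """Return the upper-cased <model> text from a DeviceInfo document,
    or None if the response is not parseable XML or carries no model."""
    try:
        root = ET.fromstring(device_info_xml)
    except ET.ParseError:
        return None
    node = root.find("{*}model")  # namespace-agnostic match (Python 3.8+)
    if node is None or not node.text:
        return None
    return node.text.strip().upper()


def classify(model):
    """Map a model string to a brand via longest matching prefix."""
    if not model:
        return "Unknown"
    for prefix in _PREFIXES:
        if model.startswith(prefix):
            return PREFIX_TO_BRAND[prefix]
    return "Unknown"


def tally(device_info_docs):
    """Count devices per brand and compute the Hikvision vs OEM split.
    Unattributed devices are reported separately and excluded from the
    shares so they do not silently inflate either side."""
    counts = Counter(classify(extract_model(doc)) for doc in device_info_docs)
    attributed = sum(n for brand, n in counts.items() if brand != "Unknown")
    hik = counts.get("Hikvision", 0)
    return {
        "by_brand": dict(counts),
        "attributed": attributed,
        "hikvision_share": hik / attributed if attributed else 0.0,
        "oem_share": (attributed - hik) / attributed if attributed else 0.0,
    }


def _device_info(model):
    """Build one constructed DeviceInfo document for the sample set."""
    return (
        '<DeviceInfo version="1.0" xmlns="http://www.hikvision.com/ver20/XMLSchema">'
        f"<deviceName>cam</deviceName><model>{model}</model></DeviceInfo>"
    )


# Constructed sample scan results: 6 Hikvision, 3 LTS, 1 Northern Video,
# one model outside the table, one non-ISAPI page, one truncated response.
SAMPLE_RESPONSES = [
    _device_info(m) for m in [
        "DS-2CD2032-I", "DS-2CD2142FWD-I", "DS-2DE4220IW-D", "ds-2cd2t42wd-i5",
        "DS-7608NI-E2", "DS-7204HGHI-SH",
        "LTS-CMIP3032", "LTS-CMIP7422", "LTS-LTN8704",
        "NV-CAM1080", "XYZ-100",
    ]
] + ["<html>502 Bad Gateway</html>", "<DeviceInfo><model>DS-2"]


if __name__ == "__main__":
    result = tally(SAMPLE_RESPONSES)
    for brand, n in sorted(result["by_brand"].items(), key=lambda kv: -kv[1]):
        print(f"{brand:15s} {n}")
    print(f"Hikvision share of attributed devices: {result['hikvision_share']:.0%}")
    print(f"OEM share of attributed devices:       {result['oem_share']:.0%}")
```

Prefix matching is only as good as the prefix table: OEMs that relabel with their own part-numbering scheme need their own entries, and any device whose model does not match is reported under "Unknown" rather than guessed, so the Hikvision/OEM percentages are computed over attributed devices only.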

