80+ OEMs Verified Vulnerable To Hikvision Backdoor

Author: Brian Karas, Published on Sep 22, 2017

Over 80 Hikvision OEM partners, including ADI, Interlogix, LTS, and Northern Video, have been verified as having products vulnerable to the Hikvision backdoor, deployed and exploitable over the public Internet.

IPVM ran tests to verify this using public data and the signature of the backdoor. Our test results found ~40% of all vulnerable devices were from OEMs, with the remaining 60% being Hikvision's own branded products. In total, we estimate at least 250,000 devices vulnerable on the public Internet.

This vulnerability is particularly severe because it is simple to exploit and allows attackers to take over the camera by changing the admin password, view images, reset the device to factory defaults, brick it, etc.

Demo

Our video below shows how even non-technical users can literally just copy/paste the backdoor string onto the end of a URL to vulnerable Hikvision and OEM partner cameras:

Top Brands Impacted

The following brands, ranked from highest to lowest, were the Top 10 most seen, making up ~30% of the total OEM units responding:

All 85 Brands Impacted

The following OEM brands, determined by associating model numbers returned in the query to specific companies, were identified in a global scan of online devices from a Shodan query:
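The attribution step described above (model numbers returned by a scan, mapped to brands, then counted to get the Hikvision versus OEM split and the top OEM brands) can be reproduced with a short script. The example below is added here and is not IPVM's tooling; the scan export lines are constructed sample data in the shape of a banner-scan dump, and every prefix other than Hikvision's own DS- is a hypothetical placeholder rather than a real OEM's numbering scheme.

```python
"""Attribute scanned devices to brands by model-number prefix and summarize.

Added example, not IPVM's own code. SAMPLE_SCAN is constructed data and the
OEM prefixes in PREFIX_TO_BRAND are hypothetical placeholders.
"""
from collections import Counter

# Constructed sample scan export (not real results): "ip<TAB>model<TAB>firmware".
# Hikvision's own cameras use DS-... model numbers; the OEMA-/OEMB- prefixes
# are invented for illustration. One IP is repeated to exercise de-duplication.
SAMPLE_SCAN = """\
203.0.113.10\tDS-2CD2032-I\tV5.2.0
203.0.113.11\tDS-2CD2142FWD-I\tV5.4.0
203.0.113.12\tOEMA-4MP-DOME\tV5.3.0
203.0.113.13\tOEMB-2032\tV5.2.5
203.0.113.10\tDS-2CD2032-I\tV5.2.0
198.51.100.7\tDS-7608NI-E2\tV3.4.0
198.51.100.8\tOEMA-2MP-BULLET\tV5.2.0
198.51.100.9\tZZ-UNKNOWN\tV1.0.0
"""

# Hypothetical prefix-to-brand table. In practice this is assembled by hand
# from vendor catalogues; only the DS- entry reflects a real vendor prefix.
PREFIX_TO_BRAND = {
    "DS-": "Hikvision",
    "OEMA-": "OEM Brand A (hypothetical)",
    "OEMB-": "OEM Brand B (hypothetical)",
}


def parse_scan(text):
    """Parse export lines into (ip, model, firmware) tuples, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, model, firmware = line.split("\t")
        records.append((ip.strip(), model.strip().upper(), firmware.strip()))
    return records


def attribute_brand(model):
    """Map a model number to a brand by its longest matching prefix."""
    for prefix in sorted(PREFIX_TO_BRAND, key=len, reverse=True):
        if model.startswith(prefix):
            return PREFIX_TO_BRAND[prefix]
    return "Unknown"


def summarize(records):
    """Count unique devices per brand and compute the Hikvision vs OEM split.

    Devices are de-duplicated by IP so a host seen twice counts once. Models
    that match no known prefix are reported as Unknown and excluded from the
    percentage base, since they cannot be attributed to either side.
    """
    seen = {}
    for ip, model, firmware in records:
        seen.setdefault(ip, (model, firmware))
    brands = Counter(attribute_brand(model) for model, _ in seen.values())
    total = sum(brands.values())
    attributed = total - brands.get("Unknown", 0)
    hik = brands.get("Hikvision", 0)
    oem = attributed - hik
    pct = lambda n: round(100.0 * n / attributed, 1) if attributed else 0.0
    return {
        "devices": total,
        "attributed": attributed,
        "hikvision": hik,
        "oem": oem,
        "hikvision_pct": pct(hik),
        "oem_pct": pct(oem),
        "by_brand": dict(brands),
    }


def top_oem_brands(summary, n=10):
    """Rank OEM brands (excluding Hikvision and Unknown) with their share of OEM units."""
    oem_counts = {b: c for b, c in summary["by_brand"].items()
                  if b not in ("Hikvision", "Unknown")}
    ranked = sorted(oem_counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]
    oem_total = summary["oem"] or 1
    return [(brand, count, round(100.0 * count / oem_total, 1)) for brand, count in ranked]


if __name__ == "__main__":
    result = summarize(parse_scan(SAMPLE_SCAN))
    print(f"{result['devices']} devices, {result['attributed']} attributed: "
          f"Hikvision {result['hikvision_pct']}%, OEM {result['oem_pct']}%")
    for brand, count, share in top_oem_brands(result):
        print(f"  {brand}: {count} ({share}% of OEM units)")
```

Scanning is left out deliberately: the script works from an export you already hold, so it can be run against a saved Shodan result without touching any device. The Unknown bucket matters in practice because a model number with no catalogue match is the usual sign of an OEM you have not yet identified, not a non-Hikvision device.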

