80+ OEMs Verified Vulnerable To Hikvision Backdoor

Author: Brian Karas, Published on Sep 22, 2017

Over 80 Hikvision OEM partners, including ADI, Interlogix, LTS, and Northern Video, have been verified as having products vulnerable to the Hikvision backdoor, deployed and exploitable over the public Internet.

IPVM ran tests to verify this using public data and the signature of the backdoor. Our test results found ~40% of all vulnerable devices were from OEMs, with the remaining 60% being Hikvision's own branded products. In total, we estimate at least 250,000 devices vulnerable on the public Internet.

This vulnerability is particularly severe because it is simple to exploit and allows attackers to take over the camera by changing the admin password, view images, default the device, brick it, etc.

Demo

Our video shows how even non-technical users can simply copy and paste the backdoor string onto the end of a URL for vulnerable Hikvision and OEM partner cameras.

Top Brands Impacted

The following brands, ranked from highest to lowest, were the Top 10 most seen, making up ~30% of the total OEM units responding.

All 85 Brands Impacted

The following OEM brands, determined by associating model numbers returned in the query with specific companies, were identified in a global scan of online devices from a Shodan query.
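The counting method described above (attribute each responding device to a brand by its model number, then split the total between Hikvision's own label and its OEM partners) can be reproduced on an inventory export without touching any device. The following is an added example, not IPVM's code or data: the scan records are constructed (RFC 5737 documentation addresses), and apart from Hikvision's own "DS-" prefix every model prefix in the table is a placeholder standing in for an OEM partner's relabelled range, not a real model number. It also handles two details a tally like this needs: duplicate responses from the same host are counted once, and models that match no prefix are reported as unknown rather than silently attributed.

```python
"""Attribute scanned devices to brands by model prefix and tally the
Hikvision-vs-OEM split (added example; constructed data, placeholder prefixes)."""

from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Model-prefix to brand table. "DS-" is Hikvision's own prefix.
# Every other entry is a CONSTRUCTED placeholder, not a real OEM model number.
BRAND_BY_PREFIX: Dict[str, str] = {
    "DS-": "Hikvision",
    "OEMA-": "OEM brand A (placeholder)",
    "OEMB-": "OEM brand B (placeholder)",
    "OEMC-": "OEM brand C (placeholder)",
}

# Constructed scan records: (host, model string returned by the device).
SAMPLE_RECORDS: List[Tuple[str, str]] = [
    ("192.0.2.1", "DS-MODEL-1"),
    ("192.0.2.2", "DS-MODEL-2"),
    ("192.0.2.3", "DS-MODEL-1"),
    ("192.0.2.4", "DS-MODEL-3"),
    ("192.0.2.5", "DS-MODEL-1"),
    ("192.0.2.6", "OEMA-MODEL-1"),
    ("192.0.2.7", "OEMB-MODEL-1"),
    ("192.0.2.8", "OEMC-MODEL-1"),
    ("192.0.2.9", "UNMAPPED-MODEL"),   # model with no entry in the table
    ("192.0.2.6", "OEMA-MODEL-1"),     # same host answered twice; must count once
]


def brand_for_model(model: str) -> str:
    """Map a model string to a brand using the longest matching prefix.

    Longest match means a more specific prefix wins over a shorter one if
    the table ever contains overlapping entries. Unmatched models return
    "Unknown" so they are never mis-attributed.
    """
    normalized = model.strip().upper()
    best = ""
    for prefix in BRAND_BY_PREFIX:
        if normalized.startswith(prefix) and len(prefix) > len(best):
            best = prefix
    return BRAND_BY_PREFIX.get(best, "Unknown")


def tally(records: Iterable[Tuple[str, str]]) -> Dict[str, object]:
    """Deduplicate by host, attribute each device, and compute the split."""
    first_seen: Dict[str, str] = {}
    for host, model in records:
        first_seen.setdefault(host, model)  # keep the first response per host

    per_brand = Counter(brand_for_model(m) for m in first_seen.values())
    unknown = per_brand.get("Unknown", 0)
    attributed = sum(per_brand.values()) - unknown
    hikvision = per_brand.get("Hikvision", 0)
    oem = attributed - hikvision
    return {
        "unique_hosts": len(first_seen),
        "per_brand": dict(per_brand),
        "hikvision": hikvision,
        "oem": oem,
        "unknown": unknown,
        # Shares are computed over attributed devices only.
        "oem_share": oem / attributed if attributed else 0.0,
        "hikvision_share": hikvision / attributed if attributed else 0.0,
    }


def top_oem_brands(records: Iterable[Tuple[str, str]], n: int = 10) -> List[Tuple[str, int]]:
    """Rank OEM brands (excluding Hikvision's own label and unknowns) by count."""
    per_brand = tally(records)["per_brand"]
    oem_only = [(b, c) for b, c in per_brand.items() if b not in ("Hikvision", "Unknown")]
    return sorted(oem_only, key=lambda bc: (-bc[1], bc[0]))[:n]


if __name__ == "__main__":
    result = tally(SAMPLE_RECORDS)
    print(f"unique hosts: {result['unique_hosts']}, unknown: {result['unknown']}")
    print(f"Hikvision: {result['hikvision']} ({result['hikvision_share']:.0%}), "
          f"OEM: {result['oem']} ({result['oem_share']:.0%})")
    for brand, count in top_oem_brands(SAMPLE_RECORDS):
        print(f"  {brand}: {count}")
```

On a real export the records would come from the scan tool's own output; the prefix table is the part that takes effort, since each OEM's relabelled model range has to be mapped by hand, which is the association step the article describes.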

