80+ OEMs Verified Vulnerable To Hikvision Backdoor

By Brian Karas, Published on Sep 22, 2017

Over 80 Hikvision OEM partners, including ADI, Interlogix, LTS, and Northern Video, have been verified as having products vulnerable to the Hikvision backdoor, deployed and exploitable over the public Internet.

IPVM ran tests to verify this using public data and the signature of the backdoor. Our test results found ~40% of all vulnerable devices were from OEMs, with the balance 60% being Hikvision own's branded products. In total, we estimate at least 250,000 devices vulnerable on the public Internet.

This vulnerability is particularly severe because it is simple to exploit and allows attackers to take over the camera by changing the admin password, view images, default the device, brick it, etc.

Demo

Our video below shows how even non-technical users can literally just copy/paste the backdoor string on to the end of a URL to vulnerable Hikvision and OEM partner cameras:

Top Brands Impacted

The following brands, ranked from highest to lowest, were the Top 10 most seen, making up ~30% of the total OEM units responding:

All 85 Brands Impacted

The following OEM brands, determined by associating model numbers returned in the query to specific companies, were identified in a global scan of online devices from a Shodan query:

  • *******
  • ****
  • *******
  • *********
  • *******
  • *****
  • *****
  • ******
  • ******** ***** *********
  • *****
  • *********
  • *****
  • **** **********
  • ****
  • ****** ********
  • ** ********
  • ***** ********
  • ***
  • ********
  • *******
  • *********
  • ******* ********
  • **********
  • *****
  • ***
  • ******
  • ***********
  • **** *****
  • ***** ****
  • *****
  • *******
  • *****
  • *******
  • *********
  • ** ******
  • **** ****
  • *******
  • *****
  • **********
  • *****
  • ******
  • ******
  • **&*
  • ******
  • ***** (***** ******** **** current *********)
  • ***
  • ***
  • *****
  • ******
  • ****
  • *****’* ********
  • *********
  • *******
  • ***** **********
  • *******
  • ***
  • ******
  • **** *******
  • ****** **
  • *******
  • ********* ***
  • *** ******
  • **********
  • ***
  • ******
  • *********
  • ********
  • ****** *********
  • ********
  • ***** **********
  • *****
  • ******
  • ********
  • ****
  • *******
  • *******
  • ******
  • ***** *******
  • ************
  • *-***
  • ******* ***** **********
  • *****
  • *******
  • ***

OEMs ***** ********* ******** *****

******* ** *** ***** show **** **** ******** consists ********* ** ******** differences ** ********** ** product ************** *******, *** the **** ********, *** weaknesses ****** **, *** shared ****** *** ******.

**** ****, **** ** Interlogix, **** ******* **** they *** ********** ***** security ******** ** *****, and ***** **** *** be **** ** **** cases, ** **** *** mean **** **** **** eliminated *** *************** ******** in *********'* ******** ********.

OEM ********* ********* ****

**********, ********* ***** ********* OEM ****** **** * greater **** **** ********* using *********-******* *********. **** is ********* *** ** the ********* *******:

  • *********'* **** ************** ****** vulnerabilities, ********* "******* *********" only ***** ********* *** made ****** ** **** or ********* (********* ***** **** *** Security ****** *** **** Bad *****)
  • **** *** ********* ****** to **** ******** *******/******* on ***** ***, *** must **** *** ********* to ******* ******* ******** to ****.
  • *** ***-***** **** ****** not ***** ***** ******** are ******** **** ** Hikvision, **** **** ** not **** ** *************** for "***-***", **** ****** "ABC-Cam" ** ****** **** a ********* **** **** a ****** ***** ******.

Updated ******** ***** *** *********

**** ** *** ******** OEMs **** ***** *** released ******* ********. *** example, *********** **-************* ******** ** ~**% of *** ******* *** TrendNet, **** ******* ****** reporting *** **.*.* ***** that ***** ** *** latest ********* ******** ** TrendNet's *******, ******** ** August ****, ****** ***** Hikvision ******** ***** *** fixed ********. **** ********* that *** ****** ******** from **** *** *** Hikvision's *** ******** *************, leaving **** *** ***** customers ********** *** * longer ****** ** ****.

Firmware ******** ********

** ********* ***** ***** for *** ******** *****, the ******** ****** ******** versions **** * **** old. ***** **** ** these ***** *** ************, and *** *** **** updates *********, **** **** available ******* ****** *** not ********.

Methodology ****

****'* ******* *********** ********* of:

  • ****** ** **,*** ******* from ******* ***** *** ********* cameras
  • ***** **** ****** *** device **** ***** ******** exploit (*.*.: ****** **** from *** ********* **** Demo ****** [**** ** longer *********]) ** ****** vulnerability
  • *** ***** ******* ******** to ******** ********* ****** (e.g.: **-* = *********, TV-IP* = ********, **-* = *-***, ***.)
  • ******* **** ** ****** brands
  • ******* ****** ** *********** of **** ***** ** total ******* ** ********* most ******

What ** ** ** **** ***** ** ** *** ****

[******] - **** ******* was ****** ***** ******* publication, ***** ** * comment **** "*********** **********#*" to ******* **** *** impacted ********* ******* ****** be **** ***********, *** ultimately **** ** ** removed ***** ******** ** a *******.

** ********* *** ******* your ******** ** ********* if **** **** ** in **** * ********* OEM (** **** ** these ****** ****** ******* over ****, ** ****** from ******** ****). ** you ** **** * Hikvision *******, *** **** reliable ******** ***** ** to ******* ** **** a **** ****** *******. Barring ****, *********** ******* access ** *** ******, and ******* ****** ** to * ********* **** that ** ***** *****, non-security ****, *** ****** will ****** *** ******* of **********.

**** *** ** ******** to ******** ****** *************, as **** ***** *** to ******* ** **** such *********** **** **** their *** *********. *** can **** **** **** device ** *** ** it ** ********** ** pasting *** ****** "****://*************:****/*****-****/********?****=************" into * *******, ********* "youripaddress" **** *** ******'* LAN ** ** *** are ******* **********, ** with *** *** ** or ******** ** ******* externally.

Comments (30)

Great Work, thanks Brian for your research!

This is great.  I'd love to see this list for Dahua as well.  

How ironic is it that TrendNet is the most widely vulnerable Hikvision OEM in this study?

Recall - FTC Approves Final Order Settling Charges Against TRENDnet, Inc., money quote:

In fact, the cameras had faulty software that left them open to online viewing, and in some instances listening, by anyone with the cameras’ Internet address.

But without this bug, how can we be sure the unit is really a Hik? ;)

In this case you have to wait for the next exploit to be published to be 100% sure  :-)

Simple task!

Most of the cases you could use the three first octets in the MAC address to determine the origin, most OEM's don't change this, so it's still Hikvisions.

You can find plenty of MAC / OUI sites if you asking Ms. Google nicely.

One randomly selected here: https://aruljohn.com/mac.pl

 [EDIT]

https://aruljohn.com/mac/vendor/Hikvision

And compare with the three first octets in your device MAC address.

 

 

In all seriousness, you can try the same URLs, and should get a login popup instead of the camera just giving up its details for free.  If you try the URL and get a 404, it is most likely not a Hikvision camera.

 

Additionally, and especially if you cannot get a definitive response from your supplier, we recommend ensuring that none of those IP cameras are publicly accessible and that those IP cameras are on their own dedicated VLAN that no other local, non-security user, can access.

Pardon me but I recall this solution was deemed 'un-useful' in yesterday's story line and agreed with by IPVM, regarding the CEO of Genetec and his personal opinions. Does IPVM agree with what was published yesterday or today? I consider this a 'waffle', being a casual reader, that this story line is repeated over and over when ever Hikvision can be injected into a headline. Why not rename your site 'hikvision news by IPVM' as this is at the least 50% of your material? You might get more subscribers as hikvision is liked by so many more dealers than dis-liked.

Most industry followers know that hikvision makes the  cameras for 100+ OEMs and it does not take a rocket scientist to figure if one firmware has an issue others could quite possibly follow suite that are manufactured by the same company, this in itself is not 'news'.

 

The best recommendation if you have any concerns for network security would be to simply remove these Hikvsion/OEM cameras, destroy them, and purchase something more secure. That is the only way you can be sure you are not exposed to Hikvision's security flaws, by removing them from your network entirely.

Pardon me but I recall this solution was deemed 'un-useful' in yesterday's story line 

I think you need to re-read that post and take a minute to think it through more thoroughly. Also, the 'opinions' of Genetec's CEO in regards to insider threat risk are widely held by many information security professionals.

VLANs can help reduce threats posed by placing untrustworthy devices, like Hikvision cameras, on a network, but they do not eliminate it, and should not be considered sufficient protection, nor should firewalls.

Thank you for asking for this clarification, I have updated the conclusion to directly address the fact that these units should really be removed from service entirely for best security.

So all IP Cameras are good to go with the exception of Hikvison per your recommendation? I must ask, have you fallen or bumped your head lately? 

You are clearly highly biased towards Hikvision and refuse to evaluate Hikvision's multiple ongoing security vulnerabilities accurately. I did not say "all IP cameras are good to go", however there are a number of choices that offer significantly better track records than Hikvision, and if you are concerned about overall security then you would use these alternatives.

If you want to make a valid, reasoned argument, or put up some statistics (similar to how I did here) regarding Hikvision vs. other manufacturers, you are welcome to do so. But if you are going to entirely miss the point of these reports there is little reason to respond to your poor attempts to spin what is clearly laid out here.

If you isolate weak devices on a segmented network you simply remove the "oops my gear was caught on shodan" effect.  you do not remove the vulnerability.  Anything else on that network can still attack the device.  (And it's your SECURITY NETWORK - "who would think to look there?")

Isolating weak devices does mitigate this but you're still carrying around the risk.  Do you really want to explain to your CEO that you're one of the "risk creators" they have to worry about accepting the risk for?

I’m just here to see what Marty thinks about all this.

I’m just here to see what Marty thinks about all this.

I prefer responding to Marty when he posts undisclosed.  

That way its not personal.

Marty helped me real my addiction to the Avigilon stock blog for entertainment so I am indebted to him.   

Well, well thank you for the recognition. What do I think? I think it is absurd to say that ANY IP camera Hik-Dahua-Samsung-Cannon or anyone else that is made is any more vulnerable than any other. ANY camera can and could be manipulated by a human from the middle and be an issue so blaming the wonderful folks over at Hikvision is what it is, a hit grabber headline of desperation. It not Hikvisions fault that ethernet networks are designed as they are or anyones elses fault. Why dont you concede that it takes a human (A person) with malicious intent to make that Hikvision product do anything because it won't happen without actions of another and that another is not the  Hikvision camera.This is the same bullshit with the folks that hate guns, (takes a person to fire it). If you hate misspelled words the answer is to rid the world of pencils, right? or would it be best to just get rid of type "a" pencils? Same thing this is a headline grabber folks, dismiss it it as fodder.

Thats all I have to say about this so dont ask.

Instead of pencils, can we get rid of your keyboard?

Keyboards don't type crazy, crazy types crazy.

Can you show your cards and stop hiding behind UM 5? Can't take the heat? Scared someone will find out your true colors? What are you scared of? Make unhelpful, unprofessional, childish comments time and time again while hiding behind UM. At least I can face my detractors, have an open conversation and agree to disagree with anyone without disrespect, what about you?

 

can we get rid of your keyboard?

To #UM5, I disagree. I would encourage Marty to continue. Marty making statement that no camera is more vulnerable than others right after the details of Hikvision's backdoor disclosed is a benefit for others to hear. Why? Because it shows how hopelessly biased or uninformed about cybersecurity he is to say something like that in light of how simple and dangerous the Hikvision backdoor is.

At least I can face my detractors, have an open conversation

Be fair, Marty, you use undisclosed many times as well.

 

Marty, no, no and no.

In RECENT history, people have been able to EXPLOIT cyber security VULNERABILITES in Hik cams more often than other camera makes. This isn't FAKE NEWS.

And who really hates guns? 

If you run secure connections between your camera and the VMS there isn't an immediate "man in the middle" attack.  That's why we keep telling people to run properly deployed TLS.  And yes this applies to everything not just this week's IPVM-outed camera exploit.

I don't understand all the Hikvision fans coming to defend an exploit that is so elementary once discovered. Other exploits that are found in other cameras, even if they are bad, are often very difficult to implement by anyone with a computer and simple knowledge of how to use one. I would say that this is the sole reason why I prefer buying Hikvision as opposed to through OEM. The delay or sometimes non-existence of a firmware patch is always troubling.

This is also the same reason I have never liked Digital Watchdog being able to distribute Network Optix software. When there are bug fixes it can take months to actually be released by DW. If those fixes were security related, it becomes a big deal. Thankfully, as I have mentioned in the past, I like the fact that Network Optix has been able to support us when we have had serious issues.

I still continue to use and install Hikvision cameras, but they never publicly face the internet and they are generally on a secure VLAN. The cloud services are always disabled. 

I will say that I can't stand any manufacturer enabling cloud services by default. I just checked one of my personal Hikvision cameras that was having issues. I updated the firmware and the platform access that was disabled was found enabled again.

It be amazing if one day those that do like Hikvision would actually see AND agree that Hikvision's take on security needs significant attention and that they need to find a way to make sure OEM's have updated firmware available and that those OEM's properly alert everyone of the exploits.

I agree strongly with the OEM vs direct statement.  While I would personally never buy Hikvision direct or indirect I would think it is better to always buy from the source rather than someone who sticks their sticker on and claims to have developed the product.  The OEM will always have dated information and lag behind on firmware, assuming that company stays in business to even issue updates down the road.  I would wager many of these OEMs don't have the resources to deal with any type of significant fallout in terms of support resources.  While there are certainly some who could weather a storm is the $10/camera savings worth the effort of vetting them out?

 

Historical example: Laptop video cards using Nvidia or ATI used to be the same - The various OEM brands would have to pay for driver updates.  The OEM would frequently (almost never) fail to do so and the video card would underperform or become incompatible with new applications as a result.  Very rarely these prompted system vulnerabilities to never be remedied.  This didn't relent until people started hacking their own drivers from the desktop versions, usually via laptopvideo2go.com, and laptops became ubiquitous.

They talk trough their wallets. Clearly some of these have their futures relying on Hikvision and for that reason they will come up with the most ridiculous outbursts of loyalty to the Chinese State owned brand. Don't forget that these defenders of the shaky products have to deal with a seemingly large client base as well. A client base that bought all those products in good faith, or in some cases I can imagine were bullied in to buying it by very overpowering statements about the good Chinese people and their wonderful products. Imagine the if they find out that they paid a premium price for a very poor product when it comes to cyber security or integrity. Remember that some advocates, or actually one in particular, stated that he quotes his Hik solutions just below the competitors much more expensive solution to maximize his margin and profits?

he quotes his Hik solutions just below the competitors much more expensive solution to maximize his margin and profits

Background: Always Choose HIKVISION.

In fairness, though, #10, you are from the Hikvision competitor that Calhoun referenced in that post with that technique.

On the other hand, I do agree that the problem that many long-time Hikvision integrators are now in. If they go back and say "hey US military, I sold you these great low cost cameras that now turn out to have a backdoor in it and was manufactured by a subsidiary of the Chinese government", they risk a variety of scary problems.

What do you mean 'in fairness' John? How is that relevant 'in fairness'? He stated he does that in every scenario he comes across no matter what the other manufacturer is many times over. My comment above isn't simply based on that one time mention in that particular post,that would be a little shall we say 'narrow minded' would'nt it?

I'm not an integrator or installer, but have helped some friends get a camera or two up around the lake in years past. Getting calls for cameras not working...

 

I'd hate to be a company that has been putting these in non-stop for 4-5 years.

The sad news is that those companies that have been selling open equipment for 4-5 years will likely not be around in 4-5 more years to sell plug and play boxes if this continues.  As professionals we should bring more to the industry than being able to make long patch cables and slap a turret cam on the ceiling

Arlo and Ring type wifi devices will soon enough eradicate those who simply pull 100ft patch cables and anchor a one size fits all camera to a wall.

Read this IPVM report for free.

This article is part of IPVM's 6,593 reports, 889 tests and is only available to members. To get a one-time preview of our work, enter your work email to access the full article.

Already a member? Login here | Join now

Related Reports

Verkada Access Control Tested on Sep 09, 2020
Verkada raised $80 million earlier in 2020, expanding from video into access...
Beware Rigged China Fever Cameras on Sep 08, 2020
Many China fever camera manufacturers have rigged algorithms dynamically...
NDAA Compliant Video Surveillance Whitelist on Aug 10, 2020
This report aggregates video surveillance products that manufacturers have...
Access Control and Video Integration Statistics 2020 on Oct 08, 2020
Video Surveillance and Access Control are two of the most common security...
Remote Network Access for Video Surveillance Guide on Jul 27, 2020
Remotely accessing surveillance systems is key in 2020, with more and more...
CDW Sells School District 36 Low-Res, No Blackbody Hikvision Fever Cameras With Federal Funds on Oct 01, 2020
Mega IT distributor CDW sold low-resolution Hikvision fever cameras with no...
Risks Of Managing End User Passwords (Statistics) 2020 on Sep 11, 2020
Alarmingly, most integrators used spreadsheets to manage passwords, IPVM...
Hikvision Impossible 30 People Simultaneously Fever Claim Dupes Baldwin Alabama on Sep 01, 2020
The Alabama school district which spent $1 million on Hikvision fever cameras...
Ubiquiti Access Control Tested on Oct 21, 2020
Ubiquiti has become one of the most widely used wireless and switch providers...
Sunell is The First China Manufacturer to Market NDAA Compliance on Jul 30, 2020
Most China manufacturers are going to be impacted by the NDAA 'Blacklist...
FLIR Markets Windows Temperature Screening, Violates IEC And Causes Performance Problems on Jul 17, 2020
FLIR, one of the largest thermal screening manufacturers, is marketing...
Dangerous Hikvision Fever Screening Marketing In Africa on Sep 15, 2020
A multi-national African Hikvision distributor is marketing dangerously...
Nanchang, China "Sharp Eyes" Video Surveillance Project on Oct 05, 2020
China's Sharp Eyes project mandated 100% surveillance coverage of public...
ButterflyMX Raises $35 Million on Sep 30, 2020
Startup ButterflyMX has raised $35 million for its smartphone based intercom...
Favorite Access Control Credentials 2020 on Sep 15, 2020
Credential choice is more debated than ever, with hacking risk for 125kHz and...

Recent Reports

ISC Brasil Digital Experience 2020 Report on Oct 23, 2020
ISC Brasil 2020 rebranded itself to ISC Digital Experience and, like its...
Top Video Surveillance Service Call Problems 2020 on Oct 23, 2020
3 primary and 4 secondary issues stood out as causing the most problems when...
GDPR Impact On Temperature / Fever Screening Explained on Oct 22, 2020
What impact does GDPR have on temperature screening? Do you risk a GDPR fine...
Security And Safety Things (S&ST) Tested on Oct 22, 2020
S&ST, a Bosch spinout, is spending tens of millions of dollars aiming to...
Nokia Fever Screening Claims To "Advance Fight Against COVID-19" on Oct 22, 2020
First IBM, then briefly Clorox, and now Nokia becomes the latest Fortune 500...
Deceptive Meridian Temperature Tablets Endanger Public Safety on Oct 21, 2020
IPVM's testing of and investigation into Meridian Kiosk's temperature...
Honeywell 30 Series and Vivotek NVRs Tested on Oct 21, 2020
The NDAA ban has driven many users to look for low-cost NVRs not made by...
Ubiquiti Access Control Tested on Oct 21, 2020
Ubiquiti has become one of the most widely used wireless and switch providers...
Avigilon Aggressive Trade-In Program Takes Aim At Competitors on Oct 20, 2020
Avigilon has launched one of the most aggressive trade-in programs the video...
Mexico Video Surveillance Market Overview 2020 on Oct 20, 2020
Despite being neighbors, there are key differences between the U.S. and...
Dahua Revenue Grows But Profits Down, Cause Unclear on Oct 20, 2020
While Dahua's overall revenue was up more than 12% in Q3 2020, a significant...
Illegal Hikvision Fever Screening Touted In Australia, Government Investigating, Temperature References Deleted on Oct 20, 2020
The Australian government told IPVM that they are investigating a Hikvision...
Panasonic Presents i-PRO Cameras and Video Analytics on Oct 19, 2020
Panasonic i-PRO presented its X-Series cameras and AI video analytics at the...
Augmented Reality (AR) Cameras From Hikvision and Dahua Examined on Oct 19, 2020
Hikvision, Dahua, and other China companies are marketing augmented reality...
18 TB Video Surveillance Drives (WD and Seagate) on Oct 19, 2020
Both Seagate and Western Digital recently announced 18TB hard drives...