80+ OEMs Verified Vulnerable To Hikvision Backdoor

By: Brian Karas, Published on Sep 22, 2017

Over 80 Hikvision OEM partners, including ADI, Interlogix, LTS, and Northern Video, have been verified as having products vulnerable to the Hikvision backdoor, deployed and exploitable over the public Internet.

IPVM ran tests to verify this using public data and the signature of the backdoor. Our tests found that ~40% of all vulnerable devices were from OEMs, with the remaining 60% being Hikvision's own branded products. In total, we estimate that at least 250,000 vulnerable devices are on the public Internet.

This vulnerability is particularly severe because it is simple to exploit and allows attackers to take over the camera by changing the admin password, view images, default the device, brick it, etc.

Demo

Our video below shows how even non-technical users can literally just copy/paste the backdoor string onto the end of a URL for vulnerable Hikvision and OEM partner cameras:

Top Brands Impacted

The following brands, ranked from highest to lowest, were the Top 10 most seen, making up ~30% of the total OEM units responding:

All 85 Brands Impacted

The following OEM brands, determined by associating model numbers returned in the query with specific companies, were identified in a global scan of online devices from a Shodan query.

OEMs ***** ********* ******** *****

******* ** *** ***** show **** **** ******** consists ********* ** ******** differences ** ********** ** product ************** *******, *** the **** ********, *** weaknesses ****** **, *** shared ****** *** ******.

**** ****, **** ** Interlogix, **** ******* **** they *** ********** ***** security ******** ** *****, and ***** **** *** be **** ** **** cases, ** **** *** mean **** **** **** eliminated *** *************** ******** in *********'* ******** ********.

OEM ********* ********* ****

**********, ********* ***** ********* OEM ****** **** * ******* risk than ********* ***** *********-******* equipment. **** ** ********* due ** *** ********* reasons:

  • *********'* **** ************** ****** vulnerabilities, releasing "******* *********" **** after ********* *** **** public ** **** ** elsewhere (********* ***** **** *** Security ****** *** **** Bad *****)
  • **** *** ********* ****** to **** ******** *******/******* on ***** ***, *** must **** *** ********* to ******* ******* ******** to ****.
  • *** ***-***** **** ****** not ***** ***** ******** are actually made ** *********, **** they ** *** **** of *************** *** "***-***", even ****** "***-***" ** really **** * ********* unit **** * ****** model ******.

Updated ******** ***** *** *********

**** ** *** ******** OEMs **** ***** *** released ******* ********. *** example, *** ******** **-******* ****** ******** ** ~**% of *** ******* *** TrendNet, **** ******* ****** reporting *** **.*.* ***** that ***** ** *** latest ********* ******** ** TrendNet's *******, ******** ** August ****, ****** ***** Hikvision ******** ***** *** fixed ********. **** ********* that *** ****** ******** from **** *** *** Hikvision's *** ******** *************, leaving **** *** ***** customers ********** *** * longer ****** ** ****.

Firmware ******** ********

** ********* ***** ***** for *** ******** *****, the ******** ****** ******** versions **** * **** old. ***** **** ** these ***** *** ************, and *** *** **** updates *********, **** **** available ******* ****** *** not ********.

Methodology ****

****'* ******* *********** ********* of:

  • ****** ** **,*** ******* from****** ***** *** ********* cameras
  • ***** **** ****** *** device **** ***** ******** exploit (*.*.: ****** **** **** our ********* **** **** Camera [**** ** ****** available]) ** ****** *************
  • *** ***** ******* ******** to ******** ********* ****** (e.g.: **-* = *********, TV-IP* = ********, **-* = *-***, ***.)
  • ******* **** ** ****** brands
  • ******* ****** ** *********** of **** ***** ** total ******* ** ********* most ******

What ** ** ** **** ***** ** ** *** ****

[******] - **** ******* was ****** ***** ******* publication, ***** ** * comment **** "*********** **********#*" to ******* **** *** impacted ********* ******* ****** be made trustworthy, *** ********** **** to ** ******* ***** security ** * *******. 

** ********* *** ******* your ******** ** ********* if **** **** ** in **** * ********* OEM (** **** ** these ****** ****** ******* over ****, ** ****** from ******** ****). ** you ** **** * Hikvision *******, *** **** reliable ******** ***** ** to ******* ** **** a **** ****** *******. Barring ****, *********** ******* access ** *** ******, and ******* ****** ** to * ********* **** that ** ***** *****, non-security ****, *** ****** will ****** *** ******* of **********.

**** *** ** ******** to ******** ****** *************, as **** ***** *** to ******* ** **** such *********** **** **** their *** *********. *** can **** **** **** device ** *** ** it ** ********** ** pasting *** ****** "****://*************:****/*****-****/********?****=************" into * *******, ********* "youripaddress" **** *** ******'* LAN ** ** *** are ******* **********, ** with *** *** ** or ******** ** ******* externally.

 

Comments (30)

Great Work, thanks Brian for your research!

This is great.  I'd love to see this list for Dahua as well.  

How ironic is it that TrendNet is the most widely vulnerable Hikvision OEM in this study?

Recall - FTC Approves Final Order Settling Charges Against TRENDnet, Inc., money quote:

In fact, the cameras had faulty software that left them open to online viewing, and in some instances listening, by anyone with the cameras’ Internet address.

But without this bug, how can we be sure the unit is really a Hik? ;)

In this case you have to wait for the next exploit to be published to be 100% sure  :-)

Simple task!

In most of the cases you could use the three first octets in the MAC address to determine the origin; most OEMs don't change this, so it's still Hikvision's.

You can find plenty of MAC / OUI sites if you ask Ms. Google nicely.

One randomly selected here: https://aruljohn.com/mac.pl

 [EDIT]

https://aruljohn.com/mac/vendor/Hikvision

And compare with the three first octets in your device MAC address.
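The OUI comparison described in the comment above can be run over a whole camera VLAN at once. The following is an added example, not part of the original comment or IPVM's report: it parses a registry excerpt in the IEEE `oui.txt` layout and classifies each entry of an `ip neigh` listing. The registry rows, the neighbor table and all function names are constructed for illustration; load the full registry for real use.

```python
import re

# Constructed excerpt in the layout of the IEEE oui.txt registry file.
SAMPLE_REGISTRY = (
    "44-19-B6   (hex)\t\tHangzhou Hikvision Digital Technology Co.,Ltd.\n"
    "00-00-5E   (hex)\t\tICANN, IANA Department\n"
)

# Constructed `ip neigh` output for a camera VLAN (all addresses made up).
SAMPLE_NEIGH = """\
192.168.50.11 dev eth1 lladdr 44:19:b6:12:34:56 REACHABLE
192.168.50.12 dev eth1 lladdr 00:00:5e:00:53:01 STALE
192.168.50.13 dev eth1 lladdr 4a:19:b6:12:34:56 REACHABLE
192.168.50.14 dev eth1  FAILED
192.168.50.15 dev eth1 lladdr 0c:ab:cd:00:00:01 REACHABLE
"""

REG_LINE = re.compile(r"^((?:[0-9A-Fa-f]{2}-){2}[0-9A-Fa-f]{2})\s+\(hex\)\s+(.+)$")
NEIGH_LINE = re.compile(r"^(\S+)\s+dev\s+\S+\s+lladdr\s+(\S+)")


def parse_registry(text):
    """Map 6-hex-digit OUI prefixes to the registered organisation name."""
    registry = {}
    for line in text.splitlines():
        m = REG_LINE.match(line.strip())
        if m:
            registry[m.group(1).replace("-", "").upper()] = m.group(2).strip()
    return registry


def normalize_mac(mac):
    """Accept aa:bb.., aa-bb.. or aabb.ccdd.eeff; return 12 hex digits or None."""
    digits = re.sub(r"[:.\-]", "", mac)
    return digits.upper() if re.fullmatch(r"[0-9A-Fa-f]{12}", digits) else None


def is_locally_administered(mac12):
    """Bit 0x02 of the first octet marks a MAC that is not registry-assigned."""
    return bool(int(mac12[:2], 16) & 0x02)


def classify(neigh_text, registry, keyword):
    """Return (ip, verdict, organisation) for every neighbor with a MAC.

    verdict is 'match' (OUI registered to keyword), 'other' (registered to
    someone else), 'unknown' (OUI not in the registry supplied) or
    'randomized' (locally administered, so the prefix says nothing).
    """
    rows = []
    for line in neigh_text.splitlines():
        m = NEIGH_LINE.match(line)
        mac = normalize_mac(m.group(2)) if m else None
        if mac is None:
            continue  # FAILED/INCOMPLETE entries carry no MAC address
        org = None
        if is_locally_administered(mac):
            verdict = "randomized"
        else:
            org = registry.get(mac[:6])
            if org is None:
                verdict = "unknown"
            elif keyword.lower() in org.lower():
                verdict = "match"
            else:
                verdict = "other"
        rows.append((m.group(1), verdict, org))
    return rows


if __name__ == "__main__":
    for ip, verdict, org in classify(SAMPLE_NEIGH, parse_registry(SAMPLE_REGISTRY), "hikvision"):
        print(f"{ip:15} {verdict:10} {org or '-'}")
```

An OUI match is a hint about the manufacturer, not proof, and an `unknown` or `randomized` result says nothing either way.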

 

 

In all seriousness, you can try the same URLs, and should get a login popup instead of the camera just giving up its details for free.  If you try the URL and get a 404, it is most likely not a Hikvision camera.

 

Additionally, and especially if you cannot get a definitive response from your supplier, we recommend ensuring that none of those IP cameras are publicly accessible and that those IP cameras are on their own dedicated VLAN that no other local, non-security user, can access.

Pardon me but I recall this solution was deemed 'un-useful' in yesterday's story line and agreed with by IPVM, regarding the CEO of Genetec and his personal opinions. Does IPVM agree with what was published yesterday or today? I consider this a 'waffle', being a casual reader, that this story line is repeated over and over whenever Hikvision can be injected into a headline. Why not rename your site 'Hikvision news by IPVM' as this is at the least 50% of your material? You might get more subscribers as Hikvision is liked by so many more dealers than disliked.

Most industry followers know that Hikvision makes the cameras for 100+ OEMs and it does not take a rocket scientist to figure if one firmware has an issue others could quite possibly follow suit that are manufactured by the same company, this in itself is not 'news'.

 

The best recommendation if you have any concerns for network security would be to simply remove these Hikvision/OEM cameras, destroy them, and purchase something more secure. That is the only way you can be sure you are not exposed to Hikvision's security flaws, by removing them from your network entirely.

Pardon me but I recall this solution was deemed 'un-useful' in yesterday's story line 

I think you need to re-read that post and take a minute to think it through more thoroughly. Also, the 'opinions' of Genetec's CEO in regards to insider threat risk are widely held by many information security professionals.

VLANs can help reduce threats posed by placing untrustworthy devices, like Hikvision cameras, on a network, but they do not eliminate it, and should not be considered sufficient protection, nor should firewalls.

Thank you for asking for this clarification, I have updated the conclusion to directly address the fact that these units should really be removed from service entirely for best security.

So all IP Cameras are good to go with the exception of Hikvision per your recommendation? I must ask, have you fallen or bumped your head lately?

You are clearly highly biased towards Hikvision and refuse to evaluate Hikvision's multiple ongoing security vulnerabilities accurately. I did not say "all IP cameras are good to go", however there are a number of choices that offer significantly better track records than Hikvision, and if you are concerned about overall security then you would use these alternatives.

If you want to make a valid, reasoned argument, or put up some statistics (similar to how I did here) regarding Hikvision vs. other manufacturers, you are welcome to do so. But if you are going to entirely miss the point of these reports there is little reason to respond to your poor attempts to spin what is clearly laid out here.

If you isolate weak devices on a segmented network you simply remove the "oops my gear was caught on shodan" effect. You do not remove the vulnerability. Anything else on that network can still attack the device. (And it's your SECURITY NETWORK - "who would think to look there?")

Isolating weak devices does mitigate this but you're still carrying around the risk.  Do you really want to explain to your CEO that you're one of the "risk creators" they have to worry about accepting the risk for?

I’m just here to see what Marty thinks about all this.

I’m just here to see what Marty thinks about all this.

I prefer responding to Marty when he posts undisclosed.  

That way it's not personal.

Marty helped me real my addiction to the Avigilon stock blog for entertainment so I am indebted to him.   

Well, well thank you for the recognition. What do I think? I think it is absurd to say that ANY IP camera Hik-Dahua-Samsung-Canon or anyone else that is made is any more vulnerable than any other. ANY camera can and could be manipulated by a human from the middle and be an issue so blaming the wonderful folks over at Hikvision is what it is, a hit grabber headline of desperation. It's not Hikvision's fault that ethernet networks are designed as they are or anyone else's fault. Why don't you concede that it takes a human (A person) with malicious intent to make that Hikvision product do anything because it won't happen without actions of another and that another is not the Hikvision camera. This is the same bullshit with the folks that hate guns, (takes a person to fire it). If you hate misspelled words the answer is to rid the world of pencils, right? or would it be best to just get rid of type "a" pencils? Same thing this is a headline grabber folks, dismiss it as fodder.

That's all I have to say about this so don't ask.

Instead of pencils, can we get rid of your keyboard?

Keyboards don't type crazy, crazy types crazy.

Can you show your cards and stop hiding behind UM 5? Can't take the heat? Scared someone will find out your true colors? What are you scared of? Make unhelpful, unprofessional, childish comments time and time again while hiding behind UM. At least I can face my detractors, have an open conversation and agree to disagree with anyone without disrespect, what about you?

 

can we get rid of your keyboard?

To #UM5, I disagree. I would encourage Marty to continue. Marty making a statement that no camera is more vulnerable than others right after the details of Hikvision's backdoor were disclosed is a benefit for others to hear. Why? Because it shows how hopelessly biased or uninformed about cybersecurity he is to say something like that in light of how simple and dangerous the Hikvision backdoor is.

At least I can face my detractors, have an open conversation

Be fair, Marty, you use undisclosed many times as well.

 

Marty, no, no and no.

In RECENT history, people have been able to EXPLOIT cyber security VULNERABILITIES in Hik cams more often than other camera makes. This isn't FAKE NEWS.

And who really hates guns? 

If you run secure connections between your camera and the VMS there isn't an immediate "man in the middle" attack.  That's why we keep telling people to run properly deployed TLS.  And yes this applies to everything not just this week's IPVM-outed camera exploit.

I don't understand all the Hikvision fans coming to defend an exploit that is so elementary once discovered. Other exploits that are found in other cameras, even if they are bad, are often very difficult to implement by anyone with a computer and simple knowledge of how to use one. I would say that this is the sole reason why I prefer buying Hikvision as opposed to through OEM. The delay or sometimes non-existence of a firmware patch is always troubling.

This is also the same reason I have never liked Digital Watchdog being able to distribute Network Optix software. When there are bug fixes it can take months to actually be released by DW. If those fixes were security related, it becomes a big deal. Thankfully, as I have mentioned in the past, I like the fact that Network Optix has been able to support us when we have had serious issues.

I still continue to use and install Hikvision cameras, but they never publicly face the internet and they are generally on a secure VLAN. The cloud services are always disabled. 

I will say that I can't stand any manufacturer enabling cloud services by default. I just checked one of my personal Hikvision cameras that was having issues. I updated the firmware and the platform access that was disabled was found enabled again.

It would be amazing if one day those that do like Hikvision would actually see AND agree that Hikvision's take on security needs significant attention and that they need to find a way to make sure OEMs have updated firmware available and that those OEMs properly alert everyone of the exploits.

I agree strongly with the OEM vs direct statement.  While I would personally never buy Hikvision direct or indirect I would think it is better to always buy from the source rather than someone who sticks their sticker on and claims to have developed the product.  The OEM will always have dated information and lag behind on firmware, assuming that company stays in business to even issue updates down the road.  I would wager many of these OEMs don't have the resources to deal with any type of significant fallout in terms of support resources.  While there are certainly some who could weather a storm is the $10/camera savings worth the effort of vetting them out?

 

Historical example: Laptop video cards using Nvidia or ATI used to be the same - The various OEM brands would have to pay for driver updates.  The OEM would frequently (almost never) fail to do so and the video card would underperform or become incompatible with new applications as a result.  Very rarely these prompted system vulnerabilities to never be remedied.  This didn't relent until people started hacking their own drivers from the desktop versions, usually via laptopvideo2go.com, and laptops became ubiquitous.

They talk through their wallets. Clearly some of these have their futures relying on Hikvision and for that reason they will come up with the most ridiculous outbursts of loyalty to the Chinese State owned brand. Don't forget that these defenders of the shaky products have to deal with a seemingly large client base as well. A client base that bought all those products in good faith, or in some cases I can imagine were bullied into buying it by very overpowering statements about the good Chinese people and their wonderful products. Imagine if they find out that they paid a premium price for a very poor product when it comes to cyber security or integrity. Remember that some advocates, or actually one in particular, stated that he quotes his Hik solutions just below the competitors much more expensive solution to maximize his margin and profits?

he quotes his Hik solutions just below the competitors much more expensive solution to maximize his margin and profits

Background: Always Choose HIKVISION.

In fairness, though, #10, you are from the Hikvision competitor that Calhoun referenced in that post with that technique.

On the other hand, I do agree that the problem that many long-time Hikvision integrators are now in. If they go back and say "hey US military, I sold you these great low cost cameras that now turn out to have a backdoor in it and was manufactured by a subsidiary of the Chinese government", they risk a variety of scary problems.

What do you mean 'in fairness' John? How is that relevant 'in fairness'? He stated he does that in every scenario he comes across no matter what the other manufacturer is many times over. My comment above isn't simply based on that one time mention in that particular post, that would be a little shall we say 'narrow minded' wouldn't it?

I'm not an integrator or installer, but have helped some friends get a camera or two up around the lake in years past. Getting calls for cameras not working...

 

I'd hate to be a company that has been putting these in non-stop for 4-5 years.

The sad news is that those companies that have been selling open equipment for 4-5 years will likely not be around in 4-5 more years to sell plug and play boxes if this continues.  As professionals we should bring more to the industry than being able to make long patch cables and slap a turret cam on the ceiling

Arlo and Ring type wifi devices will soon enough eradicate those who simply pull 100ft patch cables and anchor a one size fits all camera to a wall.
