Hikvision VMS Password Recovery Vulnerability - Emailing Admin Passwords In Plain Text

By: Michael Budalich, Published on Aug 28, 2017

Hikvision iVMS-4200 suffers from a vulnerability that allows anyone with local access, without authentication, to generate a code to which Hikvision responds by emailing the admin password in plain text.

This is different from the Hikvision recorder cracked security codes. Because it is for the iVMS-4200, exploiting this vulnerability would provide access to all devices connected to the iVMS-4200, including Hikvision cameras and recorders, as well as any third-party cameras connected through those recorders.

In this report we detail the vulnerability, explaining how it can be exploited and the security problems therein.


Comments (11)

(Insert Hikvision Special Bulletin security fix email here) 

While Hikvision did not respond to our email (sent August 24th), they released a "Special Bulletin" and updated version of iVMS-4200 today (August 28th):


iVMS-4200 Updated Software Download 

In addition to removing the "Forgot Password" function, Hikvision has stopped issuing password recovery requests. A request submitted after this report was released received the following response from Hikvision:

The response did not make it clear that the function/support was removed, nor did they recommend downloading the latest release with the "upgraded security structure".


Moot Point

Enterprise level customers would not be using the iVMS4200 platform, it is more realistic to use Hik-Central.

...it is more realistic to use Hik-Central.

Is that even a VMS?

It is a CMS solution. Centralized Management System not to be confused with a VMS OR iVMS-4200.

Go ahead, throw water on it, blame the Chinese government, blame all cyber-security problems over the last (10) years on Hik, throw the kitchen sink at it, bring up everything that has been resolved, but God forbid a non-partisan discussion of the software and its abilities without the 'Headline of the week' approach.


Marty,

Hik-Central was just released in the past few months, which means very few customers, enterprise or otherwise, are using Hik-Central.

Btw, what security vulnerability testing has Hik-Central been put through?

Enterprise level customers would not be using the iVMS4200 platform, it is more realistic to use Hik-Central. - M.C.

... very few customers, enterprise or otherwise are using Hik-Central. - J.H.

Both of these cannot be true, unless Hikvision has very few enterprise customers.

Marty is implying that enterprise level customers should be using Hik-Central.

Whether they should use Hik-Central or not, it just reached general availability less than 2 months ago:

So the reality is, regardless of what their customers should be using, overwhelmingly, customers, enterprise or not, are using iVMS-4200 since Hik-Central is brand new.

Of course, raising Hik-Central is simply a smokescreen to the fact that Hikvision's poor cybersecurity policy allowed emailing admin passwords in plain text.

Marty is implying that enterprise level customers should be using Hik-Central.

And so the Point only should be Moot.

Moot Point

How would it be a 'moot point' to send admin passwords in plain text to anyone?

Marty, you are welcome to say what you want, but these types of responses reinforce that Hikvision and their dealers are not serious about cyber security and engage in shameful excuses.
