Hikvision VMS Password Recovery Vulnerability - Emailing Admin Passwords In Plain Text

Author: Michael Budalich, Published on Aug 28, 2017

Hikvision iVMS-4200 suffers from a vulnerability that allows anyone local, without authentication, to generate a code that Hikvision will respond by emailing the admin password in plain text.

This is different than the Hikvision recorder cracked security codes. Because it is for the iVMS-4200, exploiting this vulnerability would provide access to all devices connected to the iVMS-4200 including Hikvision cameras and recorders, as well as any 3rd party cameras connected through those recorders.

In this report we detail the vulnerability, explaining how it can be exploited and the security problems therein.

********* ****-**** ******* **** * ************* **** ****** ****** *****, without **************, ** ******** * **** **** ********* **** ******* by ******** *** ***** ******** ** ***** ****.

**** ** ********* **** ************ ******** ******* ******** *****. ******* ** ** *** *** ****-****, ********** **** ************* would ******* ****** ** *** ******* ********* ** *** ****-**** including ********* ******* *** *********, ** **** ** *** *** party ******* ********* ******* ***** *********.

** **** ****** ** ****** *** *************, ********** *** ** can ** ********* *** *** ******** ******** *******.

[***************]

iVMS-4200 ******** *************

*** ****-**** ****** ******** * "****** ********" ******:

******** "****** ********" ******* ** "********* ******",***** *** ** ******* ** ********* ******* *** ******** ********:

****** ** **** ** '******* **** ******', ********* ******* ******* admin ********* ** ** ******* *** ******* ** ************** ** verification.

***** * ***** ****** (~** ******* ** *** *******), ********* support ****** *** ****-**** ******'* ***** ******** ** ***** ****:

Multiple ******** *****

***** *** * *** ******** *****:

  • ** ************** *** ************
  • *** ****'* ******** ** ******* **** ** ***** ****
  • ** ***** ** ******
  • ******* *********
  • *********** ********* *** ** *******

No ************** *** ************

****** *** *** **** ** ** * ******** **** ****-**** software *** *** *** ***** ******** ********. ***** ** ** email, ***** ****** ** *** ***** ******* ** ****** ** authenticate *** ********* ** **********. **** ** ****** *** ****** universally ******* *******.

Plain **** ********

******** *** ******** ** ***** **** ** ******* ********* ** basic ******** *********, **** ***** ***** **** ******** **** *** change ** **** ***. ****** *** *** ****** ** **** email, ****** ** *** ******** ** ******'* **** *** *** the ***** ******** *** *** ******.

No ***** ** ******

**** ******** ******** ******* **** ********* ******* **** **** **** than ******** ******** ******, ** ** ******** *** ****** ***** password ** ** ************ ******. **** ******** ***** *********, *** admin ******** **** ***** ** * *** *****, ******** ******** legitimate ***** **** ********* *** ** ***** **** ***** ******** stops *******.

Reusing *********

***** ******* ********* ****** ******* ** *** ********, ** ** common. ** *** ****** *** ***** *** ****-**** *********** **** the **** ***** ******** ** ***** ******* ** ************, *** attacker *** *** *** ***** ******** ** * ******* ** devices. **** ** *** ****-**** ***** ******** ** ******, ********* the ********* ******** *** ******* ***** **** *** *** **** chooses *********, ****** ** ****** ** **** ************ ****** ** other *******.

Recoverable ********* *** ** *******

*********'* '********* ******' *** *** ******** *** ** *******. ** independent ******** ******* *** **** ** ********* *** ********* ******* about *** ******* ****** * *** *****:

*** ***** ******** ** ********* **** *** ** *** ****, and ** **** ****** *******, ******* ****** "***" *** "***". This ** *********** *** *** **** ** ******* *** ******** upon ******* ***********. *** ** *** **** ** *********** ** a ********* ******** ******, ******** ** ******** ** ********* *** blocksize, ******, *** ******* ****** *** **********. ** * ******, the ******** ***** ** **** ** ********* *** ***/******** **** for ********** *** ***** **** ******* *** **** *********.

** *********'* ******** ********** ****** **** *******, ********* ***** ** revealed ******* *** **** ** ******* ********* *******, ****** ** even ****** *** ****** *** ****-**** ******* ** ** ***********.

Risk ** ********** ** ******** ********* *************

*** ***** ***** ******** ***** ***** *** **** **/****-**** ************, it ** *********** ********** ** ******** ****** *** ******** **** lower-level ***** ********* *** ***** ******** "********* ******" *** ******* it ** ********* ******* ** ******** *** ***** ********.

********* *** ****** ********** **** ********, ****** ** *********** *** larger *************, ********* ***** ********** ** **** ** ********* ********** admin ********* ******* **** *************.

Hikvision

**** ***** ********* ** ********* *** ***** *********/******** **** ****** in * ******* ****** ***** ********* ********* *** ***********, *** there ** * *** *** ***** ** ******* *** ******** recovery ** ****-****. ********* *** *********** ******* ** *** *********, but *** *** ***** * ********, ** ************ **** * response ***** ** ********.

******

***** ********* *** *** ******* ** *** ***** (**** ****** 24th), **** ******** * "******* ********" *** ******* ******* ** iVMS-4200 ***** (****** ****):

Mitigating ******** ******** ****

******* ********* ***** ** ** **** *** ** ************ **** to ******** ** ****-**** ***** ********, ***** ** *** *********** need ** ******* ******* ************ ****** ** *** ***********. ****** savers **** * **** ***** ******** *** ******** ****** *********** should ** **** ** ******* ************ ***** **** ********* *** app *** ********** *** ******** ***** ****.

Hikvsion **** ******** ********

*************** ****** ** "********** *** ********** ** *********** ********", ***** ******* *********** ***** *********. *************** **** **** ***** in*********'* ****** ***,***** ********,*******/*********, *** *** ** ***********. ***** ********** *************** **** **** the ******* **** *** ***** *********** ********/***** ******** ** * top ********, ****** * ********** ******* ** ********* ******** ** managing *********** ********. ** ** ****** ****** **** ***** ******* lines, **** ** ****** ******* ** *********, **** ******* *************** that *** ********* ** ****. ***** ** ********* ******** ** software ****** ******** ***** ******** **********, *** *** *********** ******* to ******* ******* ******** *** ******** ******* *************.

Comments (11)

Undisclosed Integrator #1

08/28/17 05:22pm

(****** ********* ******* ******** ******** *** ***** ****)

Thumbnail brk1

Brian Karas

IPVM | 08/28/17 05:35pm

***** ********* *** *** ******* ** *** ***** (**** ****** 24th), **** ******** * "******* ********" *** ******* ******* ** iVMS-4200 ***** (****** ****):

****-**** ******* ******** ********

Thumbnail brk1

Brian Karas

IPVM | 08/28/17 07:11pm

** ******** ** ******** *** "****** ********" ********, ********* *** stopped ******* ******** ******** ********. * ******* ********* ***** **** report *** ******** ******** *** ********* ******** **** *********:

*** ******** *** *** **** ** ***** **** *** ********/******* was *******, *** *** **** ********* *********** *** ****** ******* with *** "******** ******** *********".

Thumbnail marty2016

Marty Calhoun

IPVMU Certified | 09/03/17 05:40pm

**** *****

********** ***** ********* ***** *** ** ***** *** ******** ********, it ** **** ********* ** *** ***-*******.

Undisclosed #2

In reply to Marty Calhoun | 09/03/17 05:48pm

...** ** **** ********* ** *** ***-*******.

** **** **** * ***?

Thumbnail marty2016

Marty Calhoun

IPVMU Certified | In reply to Undisclosed #2 | 09/04/17 12:00am

** ** * *** ********. *********** ********** ****** *** ** be ******** **** * *** ** ****-****.

** ***** ***** ***** ** **, ***** *** ******* **********, blame *** *****-******** ******** **** *** **** (**) ***** ** Hik, ***** *** ******* **** ** **, ***** ** ********** that *** **** ******** *** *** ****** * ***-******** ********** of *** ******** *** *** ********* ******* *** '******** ** the ****' ********.

John Honovich

IPVM | In reply to Marty Calhoun | 09/03/17 11:54pm

*****,

***-******* *** **** ******** ** *** **** *** ****** ***** means **** *** *********, ********** ** ********* *** ***** ***-*******.

***, **** ******** ************* ******* *** ***-******* **** *** *******?

Undisclosed #2

In reply to John Honovich | 09/04/17 12:14am

********** ***** ********* ***** *** ** ***** *** ******** ********, it ** **** ********* ** *** ***-*******. - *.*.

... **** *** *********, ********** ** ********* *** ***** ***-*******. - *.*.

**** ** ***** ****** ** ****, ****** ********* *** **** few ********** *********.

John Honovich

IPVM | In reply to Undisclosed #2 | 09/04/17 12:28am

***** ** ******** **** ********** ***** ***************** ***** ***-*******.

******* **** ****** *** ***-******* ** ***, ** **** ******* general ************ **** **** * ****** ***:

** *** ******* **, ********** ** **** ***** ********* ****** be *****, ************ *********, ********** ** ***, *** ***** ****-**** since ***-******* ** ***** ***.

** ******, ******* ***-******* ** ****** * *********** ** *** fact **** *********'* **** ************* ****** ******* ******** ***** ********* in ***** ****.

Undisclosed #2

In reply to John Honovich | 09/04/17 12:39am

***** ** ******** **** ********** ***** ***************** ***** ***-*******.

*** ** *** ***** ************ ****.

John Honovich

IPVM | In reply to Marty Calhoun | 09/03/17 11:59pm

**** *****

*** ***** ** ** * '**** *****' ** **** ***** passwords ** ***** **** ** ******?

*****, *** *** ******* ** *** **** *** **** *** these **** ** ********* ********** **** ********* *** ***** ******* are *** ******* ***** ***** ******** *** ****** ** ******** excuses.

Login to read this IPVM report.
Why do I need to log in?
IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

Related Reports on VMS

Exacq Raises VMS Software Pricing Twice in Less Than a Year on Feb 18, 2019
Most VMSes regularly release new features, but rarely increase their prices. For the 3rd time in 4 years, and 2nd time in 8 months, since being...
Axis IR Multi Imager Camera Tested (P3717-PLE) on Feb 18, 2019
Axis has released their first IR multi imager, the P3717-PLE, a repositionable model listing 360° IR illumination and flexible positioning,...
Casino Surveillance Pro Interview: James Lathrop on Feb 15, 2019
James Lathrop has been working in casinos for almost 25 years. During that time, he says he has held "just about every job you can do in the...
Cisco Meraki Cloud VMS/Cameras Tested on Feb 13, 2019
Cisco Meraki says their cameras "bring Meraki magic to the enterprise video security world". According to Meraki, their magic is their management...
Solink Raises $12 Million - Company Profile on Feb 12, 2019
Most industry professionals have never heard of Solink, a company whose tagline is: It's time to revolutionize the way business uses...
Milestone Drops Hikvision From Elite Partners on Feb 11, 2019
Milestone has quietly dropped Hikvision from their 'Elite Partners', less than 3 years after adding the Chinese government-owned...
FLIR Favorability Results 2019 on Feb 08, 2019
FLIR has had a challenging past few years including FLIR Security business struggling, FLIR restructuring their security division and FLIR selling...
No Genetec Major Releases In Over A Year on Feb 06, 2019
Annual VMS licenses are a controversial practice in the video surveillance industry, with many questioning their need or value. However, enterprise...
PlateSmart LPR Profile on Jan 31, 2019
PlateSmart Technologies claims to "turn any conventional surveillance camera into a license plate recognition camera" We spoke with PlateSmart to...
Hanwha Techwin Favorability Results 2019 on Jan 31, 2019
Hanwha Techwin's favorability results surged, in IPVM's 2019 study, going from barely neutral in 2016 to strongly net positive, as the results...

Most Recent Industry Reports

Security Installation Tools Guide - 22 Tools Listed on Feb 19, 2019
In this guide, we cover 22 tools that security installers frequently use. This is one part of our upcoming Video Surveillance...
Sales Cuts At Rasilient on Feb 19, 2019
Over the past 2 years, video surveillance storage specialist Rasilient has expanded its workforce significantly, aiming to build its own branded...
Exacq Raises VMS Software Pricing Twice in Less Than a Year on Feb 18, 2019
Most VMSes regularly release new features, but rarely increase their prices. For the 3rd time in 4 years, and 2nd time in 8 months, since being...
Axis IR Multi Imager Camera Tested (P3717-PLE) on Feb 18, 2019
Axis has released their first IR multi imager, the P3717-PLE, a repositionable model listing 360° IR illumination and flexible positioning,...
Ubiquiti Favorability Results 2019 on Feb 18, 2019
Ubiquiti has quietly grown into a $1+ billion annual revenue company, with offerings across wireless, wireline network and video surveillance (see...
Casino Surveillance Pro Interview: James Lathrop on Feb 15, 2019
James Lathrop has been working in casinos for almost 25 years. During that time, he says he has held "just about every job you can do in the...
Hikvision 2018 Revenue Tops $7 Billion USD But Growth Slows To Low on Feb 15, 2019
Hikvision's annual revenue topped $7 billion for the first time in 2018, although growth slowed sharply. In this post, we analyze the latest...
Hanwha Smaller Multi Imager Tested (PNM-9000VQ) on Feb 14, 2019
Hanwha's first repositionable multi imager PNM-9081VQ tested well, but was huge, over 12" wide and weighing in at over 10 pounds. Now, they have...
ADT And 'The Defenders' Silent About Massive Complaints on Feb 14, 2019
ADT's largest dealer, "The Defenders" has been the subject of a massive number of complaints over many years and many forums, most recently a CBS...
Hikvision Chairman Praises United Front on Feb 14, 2019
Hikvision’s controlling shareholder held a meeting last month praising the United Front, a Communist Party organization known for its secretive...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact