Hikvision VMS Password Recovery Vulnerability - Emailing Admin Passwords In Plain Text

By Michael Budalich, Published Aug 28, 2017, 10:42am EDT

Hikvision iVMS-4200 suffers from a vulnerability that allows anyone with local access to the application, without authenticating, to generate a recovery code; when that code is submitted to Hikvision, Hikvision responds by emailing the admin password in plain text.

This is distinct from the cracked security codes for Hikvision recorders. Because it affects the iVMS-4200 client, exploiting this vulnerability would provide access to every device connected to the iVMS-4200, including Hikvision cameras and recorders, as well as any third-party cameras connected through those recorders.

In this report we detail the vulnerability, explain how it can be exploited, and examine the security problems it exposes.

iVMS-4200 ******** *************

*** ****-**** ****** ******** a "****** ********" ******:

******** "****** ********" ******* an "********* ******", ***** can ** ******* ** Hikvision ******* *** ******** recovery [**** ** ****** available]:

****** ** **** ** 'contact **** ******', ********* support ******* ***** ********* to ** ******* *** attempt ** ************** ** verification.

***** * ***** ****** (~30 ******* ** *** example), ********* ******* ****** the ****-**** ******'* ***** password ** ***** ****:

Multiple ******** *****

***** *** * *** security *****:

  • ** ************** *** ************
  • *** ****'* ******** ** emailed **** ** ***** text
  • ** ***** ** ******
  • ******* *********
  • *********** ********* *** ** cracked

No ************** *** ************

****** *** *** **** up ** * ******** with ****-**** ******** *** get *** ***** ******** directly. ***** ** ** email, ***** ****** ** any ***** ******* ** verify ** ************ *** requester ** **********. **** is ****** *** ****** universally ******* *******.

Plain **** ********

******** *** ******** ** plain **** ** ******* violation ** ***** ******** practices, **** ***** ***** that ******** **** *** change ** **** ***. Anyone *** *** ****** to **** *****, ****** on *** ******** ** sender's **** *** *** the ***** ******** *** the ******.

No ***** ** ******

**** ******** ******** ******* from ********* ******* **** more **** **** ******** password ******, ** ** provides *** ****** ***** password ** ** ************ person. **** ******** ***** functions, *** ***** ******** gets ***** ** * new *****, ******** ******** legitimate ***** **** ********* may ** ***** **** their ******** ***** *******.

Reusing *********

***** ******* ********* ****** devices ** *** ********, it ** ******. ** the ****** *** ***** the ****-**** *********** **** the **** ***** ******** on ***** ******* ** applications, *** ******** *** has *** ***** ******** to * ******* ** devices. **** ** *** iVMS-4200 ***** ******** ** unique, ********* *** ********* password *** ******* ***** into *** *** **** chooses *********, ****** ** easier ** **** ************ access ** ***** *******.

Recoverable ********* *** ** *******

*********'* '********* ******' *** the ******** *** ** cracked. ** *********** ******** analyst *** **** ** determine *** ********* ******* about *** ******* ****** a *** *****:

*** ***** ******** ** encrypted **** *** ** ECB ****, *** ** then ****** *******, ******* adding "***" *** "***". This ** *********** *** the **** ** ******* and ******** **** ******* passphrases. *** ** *** mode ** *********** ** a ********* ******** ******, allowing ** ******** ** determine *** *********, ******, and ******* ****** *** ciphertext. ** * ******, the ******** ***** ** able ** ********* *** key/password **** *** ********** and ***** **** ******* the **** *********.

** *********'* ******** ********** scheme **** *******, ********* could ** ******** ******* the **** ** ******* Hikvision *******, ****** ** even ****** *** ****** for ****-**** ******* ** be ***********.

Risk ** ********** ** ******** ********* *************

*** ***** ***** ******** users ***** *** **** PC/iVMS-4200 ************, ** ** effectively ********** ** ******** secure *** ******** **** lower-level ***** ********* *** admin ******** "********* ******" and ******* ** ** Hikvision ******* ** ******** the ***** ********.

********* *** ****** ********** user ********, ****** ** enterprises *** ****** *************, therefore ***** ********** ** risk ** ********* ********** admin ********* ******* **** vulnerability.

Hikvision

**** ***** ********* ** passwords *** ***** *********/******** were ****** ** * similar ****** ***** ********* passwords *** ***********, *** there ** * *** for ***** ** ******* the ******** ******** ** iVMS-4200. ********* *** *********** receipt ** *** *********, but *** *** ***** a ********, ** ************ when * ******** ***** be ********.

******

***** ********* *** *** respond ** *** ***** (sent ****** ****), **** released * "******* ********" and ******* ******* ** iVMS-4200 ***** (****** ****):

Mitigating ******** ******** ****

******* ********* ***** ** so **** *** ** unauthorized **** ** ******** an ****-**** ***** ********, users ** *** *********** need ** ******* ******* unauthorized ****** ** *** application. ****** ****** **** a **** ***** ******** and ******** ****** *********** should ** **** ** prevent ************ ***** **** launching *** *** *** retrieving *** ******** ***** code.

Hikvision **** ******** ********

****** ********* ****** ** "understand *** ********** ** information ********" [**** ** longer *********], ***** ******* continually ***** *********. *************** have **** ***** ***********'* ****** ***,***** ********,*******/*********, *** *** ** application. ***** ********** *************** show **** *** ******* does *** ***** *********** security/cyber ******** ** * top ********, ****** * responsive ******* ** ********* approach ** ******** *********** security. ** ** ****** likely **** ***** ******* lines, **** ** ****** control ** *********, **** similar *************** **** *** customers ** ****. ***** of ********* ******** ** software ****** ******** ***** products **********, *** *** appropriate ******* ** ******* against ******** *** ******** exploit *************.

Comments (11)

(Insert Hikvision Special Bulletin security fix email here) 


While Hikvision did not respond to our email (sent August 24th), they released a "Special Bulletin" and updated version of iVMS-4200 today (August 28th):


iVMS-4200 Updated Software Download 


In addition to removing the "Forgot Password" function, Hikvision has stopped issuing password recovery requests. A request submitted after this report was released received the following response from Hikvision:

The response did not make it clear that the function/support was removed, nor did they recommend downloading the latest release with the "upgraded security structure".


Moot Point

Enterprise level customers would not be using the iVMS4200 platform, it is more realistic to use Hik-Central.


...it is more realistic to use Hik-Central.

Is that even a VMS?


It is a CMS solution. Centralized Management System not to be confused with a VMS OR iVMS-4200.

Go ahead throw water on it, blame the Chinese government, blame all cyber-security problems over the last (10) years on Hik, throw the Kitchen sink at it, bring up everything that has been resolved but god forbid a non-partisan discussion of the software and its abilities without the 'Headline of the week' approach.


Marty,

Hik-Central was just released in the past few months which means very few customers, enterprise or otherwise are using Hik-Central.

Btw, what security vulnerability testing has Hik-Central been put through?


Enterprise level customers would not be using the iVMS4200 platform, it is more realistic to use Hik-Central. - M.C.

... very few customers, enterprise or otherwise are using Hik-Central. - J.H.

Both of these cannot be true, unless Hikvision has very few enterprise customers.


Marty is implying that enterprise level customers should be using Hik-Central.

Whether they should use Hik-Central or not, it just reached general availability less than 2 months ago:

So the reality is, regardless of what their customers should be using, overwhelming customers, enterprise or not, are using iVMS-4200 since Hik-Central is brand new.

Of course, raising Hik-Central is simply a smokescreen to the fact that Hikvision's poor cybersecurity policy allowed emailing admin passwords in plain text.


Marty is implying that enterprise level customers should be using Hik-Central.

And so the Point only should be Moot.


Moot Point

How would it be a 'moot point' to send admin passwords in plain text to anyone?

Marty, you are welcome to say what you want, but these types of responses reinforce that Hikvision and their dealers are not serious about cyber security and engage in shameful excuses.
