Hikvision VMS Password Recovery Vulnerability - Emailing Admin Passwords In Plain Text

Author: Michael Budalich, Published on Aug 28, 2017

Hikvision iVMS-4200 suffers from a vulnerability that allows anyone local, without authentication, to generate a code that Hikvision will respond by emailing the admin password in plain text.

This is different than the Hikvision recorder cracked security codes. Because it is for the iVMS-4200, exploiting this vulnerability would provide access to all devices connected to the iVMS-4200 including Hikvision cameras and recorders, as well as any 3rd party cameras connected through those recorders.

In this report we detail the vulnerability, explaining how it can be exploited and the security problems therein.

********* ****-**** ******* **** * ************* **** ****** ****** *****, without **************, ** ******** * **** **** ********* **** ******* by ******** *** ***** ******** ** ***** ****.

**** ** ********* **** ************ ******** ******* ******** *****. ******* ** ** *** *** ****-****, ********** **** ************* would ******* ****** ** *** ******* ********* ** *** ****-**** including ********* ******* *** *********, ** **** ** *** *** party ******* ********* ******* ***** *********.

** **** ****** ** ****** *** *************, ********** *** ** can ** ********* *** *** ******** ******** *******.

[***************]

iVMS-4200 ******** *************

*** ****-**** ****** ******** * "****** ********" ******:

******** "****** ********" ******* ** "********* ******",***** *** ** ******* ** ********* ******* *** ******** ********:

****** ** **** ** '******* **** ******', ********* ******* ******* admin ********* ** ** ******* *** ******* ** ************** ** verification.

***** * ***** ****** (~** ******* ** *** *******), ********* support ****** *** ****-**** ******'* ***** ******** ** ***** ****:

Multiple ******** *****

***** *** * *** ******** *****:

  • ** ************** *** ************
  • *** ****'* ******** ** ******* **** ** ***** ****
  • ** ***** ** ******
  • ******* *********
  • *********** ********* *** ** *******

No ************** *** ************

****** *** *** **** ** ** * ******** **** ****-**** software *** *** *** ***** ******** ********. ***** ** ** email, ***** ****** ** *** ***** ******* ** ****** ** authenticate *** ********* ** **********. **** ** ****** *** ****** universally ******* *******.

Plain **** ********

******** *** ******** ** ***** **** ** ******* ********* ** basic ******** *********, **** ***** ***** **** ******** **** *** change ** **** ***. ****** *** *** ****** ** **** email, ****** ** *** ******** ** ******'* **** *** *** the ***** ******** *** *** ******.

No ***** ** ******

**** ******** ******** ******* **** ********* ******* **** **** **** than ******** ******** ******, ** ** ******** *** ****** ***** password ** ** ************ ******. **** ******** ***** *********, *** admin ******** **** ***** ** * *** *****, ******** ******** legitimate ***** **** ********* *** ** ***** **** ***** ******** stops *******.

Reusing *********

***** ******* ********* ****** ******* ** *** ********, ** ** common. ** *** ****** *** ***** *** ****-**** *********** **** the **** ***** ******** ** ***** ******* ** ************, *** attacker *** *** *** ***** ******** ** * ******* ** devices. **** ** *** ****-**** ***** ******** ** ******, ********* the ********* ******** *** ******* ***** **** *** *** **** chooses *********, ****** ** ****** ** **** ************ ****** ** other *******.

Recoverable ********* *** ** *******

*********'* '********* ******' *** *** ******** *** ** *******. ** independent ******** ******* *** **** ** ********* *** ********* ******* about *** ******* ****** * *** *****:

*** ***** ******** ** ********* **** *** ** *** ****, and ** **** ****** *******, ******* ****** "***" *** "***". This ** *********** *** *** **** ** ******* *** ******** upon ******* ***********. *** ** *** **** ** *********** ** a ********* ******** ******, ******** ** ******** ** ********* *** blocksize, ******, *** ******* ****** *** **********. ** * ******, the ******** ***** ** **** ** ********* *** ***/******** **** for ********** *** ***** **** ******* *** **** *********.

** *********'* ******** ********** ****** **** *******, ********* ***** ** revealed ******* *** **** ** ******* ********* *******, ****** ** even ****** *** ****** *** ****-**** ******* ** ** ***********.

Risk ** ********** ** ******** ********* *************

*** ***** ***** ******** ***** ***** *** **** **/****-**** ************, it ** *********** ********** ** ******** ****** *** ******** **** lower-level ***** ********* *** ***** ******** "********* ******" *** ******* it ** ********* ******* ** ******** *** ***** ********.

********* *** ****** ********** **** ********, ****** ** *********** *** larger *************, ********* ***** ********** ** **** ** ********* ********** admin ********* ******* **** *************.

Hikvision

**** ***** ********* ** ********* *** ***** *********/******** **** ****** in * ******* ****** ***** ********* ********* *** ***********, *** there ** * *** *** ***** ** ******* *** ******** recovery ** ****-****. ********* *** *********** ******* ** *** *********, but *** *** ***** * ********, ** ************ **** * response ***** ** ********.

******

***** ********* *** *** ******* ** *** ***** (**** ****** 24th), **** ******** * "******* ********" *** ******* ******* ** iVMS-4200 ***** (****** ****):

Mitigating ******** ******** ****

******* ********* ***** ** ** **** *** ** ************ **** to ******** ** ****-**** ***** ********, ***** ** *** *********** need ** ******* ******* ************ ****** ** *** ***********. ****** savers **** * **** ***** ******** *** ******** ****** *********** should ** **** ** ******* ************ ***** **** ********* *** app *** ********** *** ******** ***** ****.

Hikvsion **** ******** ********

*************** ****** ** "********** *** ********** ** *********** ********", ***** ******* *********** ***** *********. *************** **** **** ***** in*********'* ****** ***,***** ********,*******/*********, *** *** ** ***********. ***** ********** *************** **** **** the ******* **** *** ***** *********** ********/***** ******** ** * top ********, ****** * ********** ******* ** ********* ******** ** managing *********** ********. ** ** ****** ****** **** ***** ******* lines, **** ** ****** ******* ** *********, **** ******* *************** that *** ********* ** ****. ***** ** ********* ******** ** software ****** ******** ***** ******** **********, *** *** *********** ******* to ******* ******* ******** *** ******** ******* *************.

Comments (11)

Undisclosed Integrator #1

08/28/17 05:22pm

(****** ********* ******* ******** ******** *** ***** ****)

Thumbnail brk1

Brian Karas

IPVM | 08/28/17 05:35pm

***** ********* *** *** ******* ** *** ***** (**** ****** 24th), **** ******** * "******* ********" *** ******* ******* ** iVMS-4200 ***** (****** ****):

****-**** ******* ******** ********

Thumbnail brk1

Brian Karas

IPVM | 08/28/17 07:11pm

** ******** ** ******** *** "****** ********" ********, ********* *** stopped ******* ******** ******** ********. * ******* ********* ***** **** report *** ******** ******** *** ********* ******** **** *********:

*** ******** *** *** **** ** ***** **** *** ********/******* was *******, *** *** **** ********* *********** *** ****** ******* with *** "******** ******** *********".

Thumbnail marty2016

Marty Calhoun

IPVMU Certified | 09/03/17 05:40pm

**** *****

********** ***** ********* ***** *** ** ***** *** ******** ********, it ** **** ********* ** *** ***-*******.

Undisclosed #2

In reply to Marty Calhoun | 09/03/17 05:48pm

...** ** **** ********* ** *** ***-*******.

** **** **** * ***?

Thumbnail marty2016

Marty Calhoun

IPVMU Certified | In reply to Undisclosed #2 | 09/04/17 12:00am

** ** * *** ********. *********** ********** ****** *** ** be ******** **** * *** ** ****-****.

** ***** ***** ***** ** **, ***** *** ******* **********, blame *** *****-******** ******** **** *** **** (**) ***** ** Hik, ***** *** ******* **** ** **, ***** ** ********** that *** **** ******** *** *** ****** * ***-******** ********** of *** ******** *** *** ********* ******* *** '******** ** the ****' ********.

John Honovich

IPVM | In reply to Marty Calhoun | 09/03/17 11:54pm

*****,

***-******* *** **** ******** ** *** **** *** ****** ***** means **** *** *********, ********** ** ********* *** ***** ***-*******.

***, **** ******** ************* ******* *** ***-******* **** *** *******?

Undisclosed #2

In reply to John Honovich | 09/04/17 12:14am

********** ***** ********* ***** *** ** ***** *** ******** ********, it ** **** ********* ** *** ***-*******. - *.*.

... **** *** *********, ********** ** ********* *** ***** ***-*******. - *.*.

**** ** ***** ****** ** ****, ****** ********* *** **** few ********** *********.

John Honovich

IPVM | In reply to Undisclosed #2 | 09/04/17 12:28am

***** ** ******** **** ********** ***** ***************** ***** ***-*******.

******* **** ****** *** ***-******* ** ***, ** **** ******* general ************ **** **** * ****** ***:

** *** ******* **, ********** ** **** ***** ********* ****** be *****, ************ *********, ********** ** ***, *** ***** ****-**** since ***-******* ** ***** ***.

** ******, ******* ***-******* ** ****** * *********** ** *** fact **** *********'* **** ************* ****** ******* ******** ***** ********* in ***** ****.

Undisclosed #2

In reply to John Honovich | 09/04/17 12:39am

***** ** ******** **** ********** ***** ***************** ***** ***-*******.

*** ** *** ***** ************ ****.

John Honovich

IPVM | In reply to Marty Calhoun | 09/03/17 11:59pm

**** *****

*** ***** ** ** * '**** *****' ** **** ***** passwords ** ***** **** ** ******?

*****, *** *** ******* ** *** **** *** **** *** these **** ** ********* ********** **** ********* *** ***** ******* are *** ******* ***** ***** ******** *** ****** ** ******** excuses.

Login to read this IPVM report.
Why do I need to log in?
IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

Related Reports on VMS

Most Wanted Improvements In Manufacturer Technical Support (Statistics) on Jun 21, 2018
5 key areas of improvement and 1 clear wanted support feature were voiced by 140+ integrator responses to: What improvement in manufacturer...
Axis Guardian - Cloud VMS And Alarm Monitoring - Released on Jun 19, 2018
Axis has struggled to deliver a cloud-based managed service video platform. Video service providers have utilized AVHS for over a decade, and have...
ReconaSense - The AI / Access Control / Analytics / IoT / Video Company Profile on Jun 12, 2018
One company's ISC West booth stood out for displaying a light-up tower of buzzwords. The company, ReconaSense, pledged to be 'making sense of it...
H.265 / HEVC Codec Tutorial on Jun 07, 2018
H.265 support has improved significantly in 2018, with H.265 camera/VMS compatibility increased compared to only a year ago, and more manufacturers...
Bosch IVA Video Analytics And Motion+ VMD Tested on Jun 06, 2018
Bosch's video analytics now ship on nearly every model, from indoor domes to high-end 5MP starlight cameras.  In this test, we evaluate Bosch's...
Hikvision PanoVu 20MP Flexible Camera Tested on Jun 01, 2018
Hikvision has released their first repositionable multi imager cameras with integrated IR included, atypical in competitors. We bought and tested...
Oncam 12MP Fisheye Camera Tested on May 29, 2018
Oncam has made their name since the early 2000s as a fisheye specialist, focusing only on panoramic cameras. To see how this specialist stacks up...
VMS Server Sizing on May 25, 2018
Specifying the right sized PC/server for VMS software is one of the most important yet difficult decisions in IP video surveillance. In the past...
Hanwha Wisenet X Analytics and VMD Test on May 24, 2018
Continuing our updated testing of camera analytics, we tested Hanwha's Wisenet X analytics for over two weeks in multiple scenes, indoors and out,...
Software Only VMS vs NVR Appliances on May 23, 2018
Should you buy your own PC/server and load VMS software on it or get a turnkey appliance (both hardware and software, e.g., NVR, Hybrid DVR) from a...

Most Recent Industry Reports

Installation Hardware for Video Surveillance - Indoor Fasteners on Jun 22, 2018
As part of our Installation for Video Surveillance series, in this note, we cover drywall anchors. A key part of installing security hardware is...
Hikvision ColorVu Integrated Visible Light Cameras Examined on Jun 22, 2018
When it comes to low light, infrared light has become the defacto standard in surveillance. But IR is limited to monochrome images, making colors...
Last Chance - Save $50 - July 2018 IP Networking Course on Jun 21, 2018
Today, Thursday the 21st is the last chance to save $50 on registration. Register now and save. This is the only networking course designed...
'Secure Channel' OSDP Access Control Examined on Jun 21, 2018
Despite claiming to be better than Wiegand, OSDP's initial releases did not address the lack of encryption between reader and controller, leaving...
Most Wanted Improvements In Manufacturer Technical Support (Statistics) on Jun 21, 2018
5 key areas of improvement and 1 clear wanted support feature were voiced by 140+ integrator responses to: What improvement in manufacturer...
GDPR / ICO Complaint Filed Against IFSEC Show Facial Recognition on Jun 20, 2018
IPVM has filed a complaint against IFSEC’s parent company UBM based on our concern that the conference violates core GDPR principles on...
IFSEC 2018 Final Show Report on Jun 20, 2018
IPVM attended the IFSEC show for the first time this year. The Chinese have taken over the UK, centered on Hikvision, flanked by Dahua, Huawei and...
Mobotix Releases 'Move' Into 21st Century on Jun 20, 2018
For years, Mobotix stood resolutely against, well, every other manufacturer, selling it as a virtue: MOBOTIX equipment is designed with no...
Cybersecurity Startup VDOO Disclosing 10 Manufacturer Vulnerabilities Starting With Axis And Foscam on Jun 20, 2018
Cybersecurity startup VDOO has uncovered significant vulnerabilities in Axis cameras along with many others not yet disclosed. In this report, we...
Axis Guardian - Cloud VMS And Alarm Monitoring - Released on Jun 19, 2018
Axis has struggled to deliver a cloud-based managed service video platform. Video service providers have utilized AVHS for over a decade, and have...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact