Hikvision VMS Password Recovery Vulnerability - Emailing Admin Passwords In Plain Text

By Michael Budalich, Published on Aug 28, 2017

Hikvision iVMS-4200 suffers from a vulnerability that allows anyone local, without authentication, to generate a code that Hikvision will respond by emailing the admin password in plain text.

This is different than the Hikvision recorder cracked security codes. Because it is for the iVMS-4200, exploiting this vulnerability would provide access to all devices connected to the iVMS-4200 including Hikvision cameras and recorders, as well as any 3rd party cameras connected through those recorders.

In this report we detail the vulnerability, explaining how it can be exploited and the security problems therein.

iVMS-4200 ******** *************

*** ****-**** ****** ******** a "****** ********" ******:

******** "****** ********" ******* an "********* ******", ***** can ** ******* ** Hikvision ******* *** ******** recovery [**** ** ****** available]:

****** ** **** ** 'contact **** ******', ********* support ******* ***** ********* to ** ******* *** attempt ** ************** ** verification.

***** * ***** ****** (~30 ******* ** *** example), ********* ******* ****** the ****-**** ******'* ***** password ** ***** ****:

Multiple ******** *****

***** *** * *** security *****:

  • ** ************** *** ************
  • *** ****'* ******** ** emailed **** ** ***** text
  • ** ***** ** ******
  • ******* *********
  • *********** ********* *** ** cracked

No ************** *** ************

****** *** *** **** up ** * ******** with ****-**** ******** *** get *** ***** ******** directly. ***** ** ** email, ***** ****** ** any ***** ******* ** verify ** ************ *** requester ** **********. **** is ****** *** ****** universally ******* *******.

Plain **** ********

******** *** ******** ** plain **** ** ******* violation ** ***** ******** practices, **** ***** ***** that ******** **** *** change ** **** ***. Anyone *** *** ****** to **** *****, ****** on *** ******** ** sender's **** *** *** the ***** ******** *** the ******.

No ***** ** ******

**** ******** ******** ******* from ********* ******* **** more **** **** ******** password ******, ** ** provides *** ****** ***** password ** ** ************ person. **** ******** ***** functions, *** ***** ******** gets ***** ** * new *****, ******** ******** legitimate ***** **** ********* may ** ***** **** their ******** ***** *******.

Reusing *********

***** ******* ********* ****** devices ** *** ********, it ** ******. ** the ****** *** ***** the ****-**** *********** **** the **** ***** ******** on ***** ******* ** applications, *** ******** *** has *** ***** ******** to * ******* ** devices. **** ** *** iVMS-4200 ***** ******** ** unique, ********* *** ********* password *** ******* ***** into *** *** **** chooses *********, ****** ** easier ** **** ************ access ** ***** *******.

Recoverable ********* *** ** *******

*********'* '********* ******' *** the ******** *** ** cracked. ** *********** ******** analyst *** **** ** determine *** ********* ******* about *** ******* ****** a *** *****:

*** ***** ******** ** encrypted **** *** ** ECB ****, *** ** then ****** *******, ******* adding "***" *** "***". This ** *********** *** the **** ** ******* and ******** **** ******* passphrases. *** ** *** mode ** *********** ** a ********* ******** ******, allowing ** ******** ** determine *** *********, ******, and ******* ****** *** ciphertext. ** * ******, the ******** ***** ** able ** ********* *** key/password **** *** ********** and ***** **** ******* the **** *********.

** *********'* ******** ********** scheme **** *******, ********* could ** ******** ******* the **** ** ******* Hikvision *******, ****** ** even ****** *** ****** for ****-**** ******* ** be ***********.

Risk ** ********** ** ******** ********* *************

*** ***** ***** ******** users ***** *** **** PC/iVMS-4200 ************, ** ** effectively ********** ** ******** secure *** ******** **** lower-level ***** ********* *** admin ******** "********* ******" and ******* ** ** Hikvision ******* ** ******** the ***** ********.

********* *** ****** ********** user ********, ****** ** enterprises *** ****** *************, therefore ***** ********** ** risk ** ********* ********** admin ********* ******* **** vulnerability.

Hikvision

**** ***** ********* ** passwords *** ***** *********/******** were ****** ** * similar ****** ***** ********* passwords *** ***********, *** there ** * *** for ***** ** ******* the ******** ******** ** iVMS-4200. ********* *** *********** receipt ** *** *********, but *** *** ***** a ********, ** ************ when * ******** ***** be ********.

******

***** ********* *** *** respond ** *** ***** (sent ****** ****), **** released * "******* ********" and ******* ******* ** iVMS-4200 ***** (****** ****):

Mitigating ******** ******** ****

******* ********* ***** ** so **** *** ** unauthorized **** ** ******** an ****-**** ***** ********, users ** *** *********** need ** ******* ******* unauthorized ****** ** *** application. ****** ****** **** a **** ***** ******** and ******** ****** *********** should ** **** ** prevent ************ ***** **** launching *** *** *** retrieving *** ******** ***** code.

Hikvsion **** ******** ********

****** ********* ****** ** "understand *** ********** ** information ********" [**** ** longer *********], ***** ******* continually ***** *********. *************** have **** ***** ***********'* ****** ***,***** ********,*******/*********, *** *** ** application. ***** ********** *************** show **** *** ******* does *** ***** *********** security/cyber ******** ** * top ********, ****** * responsive ******* ** ********* approach ** ******** *********** security. ** ** ****** likely **** ***** ******* lines, **** ** ****** control ** *********, **** similar *************** **** *** customers ** ****. ***** of ********* ******** ** software ****** ******** ***** products **********, *** *** appropriate ******* ** ******* against ******** *** ******** exploit *************.

Comments (11)

Undisclosed Integrator #1

08/28/17 05:22pm

(Insert Hikvision Special Bulletin security fix email here) 

Avatar

Brian Karas

IPVM | 08/28/17 05:35pm

While Hikvision did not respond to our email (sent August 24th), they released a "Special Bulletin" and updated version of iVMS-4200 today (August 28th):

 

iVMS-4200 Updated Software Download 

Avatar

Brian Karas

IPVM | 08/28/17 07:11pm

In addition to removing the "Forgot Password" function, Hikvision has stopped issuing password recovery requests. A request submitted after this report was released received the following response from Hikvision:

The response did not make it clear that the function/support was removed, nor did they recommend downloading the latest release with the "upgraded security structure".

 

 

Marty Calhoun

IPVMU Certified | 09/03/17 05:40pm

Moot Point

Enterprise level customers would not be using the iVMS4200 platform, it is more realistic to use Hik-Central.

Undisclosed #2

IPVMU Certified | In reply to Marty Calhoun | 09/03/17 05:48pm

...it is more realistic to use Hik-Central.

Is that even a VMS?

Marty Calhoun

IPVMU Certified | In reply to Undisclosed #2 | 09/04/17 12:00am

It is a CMS solution. Centralized Management System not to be confused with a VMS OR  iVMS-4200.

Go ahead throw water on it, blame the Chinese government, blame all cyber-security problems over the last (10) years on Hik, throw the Kitchen sink at it, bring up everything that has been resolved but god forbid a non-partisan discussion of the software and its abilities without the 'Headline of the week' approach.

 

John Honovich

IPVM | In reply to Marty Calhoun | 09/03/17 11:54pm

Marty,

Hik-Central was just released in the past few months which means very few customers, enterprise or otherwise are using Hik-Central.

Btw, what security vulnerability testing has Hik-Central been put through?

Undisclosed #2

IPVMU Certified | In reply to John Honovich | 09/04/17 12:14am

Enterprise level customers would not be using the iVMS4200 platform, it is more realistic to use Hik-Central. - M.C.

... very few customers, enterprise or otherwise are using Hik-Central. - J.H.

Both of these cannot be true, unless Hikvision has very few enterprise customers.

John Honovich

IPVM | In reply to Undisclosed #2 | 09/04/17 12:28am

Marty is implying that enterprise level customers should be using Hik-Central.

Whether they should use Hik-Central or not, it just reached general availability less than 2 months ago:

So the reality is, regardless of what their customers should be using, overwhelming customers, enterprise or not, are using iVMS-4200 since Hik-Central is brand new.

Of course, raising Hik-Central is simply a smokescreen to the fact that Hikvision's poor cybersecurity policy allowed emailing admin passwords in plain test. 

Undisclosed #2

IPVMU Certified | In reply to John Honovich | 09/04/17 12:39am

Marty is implying that enterprise level customers should be using Hik-Central.

And so the Point only should be Moot.

John Honovich

IPVM | In reply to Marty Calhoun | 09/03/17 11:59pm

Moot Point

How would it be a 'moot point' to send admin passwords in plain text to anyone?

Marty, you are welcome to say what you want but these type of responses reinforces that Hikvision and their dealers are not serious about cyber security and engage in shameful excuses.

Read this IPVM report for free.

This article is part of IPVM's 6,599 reports, 889 tests and is only available to members. To get a one-time preview of our work, enter your work email to access the full article.

Already a member? Login here | Join now

Related Reports

Risks Of Managing End User Passwords (Statistics) 2020 on Sep 11, 2020
Alarmingly, most integrators used spreadsheets to manage passwords, IPVM...
Ubiquiti Access Control Tested on Oct 21, 2020
Ubiquiti has become one of the most widely used wireless and switch providers...
US GSA Explains NDAA 889 Part B Blacklisting on Jul 31, 2020
With the 'Blacklist Clause' going into effect August 13 that bans the US...
Keypads For Access Control Tutorial on Jul 28, 2020
Keypad readers present huge risks to even the best access systems. If...
Verkada Access Control Tested on Sep 09, 2020
Verkada raised $80 million earlier in 2020, expanding from video into access...
Remote Network Access for Video Surveillance Guide on Jul 27, 2020
Remotely accessing surveillance systems is key in 2020, with more and more...
Access Control Levels and Schedules Tutorial on Sep 29, 2020
Configuring access levels and setting up schedules is central to maintaining...
Drain Wire For Access Control Reader Tutorial on Sep 23, 2020
An easy-to-miss cabling specification plays a key role in access control, yet...
The Insecure Verkada Access Control System on Jun 25, 2020
While Verkada touts the security of its system and that how their new door...
Favorite Access Control Credentials 2020 on Sep 15, 2020
Credential choice is more debated than ever, with hacking risk for 125kHz and...
Verkada Disruptive Embedded Live Help on Sep 24, 2020
Call up your integrator? Have someone come by the next day? Verkada is...
Uniview Deep Learning Camera Tested on Jul 14, 2020
Uniview's intrusion analytics have performed poorly in our shootouts. Now,...
Access Control and Video Integration Statistics 2020 on Oct 08, 2020
Video Surveillance and Access Control are two of the most common security...
Dangerous Hikvision Fever Screening Marketing In Africa on Sep 15, 2020
A multi-national African Hikvision distributor is marketing dangerously...
Free Online NFPA, IBC, and ADA Codes and Standards 2020 on Sep 03, 2020
Finding applicable codes for security work can be a costly task, with printed...

Recent Reports

Bedside Cough and Sneeze Detector (Sound Intelligence and CLB) on Oct 28, 2020
Coronavirus has increased interest in detecting symptoms such as fever and...
Fever Tablet Thermal Sensors Examined (Melexis) on Oct 28, 2020
Fever tablet suppliers heavily rely on the accuracy and specs of...
Verkada Fires 3 on Oct 28, 2020
Verkada has fired three employees over an incident where female colleagues...
Recruiters Online Show LIVE Thursday! on Oct 27, 2020
IPVM's 7th online show resumes Thursday with 12 recruiters presenting...
Eagle Eye Networks Raises $40 Million on Oct 27, 2020
Eagle Eye has raised $40 million aiming to "reinvent video...
Hikvision Q3 2020 Global Revenue Rises, US Revenue Falls on Oct 27, 2020
While Hikvision's global revenue rises driven by domestic recovery, its US...
VICE Investigates Verkada's Harassing "RawVerkadawgz" on Oct 26, 2020
This month, IPVM investigated Verkada's sexism, discrimination, and cultural...
Six Flags' FDA Violating Outdoor Dahua Fever Cameras on Oct 26, 2020
As Six Flags scrambled to reopen parks amid plummeting revenues caused by the...
ISC Brasil Digital Experience 2020 Report on Oct 23, 2020
ISC Brasil 2020 rebranded itself to ISC Digital Experience and, like its...
Top Video Surveillance Service Call Problems 2020 on Oct 23, 2020
3 primary and 4 secondary issues stood out as causing the most problems when...
GDPR Impact On Temperature / Fever Screening Explained on Oct 22, 2020
What impact does GDPR have on temperature screening? Do you risk a GDPR fine...
Security And Safety Things (S&ST) Tested on Oct 22, 2020
S&ST, a Bosch spinout, is spending tens of millions of dollars aiming to...
Nokia Fever Screening Claims To "Advance Fight Against COVID-19" on Oct 22, 2020
First IBM, then briefly Clorox, and now Nokia becomes the latest Fortune 500...
Deceptive Meridian Temperature Tablets Endanger Public Safety on Oct 21, 2020
IPVM's testing of and investigation into Meridian Kiosk's temperature...
Honeywell 30 Series and Vivotek NVRs Tested on Oct 21, 2020
The NDAA ban has driven many users to look for low-cost NVRs not made by...