Hikvision VMS Password Recovery Vulnerability - Emailing Admin Passwords In Plain Text

By Michael Budalich, Published Aug 28, 2017, 10:42am EDT

Hikvision iVMS-4200 suffers from a vulnerability that allows anyone local, without authentication, to generate a code that Hikvision will respond by emailing the admin password in plain text.

This is different than the Hikvision recorder cracked security codes. Because it is for the iVMS-4200, exploiting this vulnerability would provide access to all devices connected to the iVMS-4200 including Hikvision cameras and recorders, as well as any 3rd party cameras connected through those recorders.

In this report we detail the vulnerability, explaining how it can be exploited and the security problems therein.

iVMS-4200 ******** *************

*** ****-**** ****** ******** a "****** ********" ******:

******** "****** ********" ******* an "********* ******", ***** can ** ******* ** Hikvision ******* *** ******** recovery [**** ** ****** available]:

****** ** **** ** 'contact **** ******', ********* support ******* ***** ********* to ** ******* *** attempt ** ************** ** verification.

***** * ***** ****** (~30 ******* ** *** example), ********* ******* ****** the ****-**** ******'* ***** password ** ***** ****:

Multiple ******** *****

***** *** * *** security *****:

  • ** ************** *** ************
  • *** ****'* ******** ** emailed **** ** ***** text
  • ** ***** ** ******
  • ******* *********
  • *********** ********* *** ** cracked

No ************** *** ************

****** *** *** **** up ** * ******** with ****-**** ******** *** get *** ***** ******** directly. ***** ** ** email, ***** ****** ** any ***** ******* ** verify ** ************ *** requester ** **********. **** is ****** *** ****** universally ******* *******.

Plain **** ********

******** *** ******** ** plain **** ** ******* violation ** ***** ******** practices, **** ***** ***** that ******** **** *** change ** **** ***. Anyone *** *** ****** to **** *****, ****** on *** ******** ** sender's **** *** *** the ***** ******** *** the ******.

No ***** ** ******

**** ******** ******** ******* from ********* ******* **** more **** **** ******** password ******, ** ** provides *** ****** ***** password ** ** ************ person. **** ******** ***** functions, *** ***** ******** gets ***** ** * new *****, ******** ******** legitimate ***** **** ********* may ** ***** **** their ******** ***** *******.

Reusing *********

***** ******* ********* ****** devices ** *** ********, it ** ******. ** the ****** *** ***** the ****-**** *********** **** the **** ***** ******** on ***** ******* ** applications, *** ******** *** has *** ***** ******** to * ******* ** devices. **** ** *** iVMS-4200 ***** ******** ** unique, ********* *** ********* password *** ******* ***** into *** *** **** chooses *********, ****** ** easier ** **** ************ access ** ***** *******.

Recoverable ********* *** ** *******

*********'* '********* ******' *** the ******** *** ** cracked. ** *********** ******** analyst *** **** ** determine *** ********* ******* about *** ******* ****** a *** *****:

*** ***** ******** ** encrypted **** *** ** ECB ****, *** ** then ****** *******, ******* adding "***" *** "***". This ** *********** *** the **** ** ******* and ******** **** ******* passphrases. *** ** *** mode ** *********** ** a ********* ******** ******, allowing ** ******** ** determine *** *********, ******, and ******* ****** *** ciphertext. ** * ******, the ******** ***** ** able ** ********* *** key/password **** *** ********** and ***** **** ******* the **** *********.

** *********'* ******** ********** scheme **** *******, ********* could ** ******** ******* the **** ** ******* Hikvision *******, ****** ** even ****** *** ****** for ****-**** ******* ** be ***********.

Risk ** ********** ** ******** ********* *************

*** ***** ***** ******** users ***** *** **** PC/iVMS-4200 ************, ** ** effectively ********** ** ******** secure *** ******** **** lower-level ***** ********* *** admin ******** "********* ******" and ******* ** ** Hikvision ******* ** ******** the ***** ********.

********* *** ****** ********** user ********, ****** ** enterprises *** ****** *************, therefore ***** ********** ** risk ** ********* ********** admin ********* ******* **** vulnerability.

Hikvision

**** ***** ********* ** passwords *** ***** *********/******** were ****** ** * similar ****** ***** ********* passwords *** ***********, *** there ** * *** for ***** ** ******* the ******** ******** ** iVMS-4200. ********* *** *********** receipt ** *** *********, but *** *** ***** a ********, ** ************ when * ******** ***** be ********.

******

***** ********* *** *** respond ** *** ***** (sent ****** ****), **** released * "******* ********" and ******* ******* ** iVMS-4200 ***** (****** ****):

Mitigating ******** ******** ****

******* ********* ***** ** so **** *** ** unauthorized **** ** ******** an ****-**** ***** ********, users ** *** *********** need ** ******* ******* unauthorized ****** ** *** application. ****** ****** **** a **** ***** ******** and ******** ****** *********** should ** **** ** prevent ************ ***** **** launching *** *** *** retrieving *** ******** ***** code.

Hikvsion **** ******** ********

****** ********* ****** ** "understand *** ********** ** information ********" [**** ** longer *********], ***** ******* continually ***** *********. *************** have **** ***** ***********'* ****** ***,***** ********,*******/*********, *** *** ** application. ***** ********** *************** show **** *** ******* does *** ***** *********** security/cyber ******** ** * top ********, ****** * responsive ******* ** ********* approach ** ******** *********** security. ** ** ****** likely **** ***** ******* lines, **** ** ****** control ** *********, **** similar *************** **** *** customers ** ****. ***** of ********* ******** ** software ****** ******** ***** products **********, *** *** appropriate ******* ** ******* against ******** *** ******** exploit *************.

Comments (11)

Undisclosed Integrator #1

08/28/17 05:22pm

(Insert Hikvision Special Bulletin security fix email here) 

Avatar

Brian Karas

IPVM | 08/28/17 05:35pm

While Hikvision did not respond to our email (sent August 24th), they released a "Special Bulletin" and updated version of iVMS-4200 today (August 28th):

 

iVMS-4200 Updated Software Download 

Avatar

Brian Karas

IPVM | 08/28/17 07:11pm

In addition to removing the "Forgot Password" function, Hikvision has stopped issuing password recovery requests. A request submitted after this report was released received the following response from Hikvision:

The response did not make it clear that the function/support was removed, nor did they recommend downloading the latest release with the "upgraded security structure".

 

 

Marty Calhoun

IPVMU Certified | 09/03/17 05:40pm

Moot Point

Enterprise level customers would not be using the iVMS4200 platform, it is more realistic to use Hik-Central.

Undisclosed #2

IPVMU Certified | In reply to Marty Calhoun | 09/03/17 05:48pm

...it is more realistic to use Hik-Central.

Is that even a VMS?

Marty Calhoun

IPVMU Certified | In reply to Undisclosed #2 | 09/04/17 12:00am

It is a CMS solution. Centralized Management System not to be confused with a VMS OR  iVMS-4200.

Go ahead throw water on it, blame the Chinese government, blame all cyber-security problems over the last (10) years on Hik, throw the Kitchen sink at it, bring up everything that has been resolved but god forbid a non-partisan discussion of the software and its abilities without the 'Headline of the week' approach.

 

John Honovich

IPVM | In reply to Marty Calhoun | 09/03/17 11:54pm

Marty,

Hik-Central was just released in the past few months which means very few customers, enterprise or otherwise are using Hik-Central.

Btw, what security vulnerability testing has Hik-Central been put through?

Undisclosed #2

IPVMU Certified | In reply to John Honovich | 09/04/17 12:14am

Enterprise level customers would not be using the iVMS4200 platform, it is more realistic to use Hik-Central. - M.C.

... very few customers, enterprise or otherwise are using Hik-Central. - J.H.

Both of these cannot be true, unless Hikvision has very few enterprise customers.

John Honovich

IPVM | In reply to Undisclosed #2 | 09/04/17 12:28am

Marty is implying that enterprise level customers should be using Hik-Central.

Whether they should use Hik-Central or not, it just reached general availability less than 2 months ago:

So the reality is, regardless of what their customers should be using, overwhelming customers, enterprise or not, are using iVMS-4200 since Hik-Central is brand new.

Of course, raising Hik-Central is simply a smokescreen to the fact that Hikvision's poor cybersecurity policy allowed emailing admin passwords in plain test. 

Undisclosed #2

IPVMU Certified | In reply to John Honovich | 09/04/17 12:39am

Marty is implying that enterprise level customers should be using Hik-Central.

And so the Point only should be Moot.

John Honovich

IPVM | In reply to Marty Calhoun | 09/03/17 11:59pm

Moot Point

How would it be a 'moot point' to send admin passwords in plain text to anyone?

Marty, you are welcome to say what you want but these type of responses reinforces that Hikvision and their dealers are not serious about cyber security and engage in shameful excuses.

Read this IPVM report for free.

This article is part of IPVM's 6,805 reports, 913 tests and is only available to members. To get a one-time preview of our work, enter your work email to access the full article.

Already a member? Login here | Join now
Loading Related Reports