Hikvision Vulnerability Permits Wi-Fi Attack

Author: Brian Karas, Published on Nov 28, 2017

Hikvision acknowledged a Wi-Fi cyber security vulnerability on November 27, 2017. No special passwords, text strings, or programming knowledge are required. Any attacker within Wi-Fi range of the impacted cameras can exploit this.

IPVM spoke with the researcher who discovered and reported this vulnerability. We examine the limitations, exploit potential, affected products, and Hikvision's problems in responding to the vulnerability.

********* ************* **-** ***** ******** *************** ******** **, ****. ** ******* *********, **** *******, ** programming ********* *** ********. *** ******** ****** **-** ***** ** the ******** ******* *** ******* ****.

**** ***** **** *** ********** *** ********** *** ******** **** vulnerability. ** ******* *** ***********, ******* *********, ******** ********, *** Hikvision's ******** ** ********** ** *** *************.

[***************]

Limited ****** *********

**** ************* ** ******* ** **-** ******* ***** *** **** has *** ********** **-** ********, ********** *** ******** *******. **** limits ** ** * ********** ***** ****** ** ********** *****, as **-** *******, ** ******* *** *** **** *******, *** those ***** **-** ******* *** ****** ** ********* **-**.

Exploit ********

*** ************* ** **** ***** ******* *** ***, ** *******, to ******* * ******** ******* ****** "*******", **** ** ********. An ******** *** ****** * **** ******* **** **** "*******" and * ********** ******* **** ************* ******* ** **, ******** the ******** ** ******* ** *** ******. ********* ** *** researcher, *** ********** ****** **** ** ****** **** * ** DaVinci ******* *** ** ******** **** **** ** ****** *** origin ** *** *************.

********* ****** **** *** ********* ***** *** ********:

**-**********-***, **-**********-***, **-**********-**, **-**********-**, **-********-***, **-********-***, **-*******-**, **-********-**

*** ********* ******* ***** ** ******* ** *** ** ******** can *** *** **-** ******* ****** **** ******* ******** ** a *** ** **** ****** ** ** ******** *******:

Firewalls ***********

******* *** ******** ******** **** *** ****** **-** ******* ********* on *** ******, *** ******** ********, ****, ** ***** ******* used ** ****** ******** *********** ** *** ******** **** ** the ******* ***** *** ** ******* ** *** **-** **** of *** ******, ******* ** **** ** ******.

Exploit *********

********** ** *** ********** (**** ******) ** *********, **** ** ***** ***** ******* **** ******** **** **** prevents ********* *** **-** ********* **** *** ***** **** (** to *.*.*), *** **** *** ********** ** ************ ******** *******, ****** *** ******* ********* **** **** *** ***** ** these ******* **** ******* **-** ********.

*** *********** *** *** ******** ** ** ** **-** ***** of *** ****, *** **** *** **** **** **** ******* Wi-Fi ********, ***** **** ************* **** ****** *************'* ******** *************. ** **, *******, * *********** ********* ** *********'* **** to **** ******** **** **** ******* ********.

Hikvision ***** ******** ******* ************

***** ********* ********** *********** ** ****** ***************, *** *** * specific ***** ******* *** ***** *******, ******** **** ******:

*** ********** ******* **** ******* ********* *********'* ********, ** **** 4 ******, *** ******** ******* ******** ** *** * ******** to **** **********, ***** ** **** ** *** ************* ********** post:

***** ******* ******* ******** **** ***** ********* *** ********* ******* He *** ******** ******************'* ***** ******** *******, ********* ****** ******** ******** *** ******** *********** *******, ***** ****** **** ********** **** ***** ************* ** ***** own. ************,*********'* ***** *** **** ** ***** *********** **** *** *******, ******* *** **** ** ************* **** open ****** *** ******* ******* ********.

Positive ******** **** ***** *****

*** ********** ****** **** *** ******** **** ********* ********** **** from *** ***** ******** ********* *****, **** ** ***** ** ** ******* *** ******** ********** in ********** *** *********. ** **** ***** *** * **** hire *** *********, *** ***** ********* ** **** ** ******* Hikvision's ******* ***** ******** ************** *** ************* ********** ******* *********** such ** ***** ******** ************** ******** *******.

Hikvision ** ********* ************ ** *****

******* ************* *** ****** ** ******* ***, *** ****** ******* firmware *********, ** **** ** *********** *********** ** ***** **** vulnerability, ********* *** *** ********* ****** ***** ****** *** ************* was ********* ******** ** **** **********.

Special ******** ****** ***

********* *** *** ******* ** ****'* ******* *** ********** ****** on *** ************* **********. *******, **** **** * ***** ***** our ***** ** *********, *** ******* ******** * "******* ********", reusing *** ******* **** *** ***** **** **** ***** ******* Bulletin ******** * ***** *** ** ******* ****** ******* ********* *************.:

~** ******* *****, ********* **-**** *** ******** **** * ********* subject **** *** *****:

** *** ********, ******* ** ********** ******* ** *** ************* first, ********* ****** ** ******* ***** **** ****** ******* ****** features, ****** **** *** *********** ********** **** *** ******** ********* on **** ** *** ******** *****.

** ******** ******** ******(***) ********* **** ********, ***** *** ******* ** ** ** "Information ****" ********, **** ** ****** ********:

***, *** *** ******* ******** ******, ************ ******** ****** ******** and/or ********* **-** (*** ***** **** ******** *** ****** ** support ****).

***** *** "****** ********" ******* ***** ************* ** * ***** error, *********'* ****** ** ********* *** ************* ******** *** ******* rushed ** ***** ***** ********* **** **** ****** ***** **** the ************* ***** ** ******** *********, *** ******** **. *** Hikvision **** ********** ** ***** *** ************* ********* ***** *******, and *** * ************* ******** *** ************ ******* ** *****, they ***** **** *** ***** ****** ** ******* "********* *** outreach" ******* ** ******* ** ******* ** *** ********** *** issuing *******-******** *************.

Continued ********* *********** ******

**** ************* ** ** ********* *****, **** ****** ** ********** in ******** *********** ********* ** ******** ***** ******** *****. *********,*********'* ****** *********** ******** ** *******,***** ****** *************, ****** ******** ******** *************, ***** ******, *** **** ***** ** *************** **** **** been *** ****** ** **** ******** ****** ** **************, ** choices **** ** *** ******* ** ************ ***** ******** ******** to ***** ******* ** *** ********.

Communication ************ ******

********* ***** **** ****** ************* **** *******, **** ********* *** less ********* ************* ** ***************.

Comments (15)

Scott Sheldrake

11/28/17 11:15pm

** *** ****** *** ********* **** *** **-*******-***/* *** *** DS-2DE3304W-DE ****** ******** (*** ***** ******* ** ******) ******* ****** a ****** ********. *** **** ** **** ** ******* ** the **** *************.

********* **** *** **** ******** ******* ** ***** **** ****** (xx3304xx *** ******), ** *** ******* (*** ****** ****) ** on ***** ********** *** ****. **** ******* *****'* ****, **** just ***** *** ** *** **** ****** ***** **** *** have *** ****** ******. *** *** **** *** ****** **** doesn't ****.

*** *** ********* ****** ** ** ******* *** ***** **** hacking **** **** ** *** **** **** ** ********??

**** ** ********** ******.

Thumbnail brk1

Brian Karas

IPVM | In reply to Scott Sheldrake | 11/28/17 11:38pm

***** -

**** *** *** ********** ****** **** *** ******* *** ***** hit ** ************ ******** *******, ***** ****** ******* ** ****** ** ****** ****** ******** regardless ** *** ***** ******** ********/**********. *********, **** **** ********, Hikvision ******** * *** *** ********* ** ********** ****** *********.

*** **** *** *****, *** *** *** *****. ** ******** I *** **** *** ************ ******* ***** ***** *** ****** thousands ** ******* **** **** *** *** **** ******* ** "HACKED". ****, ***** *** **'* ** ********* ** ******* **** this ************* ********* ** *** ********. * **** *** ********** how/why *** **** **** *** ***** ****** ** **** "******" are ******** ******** ** *** ****** ***** ******* ****** ** vulnerable *******.

**** ** * *** ** ***** * **** ******* ****** 1,000 ******* (***** ** *** ** ******, ** **** ****** could ** ***) ******* "******" *** *** ****** ****. *** can *** **** *** ******* ************ ** *** **, *** Europe:

Undisclosed #1

In reply to Brian Karas | 11/29/17 12:09am

********: ** **** ********* ****** **** *** **** *** ***** is ********* *** ** *** ***** ****** ***** (*.*. **** have *** **** ******* ********* ** ***** **** ******** ****), how **** *** *** ********** ******* ****** ** ** ** N ******* *** ******?

Thumbnail brk1

Brian Karas

IPVM | In reply to Undisclosed #1 | 11/29/17 12:13am

***** *** *** **** ********** *******, **** *** ********** ******* that **** **** ****** ** ******* *** *******-******** **** "******" (or "******", ** ****-*********** ********).

***** *** ** ******* ** ***** **** ******* *** ******* equivalent ** "******", *** ** ***** *** *** ******* *** alternate *********/*********, ***.

Undisclosed #1

In reply to Brian Karas | 11/29/17 12:14am

**** ***** *****... : )

Undisclosed #1

In reply to Brian Karas | 11/29/17 12:17am

*** ** *** ** ********* ****, ** *** *****?

Thumbnail brk1

Brian Karas

IPVM | In reply to Undisclosed #1 | 11/29/17 01:04am

******* ****** *** **** **** *** ********* ******* ** ***** database, ** *** ** * *** ****.

Undisclosed #1

In reply to Brian Karas | 11/29/17 02:21am

**** **** ********************? ** ***** *******?

** ***** **... ** *** ****** ******* *** ******* ***'* show ** ** **** ****** *** ******* ********* ** ****** (when ***** *** **** ** **** ***** **** ********) ** because **** ****** *** ******* ** *** ******* ******* ** the **** ******, **** *** *** ***** *** **** ****** devices ******* ** ** *********? ***** * ***** ****** **** of ***** ******* **** ***** ** *******?

Thumbnail brk1

Brian Karas

IPVM | In reply to Undisclosed #1 | 11/29/17 11:30am

*** *** ***** *** **** ****** ******* ******* ** ** Australia?

******* *** ****** ******** *** **** *** *** *** ********* cameras ** *********. * ** *** **** ** **** ** because ********* *** *** ****** *********** *****, ******* ****** ****** does *** **** *** ** *********, ** *********** **** ****** firewalls, ** ********* ****.

** *** *** *** *** ** ******, ***** ** ***** I **** ***** ** ******** ********** ******* ****, **** * can *** **** ****.

Thumbnail passfoto 4

Karsten Kirchhof

In reply to Brian Karas | 01/04/18 03:23pm

** *****,

*** ********* ** *********** *** *** ***.

***** *** *** **** ******* **** ******* *** *** ******?

**,

*******

Undisclosed Manufacturer #2

11/29/17 12:05pm

**** *** ** ******* ******** **** *** ***** ******* *** a **** ****, ** *** ***** “*” *** *** ** get *** **** ******* “*”. *** ****** **** ***** “***”.

* **** **** **** ********* *** ********* ***** **** *** audio ***** ******* *** **** ******* ********.

Undisclosed #3

12/04/17 01:19pm

******* ********* **** !!! **** * *****.

John Honovich

IPVM | 12/21/17 08:02pm

******: * *** ***** **** ********** ********* *** *** ****** that *********** ****** ** ****** *** ********:

** ******** ******** ******(***) ********* **** ********, ***** *** ******* ** ** ** "Information ****" ********, **** ** ****** ********:

***, *** *** ******* ******** ******, ************ ******** ****** ******** and/or ********* **-** (*** ***** **** ******** *** ****** ** support ****).

***************** * ********* ******:

Undisclosed Integrator #4

In reply to John Honovich | 12/21/17 08:13pm

*** ****** ********* ***** ***** ******* ******* *** **** ******* when ***'** ******* ** ** ** *** **** *** ****?

Undisclosed Manufacturer #2

In reply to John Honovich | 12/21/17 08:47pm

*** ************ ** *********.

Login to read this IPVM report.
Why do I need to log in?
IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

Related Reports on VMS

Cut Milestone Licensing Costs 80% By Using Hikvision and Dahua NVRs (Tested) on Aug 13, 2018
Enterprise VMS licensing can be quite expensive, with $200 or more per channel common, meaning a 100 camera system can cost $20,000 in VMS...
Uniview Intrusion Analytics and VMD Tested on Aug 13, 2018
IPVM's IP Camera Analytics Shootout featuring Avigilon, Axis, Bosch, Dahua, Hanwha, Hikvision created some ill will with a Uniview distributor who...
Hikvision PanoVu Mini Tested (Multi-imager + PTZ For ~$500) on Aug 07, 2018
Hikvision has released their first PanoVu Mini multi imager, the PanoVu DS-2PT3326IZ-DE3, with four 1080p imagers, including a PTZ and integrated...
Bluebox Video UK Startup Profile on Aug 06, 2018
One UK startup, Bluebox Video has designed, developed and is manufacturing their own streaming video wall appliances. To the right is a picture of...
Zenitel/ Stentofon Turbine IP Intercom Tested on Aug 06, 2018
IPVM has published reports testing an Axis door station and a Hikvision door station (tested). However, those companies are new entrants to this...
Panasonic 9MP Panoramic Fisheye Tested (WV-X4571L) on Aug 02, 2018
Panasonic has released their latest fisheye camera, the WV-X4571L, with 12MP sensor and 9MP resolution, claiming "extreme image quality" under...
Genetec Self-Discloses Critical Vulnerability on Jul 31, 2018
In an unprecedented move for the video surveillance industry, Genetec has self-disclosed a critical software vulnerability across Security Center...
Milestone / Canon Spinout Arcules Cloud Launch on Jul 30, 2018
Canon and Milestone's VSaaS Startup spinoff Arcules launched their platform at Google Cloud Next. IPVM spoke with CEO Andreas Pettersson about the...
IP Camera Analytics Shootout - Avigilon, Axis, Bosch, Dahua, Hanwha, Hikvision, Uniview on Jul 30, 2018
Video analytics are hot again. But whose analytics really work? IPVM bought and tested Avigilon, Axis, Bosch, Dahua, Hanwha and Hikvision cameras,...
Eagle Eye Networks Cloud VMS Tested on Jul 26, 2018
Eagle Eye has become one of the most significant players in the industry in the past few years: Eagle Eye's Owner Acquired Brivo Eagle Eye...

Most Recent Industry Reports

SimpliSafe Violating California, Florida, and Texas Licensing Laws on Aug 14, 2018
IPVM has verified that DIY security system provider SimpliSafe, founded in 2006 and acquired in June of 2018 at a billion dollar valuation, is...
Cut Milestone Licensing Costs 80% By Using Hikvision and Dahua NVRs (Tested) on Aug 13, 2018
Enterprise VMS licensing can be quite expensive, with $200 or more per channel common, meaning a 100 camera system can cost $20,000 in VMS...
Nortek Sues SDS, Battle Over Unpaid Bill and Cancelled Lines on Aug 13, 2018
Nortek and SDS legal battle continues. As IPVM reported, SDS sued Nortek alleging bribery and antitrust violation. However, Wave fired back at SDS,...
Uniview Intrusion Analytics and VMD Tested on Aug 13, 2018
IPVM's IP Camera Analytics Shootout featuring Avigilon, Axis, Bosch, Dahua, Hanwha, Hikvision created some ill will with a Uniview distributor who...
ADT Employees Protest ADT CEO on Aug 10, 2018
So many ADT employees were so upset with ADT's CEO speech reported on by IPVM, that ADT's CEO was forced to send a mass email to employees to...
Axis / Avigilon Legal Battle Rises on Aug 09, 2018
In what is shaping up to be high-powered, will-not-back-down battle, Axis and Avigilon are squaring off in multiple legal contests. In 2017, IPVM...
Camera Focusing Tutorial on Aug 09, 2018
A camera's focus is fundamental to quality imaging. Mistakes can cause important problems. In this guide, we explain focus issues and proper...
Dahua Ban Response: NOT Chinese Government Owned on Aug 08, 2018
Dahua has responded to the US Congress passing a US government ban on Dahua and Hikvision's products. While Dahua offered the now standard...
Bad Move: ADT Markets Rival Amazon on Aug 08, 2018
Amazon may be lining up ADT as its next victim but ADT is happy to promote Amazon. Amazon has made major moves recently, including acquiring...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact