Cracked ******* ********
*** **** ********* ** distributed ** * ***** (53KB) ******* **********. ** does *** ******* *** installation *** *** ** run ******** ******* ************* access ** *** ******* requirements. ** *** *** distributing *** *******, ** it ******** * ******** risk ** ********* *****.
** *** ******* ** the **** *********, *** starts **** ******** *** IP ******* ** *** Hikvision ********:

****, **** *** ** address ** ******** ** being * ********* ****** you *** ***** *** serial ****** ** *** unit, *** *** **** you **** ** ******** a ***** **** ***. From **** ****, *** software ******* * ******** code **** *** ** used ** ***** *** admin ********:

*** **** *** **** be **** ** *** recorders ******* ** **** out *** ***** ******** and *** * *** one, ** ***** ***** on *** **** ****:


* ******* ** *** software ** ************ ** a ******* *****:
[******] - *** ******** author ******* *** *****, he *** *** ******* a ***** *********** ****** his ****** *** ***** so.
***** **** *****, *** author ***** *** ******* to ******* *** ****, to ******** ***** *** future *****, ** ** case *** ****** **** of *** **** *** incorrect.
Feedback **** ******* ******* ******
*** ****** ** *** software, ***** [**** ** longer *********]******, **** ** did *** ****** *** tool *** *******, *** instead ** **** ******, and **** *********** *** his ******* *******. ** says ** ** ******* on ******** *** ******** to ******* ***** ***** for **** ********* *******, as ** ********* **** works *** *********. ** also ****** **** ******* assistance *** ********* ****[****** - *** ****** removed *** ******** **** as ****].
Works ** *** *-***, ****** ***** ****
**** ******** **** *** security **** ***** ******* works ** ** *** W-Box ******** ***** **-*******, including ******* **** *** local ******* / **** on ***** ******** ** shown ** *** ********** below:

** *** ****** *-*** firmware (*.*.*) *** ***** also ******, *** ******* to *** ********* ******** it *** ** ** entered ** *** ********* local *******.
** ******* **** ************** **** (** ***** there *** ****** **+)*** ******** ** **** as ****.
[******: *-*** ***** **** in**.*.* ***** ****** (******** here). *** ****** ** request *** **** *** been *******.]
Benefits ** ********* ******* / ********
********* ******* *** ******** can ****** ***** **** support ***** *** **** by ********* **** ******* and ***** ******** ****** by **********, ****** **** having ** ******* *** wait *** ********* ** respond.
Benefits ** ********* ***********
********* ***********, **** *********** and *************, *** **** end ***** *** ******** Hikvision ** ** ***** this ******* ** ****** Hikvision *********. ** ***** for * ******** **-**** demonstration, ********** ***** ********* has ******** *** *********** of ****** ********* **** can *** ** ****** overridden.
Detrimental ** ********** ********* *****
*********'* ** *** ****** operation ******** **** ****-****** sellers (******, *******, ***.) often ******** *** **** equipment ** ***** ******. One ********* *********'* ********** team ****** ** *** ability ** *** ******** Hikvision ******* *******, **** as *** ***** ******** resets. ** ********* **** tool, ******* *** ******* their *** ******** ****** for ********* ******* ******* to ******* ********* *******, reducing ***** ********* ** buy ******* ********** ********.
Cannot ** ********
*************, *** '******** ****' feature ** **** ***** into ********* ********* *** cannot ** ********. ** have ******** **** ********* if ** **** **** would *** **** ****** to ***** ***** ** close **** *************.
Atypical *** ******* *************
*** ***** ******** ***** concept ** **** ******* of ******* *********. ***** has * ******* '***** password' *******, *** ** enterprising*********** ******* *** ******** master ******** *****, *** ********* **** Avigilon, *******, *********, ***. do *** ***** * person ** **** ** to *** ******** *** wipe *** *** ***** password **** ******* *****.
Cybersecurity ******** *** *********
************* *** **** ** ongoing ***** *** *********. The *********** *** ***** passwords ** ** ***** at ***, *** ******* any ********* **********, ** an ***** ******. ****** the ***** **** ********* widely ********* ***** *** systems **** **** ******. Hikvision *** ************************** **** **** ************* seriously, *** **** ***** features **** ***** ******** that ***** ***** ********* to ** ***** *** easily, *** ******* **** notifying ***** **** **** occurred.
********** *********, ***** ********* is ****** ** ****** their ********, **** *************** like ****** ***** ******** resets ** ****** ***********, and **** ***** ****** any ******* **** ****** such **** ********.
UPDATE - **** ******* ** ******** *****
**** ****, ****** *** and ******** ** *** form ** * ******* executable ********* ********** ** previous **********-***** ********, ******** of *****:
*** ******* ****** **** all ** ***** ***** produced *** **** ****** from * ***** ****** number/date ******. ****** *********** ** *** ********* tool ********* ** *** not **** ** ***** firmware, *** ***** ***** that ** **** ***** work ** ****** ******** firmware, ** ** ****** on **.*.*.
*** ******* *** ********** tools (*** ********** *** Windows-based ****) *** ** compute ***** ***** ***** is ***** *****, ********** some **** **** *** device's ****** ****** *** date ******** ** ********** by * '***** ******', with *** ****** ** the '***** ******' **** converted ** ***** ********** that *** ** ******* on * ******** ********:

Update * - ********* ******** **** "******** ***** ******"
** ****** **, ****, Hikvision **** * '******* Bulletin' ***** * **** ******** entitled "********* ***/*** ******** Reset ******". ** ******** * history ** ******** ********** to ******** ********* ****** various *********. ** **** requested * **** **** Hikvision ********* *************** ** go ******* *** ******* and **** ** ****** the **** ***********.
*** ********* *****:
(*) ********* ****** ** the ******** ***** ** "so-called ********* '******** ****'". To ** *****, ** use *** **** '******** code' ******* **** ** Hikvision's *** **** *** this *******, *.*., *** excerpt ** ********* ********* calling ** * '******** ****'.
(*) ********* ******* ****** nor ******** **** ***** security **** *** *******. Rather **** ********* * newer ******** **** ***** overcome **** *******. **** approach ** **** ** will ** ********* ** detail **** ********* *** then ******* ** ******.
Update * - ****/*** ******** ** ********* ******** *** *** ******
*** ******** ** *********'* response *** **** ********:********* ******** ** ******* Security *****
Comments (59)
Sean Nelson
08/09/17 03:28am
A reset button on the physical motherboard would be the best option to alleviate this issue. It would be secure, effective, and would reduce tech support costs as well
Create New Topic
Undisclosed Integrator #1
To be clear, does this only work locally on the LAN or is there a way to use this remotely as well? I don't think the SADP tool works remotely but I want to make sure I understand that part accurately
Create New Topic
Brian Karas
UPDATE -
Added some additional detail to the Cracked Program Overview section:
The code generator is distributed as a small (53KB) Windows executable. It does not require any installation and can be run directly without administrator access or any special requirements. We are not distributing the program, as it presents a security risk to Hikvision users.
Create New Topic
Undisclosed Integrator #2
Hey Brian,
How does this program differ from the"HikVision Password Reset Tool" that is currently on ipcamtalk? From what I can determine it looks like it is just a different GUI from what they have posted on their webpage.
https://ipcamtalk.com/pages/hikvision-password-reset-tool/
Create New Topic
Create New Topic
Steven Burman
To be fair, HIK is not he only manufacturer with a back door around a password. I had a client lose the password to their Bosch Dibos DVR, and the factory provided a work-around which allowed me to reset to default. Granted, this was around 2003 or so, but I'm sure some manufacturers still do things this way.
Create New Topic
Steven Burman
Yes, as mentioned in my post, a 2003 anecdotal reference has questionable validity in 2017, however, I wouldn't be surprised to find this is still a practice even for non-Chinese companies. And I do recall that the only change to the Bosch unit was a resetting of the password, all data was left intact. A final note, saying that there is a difference based upon what "should be" and "hopefully" is happening doesn't validate any difference.
Create New Topic
Undisclosed Integrator #3
This used to be the way. I am pretty sure that this method works for 90% of the Hikvision devices out in the field. I have used IPCAMTALK's tool mostly to reset admin password but lately with newer Hikvision's firmware, 5.4.x(these are for cameras), the method discussed here no longer works.
On a NEWER Hikvision firmware, one would have to export a xml file from the camera/dvr using SADP on a local network, then, send it over to Hikvision Techsupport. Hikvision Techsupport would email you back a one time reset file that you can import back using SADP, then the admin password would be reset.
Hikvision did made sure that my cameras were purchased through authoirzed re sellers such as ADI before assisting me further.
Create New Topic
Brian Karas
UPDATE -
Added some additional detail to the W-Box test session to list the model number tested (0E-41TP1UN) and to clarify that it worked over SADP for older firmware, and via local console only for newest/latest firmware, 3.4.2.
Create New Topic
Undisclosed Integrator #1
This is starting to sound like old news. The online generator for older cameras and firmware has been online for years. Newer firmware has fixed that. When I first read this I was thinking someone had cracked the new way to reset password but that's not the case.
The only problem here is that some devices still can have their passwords reset the old way because they're running old firmesre, is that correct?
Create New Topic
Undisclosed Integrator #5
I don't believe Hikvision is the only manufacturer who has a way to take over a recorder without having the password codes. I have used others who have back doors when passwords are lost or forgotten so we can get back into the recorders - (this includes some access control manufacturers as well). If I arrive at a competitors site running these recorders I know I can take them over within minutes. You do have to be onsite (or remotely logged in to the local server with a TeamViewer type program) and within minutes have all passwords reset to defaults then changed to our standard password protocols. For 1 manufacturer I keep the back door instructions on my phone so I don't have to call tech support to help me back door in - and I'm not a tech I'm in sales! So it isn't just a Hikvision issue, the reported way may be a different way to do it, but its possible to get into other recorders without knowing the passwords.
Additionally, who would the end user be worried about with this code cracking information. Seems that the hacker needs to be onsite - so it's unlikely an unknown person would be the culprit, and what's the chance that a known person would have the right skillset to pull it off - outside of the IT department - who may already have the passwords.
Create New Topic
John Honovich
Note: Based on discussion here, we have started a new topic - Forgot Recorder Password, How To Recover?
Also, we are checking on the comment made about Dahua recovery method. Any inputs on other manufacturers, please add to this topic.
Create New Topic
Undisclosed Manufacturer #6
I think that the issue is that their method of password recovery is considered a back door. This has been discussed here recently.
Many manufacturers I have worked with, when you default the device, all programming is wiped, so that an attacker doesn't get access to the settings. This way to someone watching the monitor, etc all appears normal while they p0wned it in the network side.
Here, the reset simply wipes the password giving you full access to the system as it was previously configured.
For best cyber security practices, this should be restricted to requiring physical access or out-of-bounds (OOB) access. A network device shouldnt allow a reset over the network.
Think about Cisco or other brand switches. You need physical access to press a button sequence and a console cable for local rs232 access.
Create New Topic
Joseph Marotta
Hikvision just sent out an email Special Bulletin regarding this issue. In it they said:
"The update is intended to clear up any misunderstandings stemming from an Aug. 9 online report of a so-called Hikvision 'security code' being 'cracked' via a security-code generating software program."
You don't think they are referring to IPVM's article, do you?! :^P
Create New Topic
Brian Karas
UPDATE:
Hikvision has responded, though not directly to us, they did send a Special Bulletin email out. We have updated the report to reflect this:
Hikvision Responds With "Password Reset Update"
On August 10, 2017, Hikvision sent a 'Special Bulletin' with a 2 page document entitled "Hikvision NVR/DVR Password Reset Update". It explains a history of evolving approaches to reseting passwords across various recorders. We have requested a call with Hikvision technical representatives to go through the details and plan to update the post accordingly.
Two immediate notes:
(1) Hikvision refers to the security codes as "so-called Hikvision 'security code'". To be clear, we use the term 'security code' because that is Hikvision's own term for this feature, e.g., see excerpt of Hikvision documents calling it a 'security code'.
(2) Hikvision neither denies nor confirms that their security code was cracked. Rather they emphasize a newer approach that would overcome this problem. This approach is what we will be reviewing in detail with Hikvision and then posting an update.
Create New Topic
Undisclosed Manufacturer #6
The update clearly misses the mark. 1) The units CAN be reset by Hik or ANYONE else with the algorithm, which clearly has been cracked. As mentioned above, they don't want to really acknowledge that these codes exist, and anyone can call in and get one generated. 2) They want you to send them a GUID key. A properly locked down IP device that requires user authentication will NOT allow you to download this file via SADP, since you don't know the password and have not been authenticated. The only thing that should be exposed is by the discovery tool/protocol - IP address and that is it...
I believe the generic term for these types of codes are "One Time Use Passwords" meaning that they are based on the time/date of the unit and will expire in 24 hours. Of course, from the screenshot, HIK seems to be providing the codes for a few days, again making it even more dangerous.
Create New Topic
Undisclosed Integrator #10
You can crack a windows machine admin login as well. Nothing new here.
Create New Topic
Brian Karas
UPDATE -
We had a technical update call with Hikvision on Friday August 11th to discuss the security code crack, and steps Hikvision has taken to make it more challenging to crack the security code. We will be publishing a new report tomorrow (August 15th) with our analysis of Hikvision's updated admin password reset process.
Create New Topic
Brian Karas
Update - Good/Bad Analysis Of Hikvision Response And New Method
Our analysis of Hikvision's response and the new password reset method has been released: Hikvision Responds To Cracked Security Codes
Create New Topic
Dawid Adamczyk
I guess you "like" HIK much. Try to test Dahua agains RAT cctv super password -gaining access to Dahua DVR/NVR is more than easy.
Create New Topic
John Honovich
UPDATE: W-Box fixed this in V3.4.2 build 170816 (download here). The option to request the code has been removed.
Create New Topic
John Honovich
Update: Our new Interlogix test shows Interlogix recorders are still vulnerable to the cracked security code process:
Interlogix recorders' passwords may be reset using the Hikvision security code generator detailed in our report Hikvision Security Code Cracked. Entering a code from this tool in TruVision Device Manager resets the password to default (admin/1234). Note that Hikvision and other OEMs have removed this capability in new firmware.
Create New Topic