Hikvision Security Code Cracked

By IPVM Team, Published on Aug 08, 2017

Hikvision's 'security code' feature has been cracked and a program generating security codes is being distributed online. IPVM has obtained and tested this program, verifying that it works.

Hikvision 'security code' allows unauthenticated users to access Hikvision recorders locally regardless of the admin password strength. Hikvision has used this as a tech support feature, as we covered and explained in this report.

Hikvision has historically called this 'security code' or 'security codes', e.g.:

Now, anyone with this program can generate a security code that resets the admin password and takes over the Hikvision recorder. Hikvision does not allow disabling this 'security code' feature.

Inside this note, we show how the program works, what it does and what risks it poses.

Cracked ******* ********

*** **** ********* ** distributed ** * ***** (53KB) ******* **********. ** does *** ******* *** installation *** *** ** run ******** ******* ************* access ** *** ******* requirements. ** *** *** distributing *** *******, ** it ******** * ******** risk ** ********* *****.

** *** ******* ** the **** *********, *** starts **** ******** *** IP ******* ** *** Hikvision ********:

****, **** *** ** address ** ******** ** being * ********* ****** you *** ***** *** serial ****** ** *** unit, *** *** **** you **** ** ******** a ***** **** ***. From **** ****, *** software ******* * ******** code **** *** ** used ** ***** *** admin ********:

*** **** *** **** be **** ** *** recorders ******* ** **** out *** ***** ******** and *** * *** one, ** ***** ***** on *** **** ****:

* ******* ** *** software ** ************ ** a ******* *****:

[******] - *** ******** author ******* *** *****, he *** *** ******* a ***** *********** ****** his ****** *** ***** so.

***** **** *****, *** author ***** *** ******* to ******* *** ****, to ******** ***** *** future *****, ** ** case *** ****** **** of *** **** *** incorrect.

Feedback **** ******* ******* ******

*** ****** ** *** software, ***** [**** ** longer *********]******, **** ** did *** ****** *** tool *** *******, *** instead ** **** ******, and **** *********** *** his ******* *******. ** says ** ** ******* on ******** *** ******** to ******* ***** ***** for **** ********* *******, as ** ********* **** works *** *********. ** also ****** **** ******* assistance *** ********* ****[****** - *** ****** removed *** ******** **** as ****].

Works ** *** *-***, ****** ***** ****

**** ******** **** *** security **** ***** ******* works ** ** *** W-Box ******** ***** **-*******, including ******* **** *** local ******* / **** on ***** ******** ** shown ** *** ********** below:

** *** ****** *-*** firmware (*.*.*) *** ***** also ******, *** ******* to *** ********* ******** it *** ** ** entered ** *** ********* local *******.

** ******* **** ************** **** (** ***** there *** ****** **+)*** ******** ** **** as ****.

[******: *-*** ***** **** in**.*.* ***** ****** (******** here). *** ****** ** request *** **** *** been *******.]

Benefits ** ********* ******* / ********

********* ******* *** ******** can ****** ***** **** support ***** *** **** by ********* **** ******* and ***** ******** ****** by **********, ****** **** having ** ******* *** wait *** ********* ** respond.

Benefits ** ********* ***********

********* ***********, **** *********** and *************, *** **** end ***** *** ******** Hikvision ** ** ***** this ******* ** ****** Hikvision *********. ** ***** for * ******** **-**** demonstration, ********** ***** ********* has ******** *** *********** of ****** ********* **** can *** ** ****** overridden.

Detrimental ** ********** ********* *****

*********'* ** *** ****** operation ******** **** ****-****** sellers (******, *******, ***.) often ******** *** **** equipment ** ***** ******. One ********* *********'* ********** team ****** ** *** ability ** *** ******** Hikvision ******* *******, **** as *** ***** ******** resets. ** ********* **** tool, ******* *** ******* their *** ******** ****** for ********* ******* ******* to ******* ********* *******, reducing ***** ********* ** buy ******* ********** ********.

Cannot ** ********

*************, *** '******** ****' feature ** **** ***** into ********* ********* *** cannot ** ********. ** have ******** **** ********* if ** **** **** would *** **** ****** to ***** ***** ** close **** *************.

Atypical *** ******* *************

*** ***** ******** ***** concept ** **** ******* of ******* *********. ***** has * ******* '***** password' *******, *** ** enterprising*********** ******* *** ******** master ******** *****, *** ********* **** Avigilon, *******, *********, ***. do *** ***** * person ** **** ** to *** ******** *** wipe *** *** ***** password **** ******* *****.

Cybersecurity ******** *** *********

************* *** **** ** ongoing ***** *** *********. The *********** *** ***** passwords ** ** ***** at ***, *** ******* any ********* **********, ** an ***** ******. ****** the ***** **** ********* widely ********* ***** *** systems **** **** ******. Hikvision *** ************************** **** **** ************* seriously, *** **** ***** features **** ***** ******** that ***** ***** ********* to ** ***** *** easily, *** ******* **** notifying ***** **** **** occurred.

********** *********, ***** ********* is ****** ** ****** their ********, **** *************** like ****** ***** ******** resets ** ****** ***********, and **** ***** ****** any ******* **** ****** such **** ********.

UPDATE - **** ******* ** ******** *****

**** ****, ****** *** and ******** ** *** form ** * ******* executable ********* ********** ** previous **********-***** ********, ******** of *****:

********* ******** ***** ****
********* ******* ******** ***** Tool

*** ******* ****** **** all ** ***** ***** produced *** **** ****** from * ***** ****** number/date ******. ****** *********** ** *** ********* tool ********* ** *** not **** ** ***** firmware, *** ***** ***** that ** **** ***** work ** ****** ******** firmware, ** ** ****** on **.*.*.

*** ******* *** ********** tools (*** ********** *** Windows-based ****) *** ** compute ***** ***** ***** is ***** *****, ********** some **** **** *** device's ****** ****** *** date ******** ** ********** by * '***** ******', with *** ****** ** the '***** ******' **** converted ** ***** ********** that *** ** ******* on * ******** ********:

Update * - ********* ******** **** "******** ***** ******"

** ****** **, ****, Hikvision **** * '******* Bulletin' ***** * **** ******** entitled "********* ***/*** ******** Reset ******". ** ******** * history ** ******** ********** to ******** ********* ****** various *********. ** **** requested * **** **** Hikvision ********* *************** ** go ******* *** ******* and **** ** ****** the **** ***********.

*** ********* *****:

(*) ********* ****** ** the ******** ***** ** "so-called ********* '******** ****'". To ** *****, ** use *** **** '******** code' ******* **** ** Hikvision's *** **** *** this *******, *.*., *** excerpt ** ********* ********* calling ** * '******** ****'.

(*) ********* ******* ****** nor ******** **** ***** security **** *** *******. Rather **** ********* * newer ******** **** ***** overcome **** *******. **** approach ** **** ** will ** ********* ** detail **** ********* *** then ******* ** ******.

Update * - ****/*** ******** ** ********* ******** *** *** ******

*** ******** ** *********'* response *** **** ********:********* ******** ** ******* Security *****

Comments (59)

Sean Nelson

Nelly's Security
08/08/17 01:28pm

A reset button on the physical motherboard would be the best option to alleviate this issue. It would be secure, effective, and would reduce tech support costs as well

Undisclosed Integrator #1

08/08/17 02:08pm

To be clear, does this only work locally on the LAN or is there a way to use this remotely as well? I don't think the SADP tool works remotely but I want to make sure I understand that part accurately

Brian Karas

IPVM | In reply to Undisclosed Integrator #1 | 08/08/17 02:26pm

SADP primarily relies on multicast and broadcast packets, so you are limited to using it on a LAN (or VPN).

Brian Karas

IPVM | 08/08/17 05:04pm

UPDATE -

Added some additional detail to the Cracked Program Overview section:

The code generator is distributed as a small (53KB) Windows executable. It does not require any installation and can be run directly without administrator access or any special requirements. We are not distributing the program, as it presents a security risk to Hikvision users.

Undisclosed Integrator #2

08/08/17 05:15pm

Hey Brian,

How does this program differ from the"HikVision Password Reset Tool" that is currently on ipcamtalk? From what I can determine it looks like it is just a different GUI from what they have posted on their webpage.

https://ipcamtalk.com/pages/hikvision-password-reset-tool/

Brian Karas

IPVM | In reply to Undisclosed Integrator #2 | 08/08/17 07:33pm

We did some tests of this newer tool and the previous version you referenced. They produced the same output from the serial numbers/dates we tested with. You are correct that they are basically different GUI's producing the same results.

The following update was added to the report to reflect this:

UPDATE - Same Results As Previous Tools

This tool, though new and packaged in the form of a Windows executable functions comparably to previous javascript-based versions, examples of these:

Our testing showed that all of these tools produced the same output from a given serial number/date string. Though a discussion on the ipcamtalk tool indicates it may not work on newer firmware, tests prove that it does still work on recent recorder firmware, as it was tested on version 3.4.5.

The methods the javascript tools (and presumably the Windows-based tool) use to compute these reset codes is shown below, ultimately some data from the device's serial number and date settings is multiplied by a 'magic number', with the digits of the 'magic number' then converted to ASCII characters that can be entered on a standard keyboard:

Undisclosed Integrator #1

In reply to Brian Karas | 08/08/17 08:32pm

I thought the codes generated on the forum were for older versions and didn't work anymore. But maybe they still work on NVRs?

Brian Karas

IPVM | In reply to Undisclosed Integrator #1 | 08/08/17 08:38pm

From our tests, the recorders can still be reset with these codes, though not always via SADP, in some cases the reset had to be done from the recorders local console. Still, they work, and present a security risk.

Sean Nelson

Nelly's Security
In reply to Brian Karas | 08/09/17 09:13am

Unless we are missing something, we tried the IPCT generator on some newer firmware products and it didnt work. We will try again to confirm.

Brian Karas

IPVM | In reply to Sean Nelson | 08/09/17 09:28am

Sean - can you provide details on what products/firmware versions you tested? Also, did you try the reset codes only via SADP or also from the local console?

Ryan O'Daniel

IPVMU Certified | In reply to Brian Karas | 08/09/17 01:33pm

The reset tool works at the NVR itself on "older" firmwares that have the hidden menu that allows you to enter a secure code. The newer firmwares don't have the hidden menu on NVRs/DVRs, instead asking for a GUID password file that is supposed to be created during the initial setup.

This morning I tested it on a camera with firmware 5.4.0, a camera with firmware 5.4.3, and 5.3.6 and none of them worked.

However, it will reset cameras with firmware below 5.3.0. I tested it on an OEM DS-2CD2020-I with firmware 5.2.0 and it worked.

Brian Karas

IPVM | In reply to Ryan O'Daniel | 08/09/17 02:58pm

This morning I tested it on a camera

As mentioned multiple times in the report, this was targeted at recorders, not cameras. Even recorders with recent firmware could be bypassed using the codes generated.

Overall, I consider recorders to be a bigger risk than cameras for this. If you are deploying a Hikvision recorder, the cameras are typically going to be "behind it" from a network perspective, and most likely not directly accessible. Additionally, the cameras would typically not store any video.

The recorder, however, has stored video, and provides access to all the cameras connected to it. Bypassing the recorders authentication opens up the user to a much larger overall risk.

Steven Burman

08/09/17 11:07am

To be fair, HIK is not he only manufacturer with a back door around a password. I had a client lose the password to their Bosch Dibos DVR, and the factory provided a work-around which allowed me to reset to default. Granted, this was around 2003 or so, but I'm sure some manufacturers still do things this way.

Brian Karas

IPVM | In reply to Steven Burman | 08/09/17 11:20am

You are correct that Hikvision is not the only company with a back door password, we pointed out Dahua and XiongMai as two other companies that also take this approach. It was also noted that this is far less common among non-Chinese manufacturers, but if anyone has specific current references (e.g.:a 2003 scenario is not a valid example) we would be interested in hearing what other manufacturers take this approach.

Additionally, there is a difference between a "reset to defaults" and an admin password reset. With a default reset, the situation should be much more obvious, and would hopefully include wiping out stored video or making it unretrievable. This at least makes it easier to notice that the unit has been compromised, and hopefully makes it so that someone cannot retrieve data from the unit if it is compromised. It also matters how the reset is carried out, requiring physical access to a switch or jumper inside the unit also makes it much more difficult for an attacker to do this without being noticed.

Steven Burman

08/09/17 11:27am

Yes, as mentioned in my post, a 2003 anecdotal reference has questionable validity in 2017, however, I wouldn't be surprised to find this is still a practice even for non-Chinese companies. And I do recall that the only change to the Bosch unit was a resetting of the password, all data was left intact. A final note, saying that there is a difference based upon what "should be" and "hopefully" is happening doesn't validate any difference.

Undisclosed Integrator #3

08/09/17 11:43am

This used to be the way. I am pretty sure that this method works for 90% of the Hikvision devices out in the field. I have used IPCAMTALK's tool mostly to reset admin password but lately with newer Hikvision's firmware, 5.4.x(these are for cameras), the method discussed here no longer works.

On a NEWER Hikvision firmware, one would have to export a xml file from the camera/dvr using SADP on a local network, then, send it over to Hikvision Techsupport. Hikvision Techsupport would email you back a one time reset file that you can import back using SADP, then the admin password would be reset.

Hikvision did made sure that my cameras were purchased through authoirzed re sellers such as ADI before assisting me further.

John Honovich

IPVM | In reply to Undisclosed Integrator #3 | 08/09/17 11:46am

Myung, thanks for the feedback.

Hikvision did made sure that my cameras were purchased through authoirzed re sellers such as ADI before assisting me further.

Question: curious, how did they make sure of that?

Mike K

In reply to John Honovich | 08/09/17 11:51am

Hikvision USA were able to distinguish if the products were sold to ADI,Tri-Ed versus OEM like Winic.

They must have access to Hikvision's China master database of some sort. I tried once to get techsupport on a Winic Hikvision OEM, but knew exactly that this was sold to Winic. They were pretty irate about it too, but understandable. Told me to call them because this is OEM Hikvision, not Hikvision brand.

Undisclosed Integrator #1

In reply to Mike K | 08/09/17 02:23pm

Hikvision requires you to submit the serial number of the unit. That's how they track it.

Undisclosed Manufacturer #4

In reply to Undisclosed Integrator #3 | 08/09/17 11:55am

On really new Dahua firmware's exporting the XML is also a option for resetting the admin password, Dahua also have a new online system that goes through there email server. You press "Forgot Password" on the GUI and it sends a security code for you to change the admin password on the local GUI.

Brian Karas

IPVM | 08/09/17 12:21pm

UPDATE -

Added some additional detail to the W-Box test session to list the model number tested (0E-41TP1UN) and to clarify that it worked over SADP for older firmware, and via local console only for newest/latest firmware, 3.4.2.

Undisclosed Integrator #1

08/09/17 02:28pm

This is starting to sound like old news. The online generator for older cameras and firmware has been online for years. Newer firmware has fixed that. When I first read this I was thinking someone had cracked the new way to reset password but that's not the case.

The only problem here is that some devices still can have their passwords reset the old way because they're running old firmesre, is that correct?

Brian Karas

IPVM | In reply to Undisclosed Integrator #1 | 08/09/17 03:02pm

The only problem here is that some devices still can have their passwords reset the old way because they're running old firmesre, is that correct?

Undisclosed Integrator #1

In reply to Brian Karas | 08/09/17 04:20pm

Which hikvision models did you test with the latest firmware?

OEM models might still have this issue becuase they don't upgrade to the latest versions or security protocols. That's up to the OEM.

Undisclosed Distributor #8

In reply to Undisclosed Integrator #1 | 08/10/17 02:02am

I suspect this is for low-end models, not I and K series, neither Blazers.

Will check when I get back to the office.

Undisclosed Integrator #1

In reply to Undisclosed Integrator #1 | 08/10/17 06:30pm

Just checking in again, was this test performed on branded hikvision products with the latest firmware? Or just the w-box unit?

Brian Karas

IPVM | In reply to Undisclosed Integrator #1 | 08/10/17 07:38pm

These are the models/firmware versions that we were able to successfully perform the admin password reset on:

Hikvision DS-7604NI-E1/4P firmware:

V3.4.3build 160822

V3.4.5 build 170224

Wbox 0E-41TP1UN firmware:

V3.0.8build 151103

We did also try the process on a Northern Video NVR and an LTS NVR, neither of which accepted the generated code when attempting an admin password reset.

Undisclosed Integrator #1

In reply to Brian Karas | 08/10/17 08:26pm

So based on Hikvision's bulleton, the newer NVRs aren't affected anymore. Those run the latest firmware, for example the I series NVRs.

The issue is only with the older NVRs. Cameras no longer work with this security code tools and newer NVRs don't either.

Undisclosed Integrator #5

08/09/17 03:48pm

I don't believe Hikvision is the only manufacturer who has a way to take over a recorder without having the password codes. I have used others who have back doors when passwords are lost or forgotten so we can get back into the recorders - (this includes some access control manufacturers as well). If I arrive at a competitors site running these recorders I know I can take them over within minutes. You do have to be onsite (or remotely logged in to the local server with a TeamViewer type program) and within minutes have all passwords reset to defaults then changed to our standard password protocols. For 1 manufacturer I keep the back door instructions on my phone so I don't have to call tech support to help me back door in - and I'm not a tech I'm in sales! So it isn't just a Hikvision issue, the reported way may be a different way to do it, but its possible to get into other recorders without knowing the passwords.

Additionally, who would the end user be worried about with this code cracking information. Seems that the hacker needs to be onsite - so it's unlikely an unknown person would be the culprit, and what's the chance that a known person would have the right skillset to pull it off - outside of the IT department - who may already have the passwords.

Undisclosed Integrator #2

In reply to Undisclosed Integrator #5 | 08/09/17 04:08pm

The biggest issue with this password reset method is that all you need to utilize it is access to the LAN. Once I plug my laptop into an unsecured port on the security network with HikVision Cameras I now own them all. This is in comparison to other manufactures that have a physical reset button that must be used to reset the admin password. Just my 2 cents on the discussion.

Steven Burman

In reply to Undisclosed Integrator #5 | 08/09/17 04:43pm

This forum seems to focus specifically on HIK even though some of the issues are industry wide. It grows tiresome. Being a professional site selling market research to the industry, personal attacks driven by animosity really do not belong.

Undisclosed Integrator #2

In reply to Steven Burman | 08/09/17 05:46pm

I agree. The same issues can be seen on a large range of CCTV Products. I just ended up focusing on HikVision in my comments because they were the topic of this post. Did not mean to target HikVision individually.

Steven Burman

In reply to Undisclosed Integrator #2 | 08/09/17 06:05pm

I wasn't speaking of your post, but of this site's readily apparent animosity towards HIK. I really don't understand why they are focused on when there is a plethora of low-end IP camera manufacturers selling cheap cameras with poor or no cyber-security protections. I'm not defending HIK, quite the contrary, I typically stay away from so-called "bargain brands", unless specifically called out by my client. But as I said, I grow tired of seeing what is obviously a personal enmity portrayed as "market data".

John Honovich

IPVM | In reply to Steven Burman | 08/09/17 06:20pm

Steven, thanks for your feedback. I appreciate it.

As for our animosity towards companies, this is a common accusation. In alphabetical order, routinely ADI people think we hate, Anixter people think we hate them, Avigilon people think we hate them, Axis people think we hate them, on and on...

Our focus is large players that impact the market. So Hikvision and ADI and Anixter and Avigilon and Axis, etc. are going to take far more criticism than small players. This is for a simple reason - those big companies far more impact the professional market (which is what IPVM focuses on) than smaller players.

plethora of low-end IP camera manufacturers selling cheap cameras with poor or no cyber-security protections

For example, recall the recent 175,000 camera vulnerability for 'NeoCoolCam'. We saw this immediately and reviewed this. We decided not to do a post, not because we 'like' the 'NeoCoolCam' people (we have no idea who they are) but because we know our members overwhelmingly neither use nor compete with them, so it is irrelevant to what they do.

I hope that helps explain our editorial process. Happy to answer more questions here.

personal attacks

Steven, what type of 'personal attacks' specifically do you feel IPVM is making against anyone?

Steven Burman

In reply to John Honovich | 08/09/17 06:39pm

Against HIK. If I were to count the total number of "negative" posts involving manufacturers, am I incorrect in postulating that the number of articles unfavorable to HIK would far outnumber articles referencing other manufacturers?

John Honovich

IPVM | In reply to Steven Burman | 08/09/17 06:48pm

Steven,

We have plenty of positive posts about Hikvision, just from the summer so far:

We are going to have more positive and negative posts about Hikvision than we are going to have about almost any other company because of Hikvision's sheer size.

Steven Burman

In reply to John Honovich | 08/09/17 07:23pm

Metrics such as this prove nothing. If you do a complete review, say for a period of 1 year, showing the number of favorable versus unfavorable results for the 5 most mentioned entities, what do you suppose that would show? My own perception is that you lean heavily towards the negative where HIK is concerned. I could be wrong, and it wouldn't even be the first time.

John Honovich

IPVM | In reply to Steven Burman | 08/09/17 07:29pm

Steven,

You claim IPVM has made "personal attacks" and has "personal enmity" against Hikvision.

I have given you multiple examples of positive reporting that a reasonable person would conclude that someone with 'enmity' and 'personal attacks' would not do. And yet you dismiss it as, and I quote, 'nothing'.

IPVM criticizes lots of things and lots of companies and many companies are going to receive net negative criticism. But just because we are critical does not mean we are wrong or that we are 'personal' against them.

I am now asking you again - specifically what reporting that IPVM has made is 'personal' in nature against Hikvision?

Steven Burman

In reply to John Honovich | 08/09/17 07:55pm

Because the number of articles unfavorable to HIK seems to heavily outweigh articles unfavorable to other manufacturers. And a reasonable person would want to weigh the number of negative articles over the summer compared to the number of positive ones, and use that as a metric to compare with the positive / negative ratio of articles concerning other manufacturers. Stating that you posted 4 "positive" articles over the summer has no merit whatsoever without the comparatives mentioned above. So your statement that I dismissed your 4 as "nothing" wasn't entirely accurate. Because any reasonable person would disregard the 4 positive articles if there were 25 negative ones, and unless the other vendors mentioned shared this >5/1 ratio, the same reasonable person would probably conclude that you did indeed have some personal enmity against them.

John Honovich

IPVM | In reply to Steven Burman | 08/09/17 08:36pm

that you posted 4 "positive" articles over the summer has no merit whatsoever without the comparatives... disregard the 4 positive articles if there were 25 negative ones

Steven, be fair. We have not published anything close to 25 articles total on Hikvision this summer. If you want to criticize us that is fine, do it on facts, do not employe hypotheticals that are clearly false.

This summer, since June 21st, we have published 93 total articles, 12 of which have been on Hikvision, including this one here.

In addition to the 4 positive ones cited above, we have a positive comparison vs Dahua - Dahua 4K Turret Tested Vs Hikvision (N84BG44 ) and 2 other tests that are neutral to positive - Hikvision 8MP Low-Cost Camera Tested and Hikvision H.265+ Bullet Tested (2035).

So your hypothetical is clearly wrong.

That said, IPVM does not aim to be 50/50 on any company or topic. We don't have 'quotas' for 'positive' or 'negative' coverage. Our goal is to cover important topics to the industry accurately.

I will ask you a 3rd time Steven, beyond the sheer number of articles we write, what specifically in the actual reporting consists of 'personal attacks'?

Undisclosed #7

In reply to Steven Burman | 08/09/17 10:53pm

Your argument, without evidence beyond your own opinion, incorrectly conflates 'numbers of negative posts' with 'bias'... it is not true just because you say it is true.

Further, imo, the remainder of your comments are then focused on knocking down that self-created 'bias' straw man.

Hik is the worlds largest surveillance equipment provider. THAT is the causation for 'numbers of posts'.

The higher number of negative posts in relation to lower number of positive posts can just as easily be ascribed to the way in which this company has historically handled/responded to repeated publicly exposed vulnerabilities in their own hardware/software.

If a company has experienced seemingly sustained occurrences of different vulnerabilities over a period of time - no matter what it is that this company produces - I find it hard to justify a claim of bias when the vast majority of news stories covering these sustained occurrences of vulnerabilities are negative.

Steven Burman

In reply to Undisclosed #7 | 08/10/17 09:40am

I guess you missed the whole "my perception is" and "my opinion is" in my posts. And your whole "knocking down the bias straw man" is funny. I do enjoy slapstick humor. But I've now wasted far more time on an inconsequential subject than I originally intended.

Undisclosed #9

In reply to Steven Burman | 08/10/17 06:36am

The best way for Hikvision to avoid having negative news would be for them to fix their constant security breaches, government subsidization, and other items that are brought up. Complaining that someone calls them on it does not solve anything, solving and preventing these items does.

John Honovich

IPVM | 08/09/17 04:20pm

Note: Based on discussion here, we have started a new topic - Forgot Recorder Password, How To Recover?

Also, we are checking on the comment made about Dahua recovery method. Any inputs on other manufacturers, please add to this topic.

Undisclosed Manufacturer #6

08/09/17 09:30pm

I think that the issue is that their method of password recovery is considered a back door. This has been discussed here recently.

Many manufacturers I have worked with, when you default the device, all programming is wiped, so that an attacker doesn't get access to the settings. This way to someone watching the monitor, etc all appears normal while they p0wned it in the network side.

Here, the reset simply wipes the password giving you full access to the system as it was previously configured.

For best cyber security practices, this should be restricted to requiring physical access or out-of-bounds (OOB) access. A network device shouldnt allow a reset over the network.

Think about Cisco or other brand switches. You need physical access to press a button sequence and a console cable for local rs232 access.

Joseph Marotta

IPVMU Certified | 08/10/17 06:05pm

Hikvision just sent out an email Special Bulletin regarding this issue. In it they said:

"The update is intended to clear up any misunderstandings stemming from an Aug. 9 online report of a so-called Hikvision 'security code' being 'cracked' via a security-code generating software program."

You don't think they are referring to IPVM's article, do you?! :^P

Brian Karas

IPVM | 08/10/17 07:42pm

UPDATE:

Hikvision has responded, though not directly to us, they did send a Special Bulletin email out. We have updated the report to reflect this:

Hikvision Responds With "Password Reset Update"

On August 10, 2017, Hikvision sent a 'Special Bulletin' with a 2 page document entitled "Hikvision NVR/DVR Password Reset Update". It explains a history of evolving approaches to reseting passwords across various recorders. We have requested a call with Hikvision technical representatives to go through the details and plan to update the post accordingly.

Two immediate notes:

(1) Hikvision refers to the security codes as "so-called Hikvision 'security code'". To be clear, we use the term 'security code' because that is Hikvision's own term for this feature, e.g., see excerpt of Hikvision documents calling it a 'security code'.

(2) Hikvision neither denies nor confirms that their security code was cracked. Rather they emphasize a newer approach that would overcome this problem. This approach is what we will be reviewing in detail with Hikvision and then posting an update.

Undisclosed Manufacturer #6

08/11/17 10:43am

The update clearly misses the mark. 1) The units CAN be reset by Hik or ANYONE else with the algorithm, which clearly has been cracked. As mentioned above, they don't want to really acknowledge that these codes exist, and anyone can call in and get one generated. 2) They want you to send them a GUID key. A properly locked down IP device that requires user authentication will NOT allow you to download this file via SADP, since you don't know the password and have not been authenticated. The only thing that should be exposed is by the discovery tool/protocol - IP address and that is it...

I believe the generic term for these types of codes are "One Time Use Passwords" meaning that they are based on the time/date of the unit and will expire in 24 hours. Of course, from the screenshot, HIK seems to be providing the codes for a few days, again making it even more dangerous.

Undisclosed Integrator #10

08/14/17 08:34am

You can crack a windows machine admin login as well. Nothing new here.

Giancarlo Favero

In reply to Undisclosed Integrator #10 | 09/08/17 02:46pm

I agree 100%.

I don't understand all this fuss.

The fact that you must be either physically plugged or on the same LAN, greatly decreases the risks.

And again, once you eventually reset the password and gain access to the DVR/NVR, you have access to some worthless, meaningless images that nobody cares about: only an idiot could spend time and effort pursuing that. You don't have access to personal data, credit card numbers, medical data, nothing. Once again, security in videosurveillance is way overestimated.

And thank God that you gave an utility to recover from lost passwords: last time a client of ours forgot the password of a Mobotix camera, he had to spend several hundred Euros to send the cameras to Mobotix in Germany, what the hell!!

P.S.: no big surprise Mobotix is virtually disappearing from the videosurveillance market and lost almost 60% of stack value in recent months.

I am beginning to be fed up by this completely biased, tabloid-style garbage journalism.

This time thumb completely down.

Giancarlo Favero

John Honovich

IPVM | In reply to Giancarlo Favero | 09/08/17 03:05pm

I don't understand all this fuss.

The fact that you must be either physically plugged or on the same LAN, greatly decreases the risks.

Yes, it is not as much a risk as the Hikvision backdoor.

However, it is certainly a risk and a risk that Hikvision was well aware of, that's why Hikvision changed the code generation process - Hikvision Responds To Cracked Security Codes.

Brian Karas

IPVM | 08/14/17 09:02am

UPDATE -

We had a technical update call with Hikvision on Friday August 11th to discuss the security code crack, and steps Hikvision has taken to make it more challenging to crack the security code. We will be publishing a new report tomorrow (August 15th) with our analysis of Hikvision's updated admin password reset process.

Sean Nelson

Nelly's Security
In reply to Brian Karas | 08/14/17 10:59am

Glad to see you guys are on speaking terms again. It does appear that the Hikvision reporting lately appears to be more objective than opinionated lately. Excellent.

Undisclosed #7

In reply to Sean Nelson | 08/14/17 11:10am

nice slam masquerading as a compliment. :(

Brian Karas

IPVM | 08/15/17 11:53am

Update - Good/Bad Analysis Of Hikvision Response And New Method

Our analysis of Hikvision's response and the new password reset method has been released: Hikvision Responds To Cracked Security Codes

Dawid Adamczyk

08/15/17 03:27pm

I guess you "like" HIK much. Try to test Dahua agains RAT cctv super password -gaining access to Dahua DVR/NVR is more than easy.

Robert Shih

Independent
In reply to Dawid Adamczyk | 08/16/17 09:53am

I will neither confirm nor deny *shrugs*. Honestly, we just need physical reset buttons and just not have a password recovery method that's worth the time and effort altogether. Physical access should take care of everything. Then again, what do we do about physical theft?

John Honovich

IPVM | 08/31/17 10:36am

UPDATE: W-Box fixed this in V3.4.2 build 170816 (download here). The option to request the code has been removed.

John Honovich

IPVM | 09/08/17 09:57am

Update: Our new Interlogix test shows Interlogix recorders are still vulnerable to the cracked security code process:

Interlogix recorders' passwords may be reset using the Hikvision security code generator detailed in our report Hikvision Security Code Cracked. Entering a code from this tool in TruVision Device Manager resets the password to default (admin/1234). Note that Hikvision and other OEMs have removed this capability in new firmware.

Read this IPVM report for free.

This article is part of IPVM's 6,596 reports, 889 tests and is only available to members. To get a one-time preview of our work, enter your work email to access the full article.

Hikvision Security Code Cracked

Comments (59)

Sean Nelson

Undisclosed Integrator #1

Brian Karas

Brian Karas

Undisclosed Integrator #2

Brian Karas

Undisclosed Integrator #1

Brian Karas

Sean Nelson

Brian Karas

Ryan O'Daniel

Brian Karas

Steven Burman

Brian Karas

Steven Burman

Undisclosed Integrator #3

John Honovich

Mike K

Undisclosed Integrator #1

Undisclosed Manufacturer #4

Brian Karas

Undisclosed Integrator #1

Brian Karas

Undisclosed Integrator #1

Undisclosed Distributor #8

Undisclosed Integrator #1

Brian Karas

Undisclosed Integrator #1

Undisclosed Integrator #5

Undisclosed Integrator #2

Steven Burman

Undisclosed Integrator #2

Steven Burman

John Honovich

Steven Burman

John Honovich

Steven Burman

John Honovich

Steven Burman

John Honovich

Undisclosed #7

Steven Burman

Undisclosed #9

John Honovich

Undisclosed Manufacturer #6

Joseph Marotta

Brian Karas

Undisclosed Manufacturer #6

Undisclosed Integrator #10

Giancarlo Favero

John Honovich

Brian Karas

Sean Nelson

Undisclosed #7

Brian Karas

Dawid Adamczyk

Robert Shih

John Honovich

John Honovich

Read this IPVM report for free.

Member Login

Related Reports

Recent Reports