Hikvision Security Code Cracked

By: IPVM Team, Published on Aug 08, 2017

Hikvision's 'security code' feature has been cracked and a program generating security codes is being distributed online. IPVM has obtained and tested this program, verifying that it works.

Hikvision's 'security code' allows an unauthenticated user to take over a Hikvision recorder locally (via SADP on the LAN or at the recorder's console), regardless of how strong the admin password is. Hikvision has used this as a tech support feature, as we covered and explained in this report.

Hikvision has historically called this 'security code' or 'security codes', e.g.:

Now, anyone with this program can generate a security code that resets the admin password and takes over the Hikvision recorder. Hikvision does not allow disabling this 'security code' feature.

Inside this note, we show how the program works, what it does and what risks it poses.


Cracked Program Overview

The code generator is distributed as a small (53KB) Windows executable. It does not require any installation and can be run directly without administrator access or any special requirements. We are not distributing the program, as it presents a security risk to Hikvision users.

** *** ******* ** the **** *********, *** starts **** ******** *** IP ******* ** *** Hikvision ********:

****, **** *** ** address ** ******** ** being * ********* ****** you *** ***** *** serial ****** ** *** unit, *** *** **** you **** ** ******** a ***** **** ***. From **** ****, *** software ******* * ******** code **** *** ** used ** ***** *** admin ********:

*** **** *** **** be **** ** *** recorders ******* ** **** out *** ***** ******** and *** * *** one, ** ***** ***** on *** **** ****:

* ******* ** *** software ** ************ ** a ******* *****:

[******] - *** ******** author ******* *** *****, he *** *** ******* a ***** *********** ****** his ****** *** ***** so.

***** **** *****, *** author ***** *** ******* to ******* *** ****, to ******** ***** *** future *****, ** ** case *** ****** **** of *** **** *** incorrect.

Feedback **** ******* ******* ******

*** ****** ** *** software, ***** [**** ** longer *********]******, **** ** did *** ****** *** tool *** *******, *** instead ** **** ******, and **** *********** *** his ******* *******. ** says ** ** ******* on ******** *** ******** to ******* ***** ***** for **** ********* *******, as ** ********* **** works *** *********. ** also ****** **** ******* assistance *** ********* ****[****** - *** ****** removed *** ******** **** as ****].

Works ** *** *-***, ****** ***** ****

**** ******** **** *** security **** ***** ******* works ** ** *** W-Box ******** ***** **-*******, including ******* **** *** local ******* / **** on ***** ******** ** shown ** *** ********** below:

** *** ****** *-*** firmware (*.*.*) *** ***** also ******, *** ******* to *** ********* ******** it *** ** ** entered ** *** ********* local *******.

** ******* **** ************** **** (** ***** there *** ****** **+)*** ******** ** **** as ****.

[UPDATE: W-Box fixed this in V3.4.2 build 170816 (download here). The option to request the code has been removed.]

Benefits ** ********* ******* / ********

********* ******* *** ******** can ****** ***** **** support ***** *** **** by ********* **** ******* and ***** ******** ****** by **********, ****** **** having ** ******* *** wait *** ********* ** respond.

Benefits ** ********* ***********

********* ***********, **** *********** and *************, *** **** end ***** *** ******** Hikvision ** ** ***** this ******* ** ****** Hikvision *********. ** ***** for * ******** **-**** demonstration, ********** ***** ********* has ******** *** *********** of ****** ********* **** can *** ** ****** overridden.

Detrimental ** ********** ********* *****

*********'* ** *** ****** operation ******** **** ****-****** sellers (******, *******, ***.) often ******** *** **** equipment ** ***** ******. One ********* *********'* ********** team ****** ** *** ability ** *** ******** Hikvision ******* *******, **** as *** ***** ******** resets. ** ********* **** tool, ******* *** ******* their *** ******** ****** for ********* ******* ******* to ******* ********* *******, reducing ***** ********* ** buy ******* ********** ********.

Cannot ** ********

*************, *** '******** ****' feature ** **** ***** into ********* ********* *** cannot ** ********. ** have ******** **** ********* if ** **** **** would *** **** ****** to ***** ***** ** close **** *************.

Atypical *** ******* *************

*** ***** ******** ***** concept ** **** ******* of ******* *********. ***** has * ******* '***** password' *******, *** ** enterprising*********** ******* *** ******** master ******** *****, *** ********* **** Avigilon, *******, *********, ***. do *** ***** * person ** **** ** to *** ******** *** wipe *** *** ***** password **** ******* *****.

Cybersecurity ******** *** *********

************* *** **** ** ongoing ***** *** *********. The *********** *** ***** passwords ** ** ***** at ***, *** ******* any ********* **********, ** an ***** ******. ****** the ***** **** ********* widely ********* ***** *** systems **** **** ******. Hikvision *** ************************** **** **** ************* seriously, *** **** ***** features **** ***** ******** that ***** ***** ********* to ** ***** *** easily, *** ******* **** notifying ***** **** **** occurred.

********** *********, ***** ********* is ****** ** ****** their ********, **** *************** like ****** ***** ******** resets ** ****** ***********, and **** ***** ****** any ******* **** ****** such **** ********.

UPDATE - Same Results As Previous Tools

This tool, though new and packaged in the form of a Windows executable, functions comparably to previous JavaScript-based versions, examples of these:

Our testing showed that all of these tools produced the same output from a given serial number/date string. Though a discussion on the ipcamtalk tool indicates it may not work on newer firmware, our tests prove that it does still work on recent recorder firmware, as it was tested on V3.4.5.

The methods the JavaScript tools (and presumably the Windows-based tool) use to compute these reset codes are shown below; ultimately, some data from the device's serial number and date settings is multiplied by a 'magic number', with the digits of the 'magic number' then converted to ASCII characters that can be entered on a standard keyboard:

Update - Hikvision Responds With "Password Reset Update"

On August 10, 2017, Hikvision sent a 'Special Bulletin' with a 2 page document entitled "Hikvision NVR/DVR Password Reset Update". It explains a history of evolving approaches to resetting passwords across various recorders. We have requested a call with Hikvision technical representatives to go through the details and plan to update the post accordingly.

Two immediate notes:

(1) Hikvision refers to the security codes as "so-called Hikvision 'security code'". To be clear, we use the term 'security code' because that is Hikvision's own term for this feature, e.g., see excerpt of Hikvision documents calling it a 'security code'.

(2) Hikvision neither denies nor confirms that their security code was cracked. Rather they emphasize a newer approach that would overcome this problem. This approach is what we will be reviewing in detail with Hikvision and then posting an update.

Update - Good/Bad Analysis Of Hikvision Response And New Method

Our analysis of Hikvision's response has been released: Hikvision Responds To Cracked Security Codes

Comments (59)

A reset button on the physical motherboard would be the best option to alleviate this issue. It would be secure, effective, and would reduce tech support costs as well

To be clear, does this only work locally on the LAN or is there a way to use this remotely as well? I don't think the SADP tool works remotely but I want to make sure I understand that part accurately  

SADP primarily relies on multicast and broadcast packets, so you are limited to using it on a LAN (or VPN).

UPDATE -

Added some additional detail to the Cracked Program Overview section:

The code generator is distributed as a small (53KB) Windows executable. It does not require any installation and can be run directly without administrator access or any special requirements. We are not distributing the program, as it presents a security risk to Hikvision users.

Hey Brian,

How does this program differ from the "HikVision Password Reset Tool" that is currently on ipcamtalk? From what I can determine it looks like it is just a different GUI from what they have posted on their webpage.

 

https://ipcamtalk.com/pages/hikvision-password-reset-tool/

We did some tests of this newer tool and the previous version you referenced. They produced the same output from the serial numbers/dates we tested with. You are correct that they are basically different GUI's producing the same results.

The following update was added to the report to reflect this:

UPDATE - Same Results As Previous Tools

This tool, though new and packaged in the form of a Windows executable, functions comparably to previous JavaScript-based versions, examples of these:

Our testing showed that all of these tools produced the same output from a given serial number/date string. Though a discussion on the ipcamtalk tool indicates it may not work on newer firmware, tests prove that it does still work on recent recorder firmware, as it was tested on version 3.4.5.

The methods the JavaScript tools (and presumably the Windows-based tool) use to compute these reset codes are shown below; ultimately, some data from the device's serial number and date settings is multiplied by a 'magic number', with the digits of the 'magic number' then converted to ASCII characters that can be entered on a standard keyboard:
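To make the weakness concrete, here is an added toy implementation of the scheme shape the update describes: a code derived only from the serial number and the device date, mixed into an integer, multiplied by a fixed constant, and mapped to keyboard characters. This is example code written for this page, not the ipcamtalk or Windows tool's code. The constant `TOY_MAGIC`, the mixing loop and the `KEYBOARD_CHARS` table are placeholders chosen for illustration, not Hikvision's values, so its output will not reset any device; the serial used is constructed. What it shows is the security-relevant property: every input is either printed on the device label or broadcast by SADP on the LAN, and the attacker does not even need the recorder's exact date, only a small window around it. `keyed_reset_code` is a contrast (an illustration, not Hikvision's newer reset method): the same public inputs mixed with HMAC under a secret the device never broadcasts, so leaking the algorithm no longer leaks the codes.

```python
import hashlib
import hmac
from datetime import datetime, timedelta

# Placeholder constant and digit table chosen for this example: NOT Hikvision's values.
TOY_MAGIC = 1009
KEYBOARD_CHARS = "QWERTYUIOP"   # digit d maps to KEYBOARD_CHARS[d]; all typeable on a keyboard


def toy_reset_code(serial: str, yymmdd: str) -> str:
    """Toy version of the scheme shape described above: the serial number and the
    device date (YYMMDD, as the tools take it) are mixed into one integer, that
    integer is multiplied by a fixed constant, and the decimal digits of the
    product are mapped to keyboard characters. The mixing loop is assumed for
    this example (it is not the tools' code); the point is that nothing here is secret.
    """
    text = serial + yymmdd
    acc = 0
    for i, ch in enumerate(text, start=1):
        acc += (ord(ch) * i) ^ i          # placeholder mixing step
    acc *= TOY_MAGIC                      # "multiplied by a magic number"
    return "".join(KEYBOARD_CHARS[int(d)] for d in str(acc))


def attacker_candidates(serial: str, guessed_yymmdd: str, window_days: int = 2) -> list:
    """The attacker's view: the serial comes from the device label or the SADP
    broadcast on the LAN; the recorder's clock is not known exactly, so codes are
    generated for a small window of dates. The one matching the recorder's own
    date is the one it accepts, so date uncertainty costs only a handful of tries."""
    base = datetime.strptime(guessed_yymmdd, "%y%m%d").date()
    return [toy_reset_code(serial, (base + timedelta(days=d)).strftime("%y%m%d"))
            for d in range(-window_days, window_days + 1)]


def keyed_reset_code(serial: str, yymmdd: str, device_key: bytes, length: int = 8) -> str:
    """Contrast (illustration only, not Hikvision's newer method): the same public
    inputs mixed with HMAC-SHA256 under a per-device secret shared only between the
    device and the vendor's reset service. Knowing the algorithm is no longer enough;
    without device_key the attacker cannot reproduce the code."""
    msg = (serial + yymmdd).encode()
    digest = hmac.new(device_key, msg, hashlib.sha256).digest()
    return "".join(KEYBOARD_CHARS[b % len(KEYBOARD_CHARS)] for b in digest[:length])


if __name__ == "__main__":
    serial = "EXAMPLE-SN-0001"            # constructed serial, not a real device
    print("support hands out:", toy_reset_code(serial, "170808"))
    print("attacker computes:", attacker_candidates(serial, "170809"))
    print("keyed variant:    ", keyed_reset_code(serial, "170808", b"per-device-secret"))
```

Run it and the support code for 170808 appears in the attacker's five-entry list computed from a guessed date of 170809; change `TOY_MAGIC` and both sides change together, which is exactly why the real scheme fell once the constant and the loop were extracted from the tools.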

 

I thought the codes generated on the forum were for older versions and didn't work anymore. But maybe they still work on NVRs?

From our tests, the recorders can still be reset with these codes, though not always via SADP; in some cases the reset had to be done from the recorder's local console. Still, they work, and present a security risk.

 

Unless we are missing something, we tried the IPCT generator on some newer firmware products and it didn't work. We will try again to confirm.

Sean - can you provide details on what products/firmware versions you tested? Also, did you try the reset codes only via SADP or also from the local console?

The reset tool works at the NVR itself on "older" firmwares that have the hidden menu that allows you to enter a secure code.  The newer firmwares don't have the hidden menu on NVRs/DVRs, instead asking for a GUID password file that is supposed to be created during the initial setup. 

This morning I tested it on a camera with firmware 5.4.0, a camera with firmware 5.4.3, and 5.3.6 and none of them worked. 

However, it will reset cameras with firmware below 5.3.0.  I tested it on an OEM DS-2CD2020-I with firmware 5.2.0 and it worked.

This morning I tested it on a camera

As mentioned multiple times in the report, this was targeted at recorders, not cameras. Even recorders with recent firmware could be bypassed using the codes generated.

Overall, I consider recorders to be a bigger risk than cameras for this. If you are deploying a Hikvision recorder, the cameras are typically going to be "behind it" from a network perspective, and most likely not directly accessible. Additionally, the cameras would typically not store any video.

The recorder, however, has stored video, and provides access to all the cameras connected to it. Bypassing the recorders authentication opens up the user to a much larger overall risk.

To be fair, HIK is not the only manufacturer with a back door around a password. I had a client lose the password to their Bosch Dibos DVR, and the factory provided a work-around which allowed me to reset to default. Granted, this was around 2003 or so, but I'm sure some manufacturers still do things this way.

You are correct that Hikvision is not the only company with a back door password; we pointed out Dahua and XiongMai as two other companies that also take this approach. It was also noted that this is far less common among non-Chinese manufacturers, but if anyone has specific current references (e.g., a 2003 scenario is not a valid example) we would be interested in hearing what other manufacturers take this approach.

Additionally, there is a difference between a "reset to defaults" and an admin password reset. With a default reset, the situation should be much more obvious, and would hopefully include wiping out stored video or making it unretrievable. This at least makes it easier to notice that the unit has been compromised, and hopefully makes it so that someone cannot retrieve data from the unit if it is compromised. It also matters how the reset is carried out, requiring physical access to a switch or jumper inside the unit also makes it much more difficult for an attacker to do this without being noticed.

 

Yes, as mentioned in my post, a 2003 anecdotal reference has questionable validity in 2017; however, I wouldn't be surprised to find this is still a practice even for non-Chinese companies. And I do recall that the only change to the Bosch unit was a resetting of the password; all data was left intact. A final note: saying that there is a difference based upon what "should be" and "hopefully" is happening doesn't validate any difference.

This used to be the way. I am pretty sure that this method works for 90% of the Hikvision devices out in the field. I have used IPCAMTALK's tool mostly to reset admin passwords, but lately with newer Hikvision firmware, 5.4.x (these are for cameras), the method discussed here no longer works.

On a NEWER Hikvision firmware, one would have to export a xml file from the camera/dvr using SADP on a local network, then, send it over to Hikvision Techsupport. Hikvision Techsupport would email you back a one time reset file that you can import back using SADP, then the admin password would be reset.

Hikvision did make sure that my cameras were purchased through authorized resellers such as ADI before assisting me further.

Myung, thanks for the feedback.

Hikvision did make sure that my cameras were purchased through authorized resellers such as ADI before assisting me further.

Question: curious, how did they make sure of that?

Hikvision USA were able to distinguish if the products were sold to ADI, Tri-Ed versus an OEM like Winic.

They must have access to Hikvision's China master database of some sort. I tried once to get tech support on a Winic Hikvision OEM, but they knew exactly that this was sold to Winic. They were pretty irate about it too, but understandably. Told me to call them because this is OEM Hikvision, not Hikvision brand.

Hikvision requires you to submit the serial number of the unit. That's how they track it. 

On really new Dahua firmwares, exporting the XML is also an option for resetting the admin password. Dahua also has a new online system that goes through their email server. You press "Forgot Password" on the GUI and it sends a security code for you to change the admin password on the local GUI.

UPDATE -

Added some additional detail to the W-Box test session to list the model number tested (0E-41TP1UN) and to clarify that it worked over SADP for older firmware, and via local console only for newest/latest firmware, 3.4.2.

 

This is starting to sound like old news. The online generator for older cameras and firmware has been online for years. Newer firmware has fixed that. When I first read this I was thinking someone had cracked the new way to reset password but that's not the case. 

The only problem here is that some devices still can have their passwords reset the old way because they're running old firmware, is that correct?

The only problem here is that some devices still can have their passwords reset the old way because they're running old firmware, is that correct?

Which hikvision models did you test with the latest firmware? 

OEM models might still have this issue because they don't upgrade to the latest versions or security protocols. That's up to the OEM.

I suspect this is for low-end models, not I and K series, neither Blazers. 

Will check when I get back to the office.

Just checking in again, was this test performed on branded hikvision products with the latest firmware? Or just the w-box unit? 

These are the models/firmware versions that we were able to successfully perform the admin password reset on:

Hikvision DS-7604NI-E1/4P firmware:

V3.4.3build 160822

V3.4.5 build 170224

Wbox 0E-41TP1UN firmware:

V3.0.8build 151103

 

We did also try the process on a Northern Video NVR and an LTS NVR, neither of which accepted the generated code when attempting an admin password reset.
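To turn the list above into something you can run against your own network, here is an added example (not IPVM's, Hikvision's or any OEM's code) that parses SADP ProbeMatch replies captured on the LAN and marks recorders whose model and firmware build match what this thread reports as accepting the generated code. The SADP element names (`DeviceDescription`, `DeviceSN`, `IPv4Address`, `SoftwareVersion`) and the capture port (UDP 37020) are assumptions from observed SADP traffic, adjust them to your captures; the sample payloads are constructed; and the affected/fixed table contains only what this thread states (the two DS-7604NI-E1/4P builds, the W-Box 3.0.8 build, and the W-Box fix in build 170816), so anything not in it is reported as unknown rather than safe.

```python
import re
import xml.etree.ElementTree as ET

# Firmware builds this thread reports as accepting the generated reset code
# (model -> set of (version, build)); not a vendor-published list.
CONFIRMED_AFFECTED = {
    "DS-7604NI-E1/4P": {("3.4.3", "160822"), ("3.4.5", "170224")},
    "0E-41TP1UN": {("3.0.8", "151103")},
}
# W-Box removed the code request in V3.4.2 build 170816 (per the update in this
# thread); earlier builds of that model still accepted the code.
FIXED_FROM_BUILD = {"0E-41TP1UN": "170816"}

# Accepts both spellings seen above: 'V3.4.3build 160822' and 'V3.4.5 build 170224'.
_VERSION_RE = re.compile(r"V?(\d+\.\d+\.\d+)\s*build\s*(\d{6})", re.IGNORECASE)


def parse_version(text):
    """Return (version, build) from a Hikvision-style version string, or None."""
    m = _VERSION_RE.search(text or "")
    return (m.group(1), m.group(2)) if m else None


def parse_probe_match(xml_text):
    """Extract model, serial, IP and firmware from one SADP ProbeMatch payload
    (element names assumed from observed SADP traffic on UDP/37020).
    Returns None for non-ProbeMatch payloads such as the attacker's own Probe."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    if root.tag != "ProbeMatch":
        return None

    def field(tag):
        return (root.findtext(tag) or "").strip()

    return {
        "model": field("DeviceDescription"),
        "serial": field("DeviceSN"),
        "ip": field("IPv4Address"),
        "firmware": parse_version(field("SoftwareVersion")),
    }


def classify(device):
    """'affected' only for builds this thread tested or builds older than a
    known fix; 'fixed' at or after the fix build; otherwise 'unknown'."""
    model, fw = device["model"], device["firmware"]
    if fw is None:
        return "unknown"
    if fw in CONFIRMED_AFFECTED.get(model, set()):
        return "affected"
    fixed_build = FIXED_FROM_BUILD.get(model)
    if fixed_build is not None:
        return "fixed" if fw[1] >= fixed_build else "affected"   # builds are YYMMDD, so string order works
    return "unknown"


def triage(payloads):
    """Return [(ip, model, firmware, verdict)] for a batch of captured payloads."""
    results = []
    for payload in payloads:
        dev = parse_probe_match(payload)
        if dev is None:
            continue
        fw = "V%s build %s" % dev["firmware"] if dev["firmware"] else "?"
        results.append((dev["ip"], dev["model"], fw, classify(dev)))
    return results


# Constructed sample payloads (serials made up, TEST-NET addresses); real replies carry more elements.
SAMPLE_PAYLOADS = [
    '<?xml version="1.0" encoding="utf-8"?><ProbeMatch><Uuid>1</Uuid><Types>inquiry</Types>'
    '<DeviceDescription>DS-7604NI-E1/4P</DeviceDescription><DeviceSN>EXAMPLE-SN-0001</DeviceSN>'
    '<IPv4Address>192.0.2.10</IPv4Address><SoftwareVersion>V3.4.5build 170224</SoftwareVersion></ProbeMatch>',
    '<?xml version="1.0" encoding="utf-8"?><ProbeMatch><Uuid>2</Uuid><Types>inquiry</Types>'
    '<DeviceDescription>0E-41TP1UN</DeviceDescription><DeviceSN>EXAMPLE-SN-0002</DeviceSN>'
    '<IPv4Address>192.0.2.11</IPv4Address><SoftwareVersion>V3.4.2 build 170816</SoftwareVersion></ProbeMatch>',
    '<?xml version="1.0" encoding="utf-8"?><ProbeMatch><Uuid>3</Uuid><Types>inquiry</Types>'
    '<DeviceDescription>0E-41TP1UN</DeviceDescription><DeviceSN>EXAMPLE-SN-0003</DeviceSN>'
    '<IPv4Address>192.0.2.12</IPv4Address><SoftwareVersion>V3.0.8build 151103</SoftwareVersion></ProbeMatch>',
    '<?xml version="1.0" encoding="utf-8"?><ProbeMatch><Uuid>4</Uuid><Types>inquiry</Types>'
    '<DeviceDescription>DS-2CD2020-I</DeviceDescription><DeviceSN>EXAMPLE-SN-0004</DeviceSN>'
    '<IPv4Address>192.0.2.13</IPv4Address><SoftwareVersion>V5.2.0build 140721</SoftwareVersion></ProbeMatch>',
    '<?xml version="1.0" encoding="utf-8"?><Probe><Uuid>5</Uuid><Types>inquiry</Types></Probe>',
]

if __name__ == "__main__":
    for row in triage(SAMPLE_PAYLOADS):
        print("%-12s %-16s %-22s %s" % row)
```

Feed it the payloads from a packet capture of the multicast/broadcast SADP traffic (the same traffic that makes the attack LAN-only) and you get a per-recorder verdict; the camera in the sample lands as unknown because, as noted above, the tool was targeted at recorders and this thread tested no camera builds against it.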

So based on Hikvision's bulletin, the newer NVRs aren't affected anymore. Those run the latest firmware, for example the I series NVRs.

The issue is only with the older NVRs. Cameras no longer work with this security code tools and newer NVRs don't either.

 

I don't believe Hikvision is the only manufacturer who has a way to take over a recorder without having the password codes. I have used others who have back doors when passwords are lost or forgotten so we can get back into the recorders (this includes some access control manufacturers as well). If I arrive at a competitor's site running these recorders I know I can take them over within minutes. You do have to be onsite (or remotely logged in to the local server with a TeamViewer type program) and within minutes have all passwords reset to defaults then changed to our standard password protocols. For 1 manufacturer I keep the back door instructions on my phone so I don't have to call tech support to help me back door in - and I'm not a tech, I'm in sales! So it isn't just a Hikvision issue; the reported way may be a different way to do it, but it's possible to get into other recorders without knowing the passwords.

Additionally, who would the end user be worried about with this code cracking information.  Seems that the hacker needs to be onsite - so it's unlikely an unknown person would be the culprit, and what's the chance that a known person would have the right skillset to pull it off - outside of the IT department - who may already have the passwords.

The biggest issue with this password reset method is that all you need to utilize it is access to the LAN. Once I plug my laptop into an unsecured port on the security network with HikVision cameras I now own them all. This is in comparison to other manufacturers that have a physical reset button that must be used to reset the admin password. Just my 2 cents on the discussion.

This forum seems to focus specifically on HIK even though some of the issues are industry wide. It grows tiresome. Being a professional site selling market research to the industry, personal attacks driven by animosity really do not belong. 

I agree. The same issues can be seen on a large range of CCTV Products. I just ended up focusing on HikVision in my comments because they were the topic of this post. Did not mean to target HikVision individually. 

I wasn't speaking of your post, but of this site's readily apparent animosity towards HIK. I really don't understand why they are focused on when there is a plethora of low-end IP camera manufacturers selling cheap cameras with poor or no cyber-security protections. I'm not defending HIK, quite the contrary, I typically stay away from so-called "bargain brands", unless specifically called out by my client. But as I said, I grow tired of seeing what is obviously a personal enmity portrayed as "market data". 

Steven, thanks for your feedback. I appreciate it.

As for our animosity towards companies, this is a common accusation. In alphabetical order, routinely ADI people think we hate them, Anixter people think we hate them, Avigilon people think we hate them, Axis people think we hate them, on and on...

Our focus is large players that impact the market. So Hikvision and ADI and Anixter and Avigilon and Axis, etc. are going to take far more criticism than small players. This is for a simple reason - those big companies far more impact the professional market (which is what IPVM focuses on) than smaller players.

plethora of low-end IP camera manufacturers selling cheap cameras with poor or no cyber-security protections

For example, recall the recent 175,000 camera vulnerability for 'NeoCoolCam'. We saw this immediately and reviewed this. We decided not to do a post, not because we 'like' the 'NeoCoolCam' people (we have no idea who they are) but because we know our members overwhelmingly neither use nor compete with them, so it is irrelevant to what they do.

I hope that helps explain our editorial process. Happy to answer more questions here.

personal attacks

Steven, what type of 'personal attacks' specifically do you feel IPVM is making against anyone?

Against HIK. If I were to count the total number of "negative" posts involving manufacturers, am I incorrect in postulating that the number of articles unfavorable to HIK would far outnumber articles referencing other manufacturers? 

Steven,

We have plenty of positive posts about Hikvision, just from the summer so far:

We are going to have more positive and negative posts about Hikvision than we are going to have about almost any other company because of Hikvision's sheer size.

Metrics such as this prove nothing. If you do a complete review, say for a period of 1 year, showing the number of favorable versus unfavorable results for the 5 most mentioned entities, what do you suppose that would show? My own perception is that you lean heavily towards the negative where HIK is concerned. I could be wrong, and it wouldn't even be the first time.

Steven,

You claim IPVM has made "personal attacks" and has "personal enmity" against Hikvision.

I have given you multiple examples of positive reporting that a reasonable person would conclude that someone with 'enmity' and 'personal attacks' would not do. And yet you dismiss it as, and I quote, 'nothing'.

IPVM criticizes lots of things and lots of companies and many companies are going to receive net negative criticism. But just because we are critical does not mean we are wrong or that we are 'personal' against them.

I am now asking you again - specifically what reporting that IPVM has made is 'personal' in nature against Hikvision?

Because the number of articles unfavorable to HIK seems to heavily outweigh articles unfavorable to other manufacturers. And a reasonable person would want to weigh the number of negative articles over the summer compared to the number of positive ones, and use that as a metric to compare with the positive / negative ratio of articles concerning other manufacturers. Stating that you posted 4 "positive" articles over the summer has no merit whatsoever without the comparatives mentioned above. So your statement that I dismissed your 4 as "nothing" wasn't entirely accurate. Because any reasonable person would disregard the 4 positive articles if there were 25 negative ones, and unless the other vendors mentioned shared this >5/1 ratio, the same reasonable person would probably conclude that you did indeed have some personal enmity against them. 

that you posted 4 "positive" articles over the summer has no merit whatsoever without the comparatives... disregard the 4 positive articles if there were 25 negative ones

Steven, be fair. We have not published anything close to 25 articles total on Hikvision this summer. If you want to criticize us that is fine, do it on facts; do not employ hypotheticals that are clearly false.

This summer, since June 21st, we have published 93 total articles, 12 of which have been on Hikvision, including this one here.

In addition to the 4 positive ones cited above, we have a positive comparison vs Dahua - Dahua 4K Turret Tested Vs Hikvision (N84BG44) and 2 other tests that are neutral to positive - Hikvision 8MP Low-Cost Camera Tested and Hikvision H.265+ Bullet Tested (2035).

So your hypothetical is clearly wrong.

That said, IPVM does not aim to be 50/50 on any company or topic. We don't have 'quotas' for 'positive' or 'negative' coverage. Our goal is to cover important topics to the industry accurately.

I will ask you a 3rd time Steven, beyond the sheer number of articles we write, what specifically in the actual reporting consists of 'personal attacks'?

Your argument, without evidence beyond your own opinion, incorrectly conflates 'numbers of negative posts' with 'bias'...  it is not true just because you say it is true.

Further, imo, the remainder of your comments are then focused on knocking down that self-created 'bias' straw man.

Hik is the world's largest surveillance equipment provider. THAT is the causation for 'numbers of posts'.

The higher number of negative posts in relation to lower number of positive posts can just as easily be ascribed to the way in which this company has historically handled/responded to repeated publicly exposed vulnerabilities in their own hardware/software.

If a company has experienced seemingly sustained occurrences of different vulnerabilities over a period of time - no matter what it is that this company produces - I find it hard to justify a claim of bias when the vast majority of news stories covering these sustained occurrences of vulnerabilities are negative.

I guess you missed the whole "my perception is" and "my opinion is" in my posts. And your whole "knocking down the bias straw man" is funny. I do enjoy slapstick humor. But I've now wasted far more time on an inconsequential subject than I originally intended. 

The best way for Hikvision to avoid having negative news would be for them to fix their constant security breaches, government subsidization, and other items that are brought up.  Complaining that someone calls them on it does not solve anything, solving and preventing these items does.

Note: Based on discussion here, we have started a new topic - Forgot Recorder Password, How To Recover?

Also, we are checking on the comment made about Dahua recovery method. Any inputs on other manufacturers, please add to this topic.

I think that the issue is that their method of password recovery is considered a back door.  This has been discussed here recently. 

Many manufacturers I have worked with, when you default the device, all programming is wiped, so that an attacker doesn't get access to the settings. This way, to someone watching the monitor, etc., all appears normal while they p0wned it on the network side.

 

Here, the reset simply wipes the password giving you full access to the system as it was previously configured. 

For best cyber security practices, this should be restricted to requiring physical access or out-of-bounds (OOB) access. A network device shouldn't allow a reset over the network.

Think about Cisco or other brand switches. You need physical access to press a button sequence and a console cable for local rs232 access. 

Hikvision just sent out an email Special Bulletin regarding this issue.  In it they said:

"The update is intended to clear up any misunderstandings stemming from an Aug. 9 online report of a so-called Hikvision 'security code' being 'cracked' via a security-code generating software program."

You don't think they are referring to IPVM's article, do you?!   :^P

UPDATE:

Hikvision has responded, though not directly to us, they did send a Special Bulletin email out. We have updated the report to reflect this:

Hikvision Responds With "Password Reset Update"

On August 10, 2017, Hikvision sent a 'Special Bulletin' with a 2 page document entitled "Hikvision NVR/DVR Password Reset Update". It explains a history of evolving approaches to resetting passwords across various recorders. We have requested a call with Hikvision technical representatives to go through the details and plan to update the post accordingly.

Two immediate notes:

(1) Hikvision refers to the security codes as "so-called Hikvision 'security code'". To be clear, we use the term 'security code' because that is Hikvision's own term for this feature, e.g., see excerpt of Hikvision documents calling it a 'security code'.

(2) Hikvision neither denies nor confirms that their security code was cracked. Rather they emphasize a newer approach that would overcome this problem. This approach is what we will be reviewing in detail with Hikvision and then posting an update.

The update clearly misses the mark.  1) The units CAN be reset by Hik or ANYONE else with the algorithm, which clearly has been cracked. As mentioned above, they don't want to really acknowledge that these codes exist, and anyone can call in and get one generated.  2)  They want you to send them a GUID key.  A properly locked down IP device that requires user authentication will NOT allow you to download this file via SADP, since you don't know the password and have not been authenticated.  The only thing that should be exposed is by the discovery tool/protocol - IP address and that is it...

 

I believe the generic term for these types of codes is "One Time Use Passwords", meaning that they are based on the time/date of the unit and will expire in 24 hours. Of course, from the screenshot, HIK seems to be providing the codes for a few days, again making it even more dangerous.

You can crack a windows machine admin login as well. Nothing new here.

I agree 100%.

I don't understand all this fuss.

The fact that you must be either physically plugged or on the same LAN, greatly decreases the risks.

And again, once you eventually reset the password and gain access to the DVR/NVR, you have access to some worthless, meaningless images that nobody cares about: only an idiot could spend time and effort pursuing that. You don't have access to personal data, credit card numbers, medical data, nothing. Once again, security in videosurveillance is way overestimated.

And thank God that you gave an utility to recover from lost passwords: last time a client of ours forgot the password of a Mobotix camera, he had to spend several hundred Euros to send the cameras to Mobotix in Germany, what the hell!!

P.S.: no big surprise Mobotix is virtually disappearing from the videosurveillance market and lost almost 60% of stock value in recent months.

I am beginning to be fed up by this completely biased, tabloid-style garbage journalism.

This time thumb completely down.

Giancarlo Favero

I don't understand all this fuss.

The fact that you must be either physically plugged or on the same LAN, greatly decreases the risks.

Yes, it is not as much a risk as the Hikvision backdoor.

However, it is certainly a risk and a risk that Hikvision was well aware of, that's why Hikvision changed the code generation process - Hikvision Responds To Cracked Security Codes.

UPDATE -

We had a technical update call with Hikvision on Friday August 11th to discuss the security code crack, and steps Hikvision has taken to make it more challenging to crack the security code. We will be publishing a new report tomorrow (August 15th) with our analysis of Hikvision's updated admin password reset process.

Glad to see you guys are on speaking terms again. It does appear that the Hikvision reporting has lately been more objective than opinionated. Excellent.

nice slam masquerading as a compliment.  :(

Update - Good/Bad Analysis Of Hikvision Response And New Method

Our analysis of Hikvision's response and the new password reset method has been released: Hikvision Responds To Cracked Security Codes

I guess you "like" HIK much. Try to test Dahua against RAT cctv super password - gaining access to Dahua DVR/NVR is more than easy.

I will neither confirm nor deny *shrugs*. Honestly, we just need physical reset buttons and just not have a password recovery method that's worth the time and effort altogether. Physical access should take care of everything. Then again, what do we do about physical theft?

UPDATE: W-Box fixed this in V3.4.2 build 170816 (download here). The option to request the code has been removed.

Update: Our new Interlogix test shows Interlogix recorders are still vulnerable to the cracked security code process:

Interlogix recorders' passwords may be reset using the Hikvision security code generator detailed in our report Hikvision Security Code Cracked. Entering a code from this tool in TruVision Device Manager resets the password to default (admin/1234). Note that Hikvision and other OEMs have removed this capability in new firmware.
