Hikvision Anti Hacking Firmware Tested

Author: Ethan Ace, Published on Jun 03, 2015

Hikvision has had historic hacking problems, with DVRs turned into Bitcoin miners, buffer overflow vulnerabilities, and finally culminating in the hacking of a Chinese province's cameras due to weak passwords.

In response to these attacks, Hikvision promised improvements to address these issues in updated firmware.

We tested this new firmware, version 5.3.0, to see how these features functioned, any potential drawbacks, and what impact this new firmware has on Hikvision devices being hacked.

************ *** ******** ******* ********, **** **** ****** *********** ******,****** ******** ***************, *** ******* *********** ** ********** ** * ******* ********'* ******* *** ** **** *********.

** ******** ** ***** *******,********* ******** ************** ******* ***** ****** ** ******* ********.

** ****** **** *** ********, ******* *.*.*, ** *** *** these ******** **********, *** ********* *********, *** **** ****** **** *** firmware *** ** ********* ******* ***** ******.

[***************]

Key ********

**** *** ************ ***** ** *.*.* ********, ********* ******* *** much **** ****** ** ** *********** ****** *** ** ***** *** ******** simple ******* ********* ** ******** ********* *******, ***** *** ******/******** forces * ****** ******** ****** ** *** ** ****. *******, some ***** *** **** ****** ******** ************ ******** ** ****** ** increased ************* *** *************** ****.

************, **** *** ********* ** ******* ***** **** (*** ************), brute ***** ******* ******** *** *** **** ****** ** *******, as ********* **** ** ******* ***********, ******** *** ******, *** users *** ** ********, ****** **** **** ** *****, *****, IP *********, ****** *******, ***. 

*******, *** ******* ** *** **********, ***********, *** ************ **** telnet ******** ****** * ******** **** ***** **** ** ********* of ******** *******.

Firmware ************

*.*.* ******** ** ********* *** *** ******** ************* ***'* ********** ***** ** ***** *******. ***** ** ***** ******* ****** check ***** ********** ********.

****: ********* ********** ******* ********** ***** ************* ** ******** (*.*., Chinese ******* ** ***** ******** *******), ** **** *** ******* for ********* *******, **** ********* **********, ***.

Device ********** *******

*** ******* *** ******** ** ******** *.*.* ** *** *** device ********** *******, ***** ****** ***** ** ****** * ****** password (*** *** ********* ** *********'* **** ********) ****** *** camera *** ** ******** ** ********* ** * ***. ********* must ******* ** ***** * ********** *** *** * *********** of *** ***** (*********, *********, *******, ** ******* **********), ****** this ** ***** ********** "****" ** *********. ** ***** ** create * "******" ********, ***** **** *** ** ***** ***** ***** of *********. 

*** ****** ********** ******* ** ******** ** **** *****:

**** ******** ******** ****** ********* ********, *** ***** **** *** downsides:

********* ************* ********

*** **** ********* ***** ****** *********, ********** ***** ***********, ** that ********* ************* ** ********. **** ****** ** ****** ***** ****** passwords *********, ********** **** ******* ** ************-**** ********, *** ****** with ***** ********.

************ *** ******* ***** *** **** ** **** ** ********* under **** ******, ***** **** *** **** ********* ****** ********* it. *******, ************* *** ****** ****** * ******* ******* ******** ***** is **** *** *** ******** *** **** ** ********, ***** still ******* ***** *****, *********** ******** **** ********.

*** ******** *********

****** ** ******** ***** *** ** ******** **** ****** *.*.* cameras ** ***** ***** ******** ******* *********. ***** ***** ***** do *** ****** ******* ******** ** ** *** ******* *** not *******, ***** ***** *** *** ******* **** *** ***** incorrect *********. **** *** ***** ********** ******** ** ******* ***** lock ** ****** ** (*****).

Illegal ***** ****

******* ***** **** ****** *** ****** **** ******** ** ********* after **** ****** ***** ********. ************, ****** *** ** ********* informing ************* ** ****** ***** ******** ** **** *** **** other ******* **** ** ******** *** ********* ********* ** *********, checking ******** ********, ***.

**** ******, ***** **** **** ** ******* ** ****** *** camera, ** *** ** *** * ********* ** *******, *** disable *** **-****** *** *******.

******* ***** **** ********* *** ***** ** **** *****:

***** *** **** ******

***** *** ******* ******** ******* ***** **** ** **** ******* to *** * ****** ** * *** ***** *** ******* credentials. ** *** *** ******** ** ********* *******, *** ****** may ***** *** ****** ** * ****** ** **** * few ******* ** ****** ********* *** *** *******. ** *** tests, ********** **** ********** ******* ********* ** ***** ***** *** ***********, *** ****** *** blocked ** ***** *** *******.

****** *******

*******, ********* ******* ****** ******* **** *** ******* ** *.*.*, a******* ******** ******** ** *******, ***** ** ** *********** *** *** **** ** ***** open ** *******. ***, * ******* ********, ** ***** ** use, ******* **** ** *** **** ********* ** ******** ****** is ********, ****** ** ** *********, ******* *** ****** *** and **** **** ********** ** ******.

** **** *****, ** ************ ******* ******* ******* *.*.* *** *.*.*, ******* *** *********** ** open/closed ***** *** ******* ********.

**** **********

*** ********** ***** ***** *** ********** ** **** *** ****** ports ******* * ****** ******* *.*.* ******** *** *** ******* 5.2.x, **** ****** ****** (** **** ** *** *** *****, which *** *** ******** ** *******).

Compared ** ***** *************

********* ** *** *** ***** ************ ** ********* **** ** these ******** ********, *** *** ** *** ***** ** ******* them. ** ******* * ******* ** ******** ***** ** ***** manufacturers *****. ******* ****** *** *** ** ****** ********* - ****, *****, ******* ****** *** **** *******.

******* ******** * ****** ********** ******* ******* ** *********, ******** in 2.x *********. ***** *** ******** ** ****** * ****** ******** (**** more ******* **** *********, **** *****) ****** *** ****** *** be ******** ** ***** ** * ***.

**** *** ****** ***** ** ****** * **** ********, *** users *** ***** ****** *** "****", *********** *** **** ** keeping *** *******. ************, ****** *** ******** ** *******, ***** is ******* ***** *** ****/**** ***********, ******** *** ****** ** be ***** ** *****.

*******, ***** **** *** ******* *** ****** ******** ************, **** passwords ********** ** "*****". *******, **** *** *** ** *** other ************* ** ******* ***** ************ ** ******** ****** ***** attempts. ******, ****** *********, *** ****** **** *** *********** ***** the ********* ** *******, ******** *** ****** ** ********.

What ** *** *****?

** ***** ********* ** *********'* *.*.* ******** ** ****** ** prevent *******? ** **** ******** *******?

 

 

Comments (15)

Meghan Uhl

06/03/15 07:29pm

******* ** ***** ** "******* *******". * ***** **** *** a ****** **** *** ** ********* ** *** ** **** as **** ********* - ***'** *** ****. *** **** ***** - *** **** ** *** ***** ** ** **** ** accept ****, **** ******** *********** ** ***, *** ******** ********* we ***, **** *** *** **** *** ***'* ***** ** it. ********* **** ** **** **** ***'** ***** ***** ********** but **** ********** **** ** *** **** & ***** ***'* keep ***** ******* ****, **** ***'* ****** ** **** ***** security ****** ***% **** ******.

Tyler Fenby

06/03/15 09:00pm

*****'* **** ********** ** **** ****** ********** ****** ******** ******* as ****? ***'* *** * *** **** ***** ** **** after ****.

Bob Germain

In reply to Tyler Fenby | 06/07/15 12:53am

*****- *** ****** ******** ***** *** ********* **** ****, ****** a **** ** ** ***** ******** ** ** (*********). ********* has *** ** ******** ********* *** *** ********* ** ******* concerns *** ******. ** **** ***** **-**** *** ***** ****** reports ** *** ******** ******** ******.

***

Steve Mitchell

06/03/15 10:10pm

*** ******. ********* *********'* *****: * ****** ** *** **** for ***** ***** ** *****. *** **** ** *** ********'* own *****: ***/**** (*** *******) ***** ***** *** **** ***** of ******** *************** ** ********* ** ********* (***/*******) *** ******* the ******** ********* ** ************** ** ******* ******* ******* **** have ******* ** *** ** ******** **** *** **** **+ years. *********, *****, **, **., ******* ******** ******* ****** *******, and **** ** ***** *** *** ** ** ****** ******* these ************* ** **** ******** ** ****** **** ******** ** kept **-**-****. *** ******** ** ******** ***** ** ** "***-*********" and ** **** *****'* **** *** *** **** ** **** software **-**-**** ** ******. ************, **** ********* **** **** ******* remain *********.

Tyler Fenby

In reply to Steve Mitchell | 06/04/15 12:37pm

*'* *** **'* * ******* **** ******* **** ******* ** security. **, ** **** ****** **** ***'* ********** *** ******* of ****** * ****** ********** ** ***** ****** ****** ** the ***** **** ** ** ******* *** ****** **** ** doesn't **** *** ******* ***************. **** ** *** ****** ***** that **** ******** (*** *** ********** ** ******) *** * perfect *******.

Steve Mitchell

In reply to Tyler Fenby | 06/04/15 04:59pm

*****, ***'** *****, ** ***/**** ***** ******* ** ********. ** exists ** *** ******* ***** ******* *** *** ********* ******* with *** ********** ******** *****.

** ***** ** *** ******* ** ** **** **-**-**** *** thus ********** **** ** ***** ******** *************** *** ****** **** to *****:

  1. *** ************ ***** ** **** ************ ******* ******** ******* *** provide ********** ******* ******* *** ** ****** (** *** *************) applied.
  2. *** ******** ***** ** ********* **** ******* ******* *** ******** to **** ***** ****** ******, *** **** ************** *** ******** the ******* *** *******. **** **** ** **** *** ************ accountable, *** ******* ******** ********** ***** (*.*, ********* *******) ** update ***** ******* ******** ********.

*** ** ******* ***** ********* ** * ********: ** *** extreme **** ******* * ****** *** ***** ****** **, ** the ***** ******* **** *********** ***** *******.

*** ******** ******** ***** ** **** ******* *** ****** **** of **** ********. **** ********* ********* ****’* ****** ********* ** the ******** ** ***** ***/**** (** **** ******’* *** ****** run ** ***** *******), *** ********* *** *** **** *********** for ******* ***** *************** ** *****. * ***’* ******* **** will ****** **** ****** *** ***-********* ******** ******** **** ** some ** *** **** ********* **** *** **** ****** ** the ** *******.

**** ******* ** ****** *************** ** * ***** ***. *** I ******* **** **** *** ** ****** * ******* ** an ***********/******* ***** ******* *** ******* ** *** *** ** date (************, *** ****/*****-****** ***********). **** ******* ** ***** ‘*****’*’ typically ** ***-** ******, *** *****’* **** **** **** ****** be ******** ** ****** ***** ******* ***** ****** *** *************** and ***** **** ******** ** ** **** ***** ****** *******.

Undisclosed End User #2

In reply to Steve Mitchell | 06/04/15 05:10pm

* ***** *** **** ***** ***** **** *********** ****** ** Hikvision. *** ******* *** *** *** **** *** ******** *********** passwords. **** ****** ****** ******** *********** *** ********** ** ** their *** ********. *** ******* ** * **** ******** ******* and **** ****** ***** ******* ** * **** **** ****** than **** ******.

** *** ****** **** *** * ****** **** **********, *** alone * ******** ******, **** ******* ********* ** *****. *** it ***** ** **** ***** ** ******* ** ***** ** seconds ** ****** *** **** **** ******* ** **** *******.

******* *** ************ *** **** ** **** ******* **** **** your *** *** ****** ******* *** **** ** ******** *** the *** ** *** ********. * *** ** ************** ***** to *** ************* *** ********.

* ***** **** *** * *** ** ***** ** ** was * ******* ******* *** **** ***** ********* *** **** cameras *** ********* ***** ******** (**** ******** *** ***) *** exactly ** ********** **** *** ************** ***'* *** ****** ******** protocols.

John Honovich

IPVM | In reply to Undisclosed End User #2 | 06/04/15 05:19pm

"******* *** ************ *** **** ** **** ******* **** **** your *** *** ****** ******* *** **** ** ******** *** the *** ** *** ********. * *** ** ************** ***** to *** ************* *** ********."

****'* * **** *****.

"*** **** ******* *** ********* ***** ******** (**** ******** *** not) *** ******* ** ********** **** *** ************** ***'* *** proper ******** *********."

****** **** *** ****** ******* * ******** **** ***** ***** for * *** *****, ***** ***** ** ******** ******* ****.

Bob Germain

In reply to Steve Mitchell | 06/07/15 01:04am

*****- *** ***** ** *** **** * ****** *** *** already **** ********* ** ***** ******** ********. **** *** ****** Activation ******* *** **** ** *********** *** **** **** *** takes *** ******** ** * *** *****.

** **** ******** ******** ****** **********, ********* ****, ****, ** Cameras, **** ****** ****, ****-****, *** ***** ***********, ***, ** is *** ****** ********* **** ** ********* *** ********. ** are **** ********* ******* ****** ** ****** ********* **** **** new ******* ** *** ** **** *********** ***** ********* ** taking.

**** *******

***

Undisclosed Integrator #1

06/03/15 11:18pm

*** ********* **** *** **** ** ******* ** **** *** firmware?

Thumbnail image

Jon Dillabaugh

Pro Focus LLC | 06/05/15 03:58am

**** ******* **** *** ******* **** ******** ** *********, ***** than ***** *** ********* **?

**** ******* ** * ************* ******* ** ******* *** ***** user *******? **** * ***/*** ***** *** **** ***** **** connection ***?

** **, * ***** * *** *************.

Chris Dearing

IPVMU Certified | In reply to Jon Dillabaugh | 06/05/15 04:37am

** *** *** **** **** ***** ******** **** *** **** machine/IP ** *** ***, *** **** *** ******* ********** ******(*), forcing *** *** ** **-************, **** *** ****** ** ******.

David Oleksy

In reply to Jon Dillabaugh | 06/06/15 10:59pm

** *****'* ***** *** *******. ** ****** *** ** ******* with *** **** ****** ***** ********.

Thumbnail image

Jon Dillabaugh

Pro Focus LLC | In reply to David Oleksy | 06/07/15 12:27am

***** ***** ** ********* ** ******** *** **?

Bob Germain

06/05/15 11:24am

*****- *** ******** ** *** ********* ** *** ********* *** website.

****://***.*********.***/**/**/********.***

*** ***** *******, ****** ** ** **** ******** ********* ******* for ********* *********.

Login to read this IPVM report.
Why do I need to log in?
IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

Related Reports

Avigilon 'Blue' Cloud Entry Examined on Sep 19, 2017
Avigilon is moving to the cloud. The company announced their Avigilon Blue platform, designed to be a web-managed surveillance system, utilizing...
Hikvision Backdoor Exploit on Sep 18, 2017
Full disclosure to the Hikvision backdoor has been released, allowing easy exploit of vulnerable Hikvision IP cameras. As the researcher, Monte...
September IP Networking Course on Sep 14, 2017
LAST Chance - Registration is ending. Register now. This is the only networking course designed specifically for video surveillance professionals...
Genetec Launches Community Connect Examined on Sep 14, 2017
Genetec has done best in large-scale, enterprise systems and relatively worse in smaller systems such as SMB. Now, Genetec is launching...
Geovision Doorstation Tested (CS1320) on Sep 12, 2017
Geovision has released the GV-CS1320 door station, priced at a fraction of others, with additional bells and whistles like a built in card reader,...
Axis vs Sony Super Size Shootout (Q1659 vs SNC-VB770) on Sep 11, 2017
Super low light, super sized sensor cameras are a growing trend. In the past year, 2 of the most notable entrants for these IP cameras have been...
DoorBird D101 Tested Vs Ring and Axis on Sep 01, 2017
Video doorbells are a big growth market, with Ring, in particular gaining a lot of attention on the consumer side and Axis making a push on the...
Fortune 500 Company Bars Dahua and Hikvision on Aug 30, 2017
A Fortune 500 company has barred Dahua and Hikvision cameras from a large RFP due to cyber security concerns, IPVM has confirmed with the...
Security Press Wrong About New NY State Video Law on Aug 29, 2017
SecurityInfoWatch wrongly declared: N.Y. governor signs bill outlawing video surveillance of neighbors SDM wrongly affirmed: It is now illegal to...
Hikvision Happy With Bad Security Unless Hit With Bad Press on Aug 28, 2017
Hikvision is happy to have bad cyber security unless they are hit with bad press, as we detail inside. When you look at the pattern of their...

Most Recent Industry Reports

Genetec Launches Cloud Access Control (Synergis SaaS) on Sep 21, 2017
Genetec's cloud everything expansion continues, with their announcement of Synergis SaaS edition, joining their cloud video offering Stratocast,...
Genetec CEO Warns Against Insider Threats on Sep 21, 2017
With Dahua and Hikvision cybersecurity issues becoming indisputable, a new counter has emerged. Just put them behind a firewall, buy cheap...
Automatic Door Operators For Access Tutorial on Sep 20, 2017
Opening and closing doors might sound simple, but it takes a high-tech piece of door hardware to pull it off. Integrating automatic door operators...
'Clowns' Allege Ubiquiti 'Completely Fraudulent' on Sep 20, 2017
A short seller has alleged Ubiquiti is 'completely fraudulent'. Ubiquiti's CEO has responded calling them 'clowns'. Here is the short...
Avigilon 'Blue' Cloud Entry Examined on Sep 19, 2017
Avigilon is moving to the cloud. The company announced their Avigilon Blue platform, designed to be a web-managed surveillance system, utilizing...
HID Buys Mercury Security on Sep 19, 2017
One of the biggest access control deals in years. Mercury Security, the most widely used access hardware OEM, and partner to 20+ manufacturers,...
Hikvision Backdoor Exploit on Sep 18, 2017
Full disclosure to the Hikvision backdoor has been released, allowing easy exploit of vulnerable Hikvision IP cameras. As the researcher, Monte...
Avigilon Touting 'Made In America' on Sep 18, 2017
Canadian manufacturer Avigilon, who completed a US manufacturing facility in 2015, is now running a marketing campaign touting 'Made In America',...
Cloud Guy Prints Book, Misses Irony on Sep 15, 2017
On-premise security systems are dead. But $75 print books are alive and well. Such are the lessons from Brivo's CEO new book "The Five...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact