Hikvision Anti Hacking Firmware Tested

Hikvision has had historic hacking problems, with DVRs turned into Bitcoin miners, buffer overflow vulnerabilities, and finally culminating in the hacking of a Chinese province's cameras due to weak passwords.

In response to these attacks, Hikvision promised improvements to address these issues in updated firmware.

With the improvements added in 5.3.0 firmware, Hikvision devices are much less likely to be compromised simply due to users not changing simple default passwords of internet connected devices, since the camera/recorder forces a unique password before it may be used. However, some users may find strong password requirements annoying or result in increased documentation and troubleshooting time.

Additionally, with the inclusion of illegal login lock (and notification), brute force hacking attempts are far less likely to succeed, as attackers will be blocked temporarily, stopping the attack, and users may be notified, giving them time to react, block, IP addresses, report attacks, etc. 

Finally, the removal of the vulnerable, unencrypted, yet infrequently used telnet protocol closes a security hole often used by attackers of embedded devices.

Firmware Availability

5.3.x firmware is available now for download from Hikvision USA's website [link no longer available] for those in North America. Users in other regions should check their respective websites.

Note: Hikvision recommends against installing other localizations of firmware (e.g., Chinese instead of North American English), as they are altered for different regions, with different interfaces, etc.

Device Activation Process

The biggest new addition in firmware 5.3.0 is the new device activation process, which forces users to create a secure password (via web interface of Hikvision's SADP software) before the camera may be accessed or connected to a VMS. Passwords must contain at least 8 characters and use a combination of two types (uppercase, lowercase, numbers, or special characters), though this is still considered "weak" by Hikvision. In order to create a "strong" password, users must use at least three types of character. 

The device activation process is reviewed in this video:

This password creation scheme increases security, but comes with two downsides:

Increased Documentation Required

The main complaint about strong passwords, especially among integrators, is that increased documentation is required. Many choose to simply leave camera passwords defaulted, especially when working in surveillance-only networks, not shared with other services.

Installation and service techs may need to look up passwords under this scheme, where they may have otherwise simply memorized it. However, organizations may simply create a company default password which is used for all projects and easy to memorize, while still meeting these rules, effectively negating this argument.

VMS Defaults Incorrect

Novice or consumer users may be confused when adding 5.3.0 cameras to VMSes using outdated default passwords. Since VMSes often do not supply verbose feedback as to why cameras did not connect, these users may not realize they are using incorrect passwords. This may cause additional problems if illegal login lock is turned on (below).

Illegal Login Lock

Illegal login lock blocks all logins from specific IP addresses after five failed login attempts. Additionally, emails may be triggered informing adminstrators of failed login attempts so they may take other actions such as blocking and reporting offending IP addresses, checking firewall settings, etc.

Once locked, users must wait 30 minutes to access the camera, or log in via a different IP address, and disable and re-enable the feature.

Illegal login lock functions are shown in this video:

VMSes May Lock Camera

Users may quickly activate illegal login lock if they attempt to add a camera to a VMS using old default credentials. As the VMS attempts to reconnect quickly, the camera may block its access in a matter of only a few seconds if proper passwords are not entered. In our tests, forgetting that a Hikvision 4132 was connected to Exacq using old credentials, the camera was blocked in under ten seconds.

Telnet Removed

Finally, Hikvision removed Telnet support from all devices in 5.3.0, a service commonly attacked by hackers [link no longer available], since it is unencrypted and the port is often open by default. SSH, a similar protocol, is still in use, serving many of the same functions if terminal access is required, though it is encrypted, secured via public key and much less vulnerable to attack.

In this video, we compared NMAP scans of cameras running 5.3.0 and 5.2.x, showing the differences in open/closed ports and running services.

NMAP Comparison

The comparison below shows the difference in open and closed ports between a camera running 5.3.0 firmware and one running 5.2.x, with telnet closed (as well as ftp and https, which are now disabled by default).

Compared To Other Manufacturers

Hikvision is not the first manufacturer to implement each of these security features, but may be the first to combine them. We provide a summary of measures taken by other manufacturers below. Readers should see our IP Camera Passwords - Axis, Dahua, Samsung report for more details.

Samsung includes a device activation process similar to Hikvision, starting in 2.x firmwares. Users are required to create a secure password (even more complex than Hikvision, seen below) before the camera may be accessed or added to a VMS.

Axis now forces users to create a root password, but users may still simply use "pass", effectively the same as keeping the default. Additionally, before the password is created, ONVIF is enabled using the root/pass combination, allowing the camera to be added to VMSes.

Finally, Dahua does not include any secure password requirements, with passwords defaulting to "admin". However, they are one of few other manufacturers to include email notification of repeated failed login attempts. Though, unlike Hikvision, the camera does not temporarily block the attacking IP address, allowing the attack to continue.

What Do You Think?

Do these additions to Hikvision's 5.3.0 firmware do enough to prevent hacking? Or will problems persist?