Hikvision Fails To Fix Unsafe Browser Plugin

By: Ethan Ace, Published on Mar 21, 2018

More than 2 years ago, Hikvision committed to resolving the use of unsafe and ineffective browser plugins. Despite that, today, Hikvision still has not solved this.

Here is Hikvision's original statement and commitment in 2015:

We covered this issue when it first happened, in our 2015 report Google Breaks Surveillance Browser Support.

In the meantime, more browsers have discontinued support for these unsafe and ineffective plugins (the NPAPI and ActiveX plugin models), and major Hikvision competitors have moved to plugin-free video. By contrast, Hikvision still requires Internet Explorer, a legacy browser and the only major one that still loads its plugin.

Inside, we examine how Hikvision has failed to resolve this and key competitors who have.
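A practical check that follows from the above, added here as an example and not taken from the report: a small Python audit that tells a plugin-dependent camera web UI from a plugin-free one by the markup it serves. An `<object classid="clsid:...">` loads an ActiveX control (Internet Explorer only); an `<embed>` or `<object>` with a vendor `application/x-...` MIME type, or a link to a `.exe`/`.cab` installer, is the NPAPI-era pattern; a `<video>` element fed through MediaSource, or an `<img>` pulling MJPEG, plays without any plugin. The two sample pages, the GUID and the file names in them are constructed for the example, not copied from Hikvision or any other vendor.

```python
"""Flag camera web UIs that depend on a browser plugin.

Added example, not code from the original report. The HTML samples at the
bottom are constructed for illustration and are not any vendor's real page.
"""
from dataclasses import dataclass, field
from html.parser import HTMLParser
import re

# MIME types a modern browser plays natively; these are NOT plugin markers.
NATIVE_VIDEO_TYPES = {
    "video/mp4", "video/webm",
    "application/vnd.apple.mpegurl", "application/x-mpegurl",  # HLS playlists
}
# Installer downloads a plugin-based UI typically links to.
INSTALLER_RE = re.compile(r"\.(cab|exe|msi|pkg|dmg)(\?|$)")


@dataclass
class PluginReport:
    activex: list = field(default_factory=list)  # classid values: IE-only ActiveX controls
    npapi: list = field(default_factory=list)    # plugin MIME types / installer links
    native: list = field(default_factory=list)   # <video>, MJPEG <img>, MediaSource use

    @property
    def requires_plugin(self) -> bool:
        return bool(self.activex or self.npapi)


class _Scanner(HTMLParser):
    def __init__(self, report: PluginReport):
        super().__init__()
        self.report = report
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").lower() for k, v in attrs}
        if tag == "script":
            self._in_script = True
        elif tag == "object" and "classid" in a:
            # classid="clsid:..." loads an ActiveX control: Internet Explorer only.
            self.report.activex.append(a["classid"])
        elif tag in ("object", "embed"):
            mime = a.get("type", "")
            if mime in NATIVE_VIDEO_TYPES:
                self.report.native.append(mime)
            elif mime.startswith("application/x-"):
                # Vendor plugin MIME types (and Flash) are served through NPAPI.
                self.report.npapi.append(mime)
        elif tag == "a" and INSTALLER_RE.search(a.get("href", "")):
            self.report.npapi.append(a["href"])
        elif tag == "video":
            self.report.native.append("video")
        elif tag == "source" and a.get("type", "") in NATIVE_VIDEO_TYPES:
            self.report.native.append(a["type"])
        elif tag == "img" and re.search(r"mjpe?g", a.get("src", "")):
            self.report.native.append("img:mjpeg")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Plugin-free H.264 playback in the browser goes through MSE.
        if self._in_script and "MediaSource" in data:
            self.report.native.append("MediaSource")


def audit_html(html: str) -> PluginReport:
    report = PluginReport()
    scanner = _Scanner(report)
    scanner.feed(html)
    scanner.close()
    return report


def audit_pages(pages: dict) -> dict:
    """Map page name -> True if a plugin is required; handy for a fleet sweep."""
    return {name: audit_html(html).requires_plugin for name, html in pages.items()}


# Constructed sample 1: the plugin-era pattern (fake GUID, fake file names).
PLUGIN_UI = """
<html><body>
<object classid="clsid:00000000-0000-0000-0000-000000000000" id="player"></object>
<embed type="application/x-example-webplayer" src="live"></embed>
<a href="/download/WebComponents.exe">Install the plugin to view video</a>
</body></html>
"""

# Constructed sample 2: plugin-free pattern (HTML5 video fed by MSE, MJPEG preview).
PLUGIN_FREE_UI = """
<html><body>
<video id="live" autoplay muted><source src="/live.m3u8" type="application/x-mpegURL"></video>
<img src="/cgi/mjpeg?ch=1" alt="preview">
<script>const ms = new MediaSource(); /* fMP4 fragments appended here */</script>
</body></html>
"""

if __name__ == "__main__":
    for name, html in {"plugin_ui": PLUGIN_UI, "plugin_free_ui": PLUGIN_FREE_UI}.items():
        r = audit_html(html)
        print(name, "requires plugin:", r.requires_plugin, r.activex, r.npapi, r.native)
```

Pointing `audit_html` at the login page of each camera on a VLAN (fetched with whatever HTTP client you already use) gives a quick inventory of which devices still force a plugin, and therefore Internet Explorer, onto operator workstations. HLS playlist types such as `application/x-mpegURL` are deliberately excluded from the plugin match so a modern UI is not reported as a false positive.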


Comments (46)

Maybe when the "Government's IT guy" takes time to fly to CA to review Hikvision's source code they can help them resolve this.

U1, one day it would be funny to sit down with you in person with a beer or two (or more), and just exchange opinions/ideas/reflections/B.S. with each other... )


LMAO. Y'all would need nothing less than hard liquor for that meeting, Bash.

No need - just wait for a CA developer to leak it all over social media for a few extra views or use one of the US's close friends in the Kremlin to hack it...

new IPVM booth handout request:  bumper sticker:

FRIENDS DON'T LET FRIENDS RUN VIDEO PLUGINS

(line 2 is url of this article https://ipvm.com/reports/hikvision-npapi)


Since you guys have tested Axis and Hanwha cameras with plugin-free H.264/H.265 streams in the browser, what was your findings about latency? 

I find that most solutions that provide real-time, no-latency plugin-free video on browser are based on MJPEG, but for H.264/H.265 the problem is deeper since there is no single solution that can work in multiple browsers and operating systems.

I'm just curious to find how was the rendering latency from these cameras, because for example if they are using HLS (HTTP Live Streaming) technique, this would introduce at least 2 seconds delay due to the nature of HLS, which would make it impossible to control a PTZ camera

I was told that the latency in Hanwha cameras with plug-in free H.264 or H.265 is less than about 500mS in any web browser.
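To make concrete what the MJPEG-based plugin-free approach mentioned above involves, here is an added example, not posted by any participant in this thread: a parser for the `multipart/x-mixed-replace` framing that an `<img>` tag consumes for MJPEG live view, including the truncated-frame case. The boundary name and the stub JPEG bytes are constructed for the example.

```python
"""Parse an MJPEG stream of the kind a plugin-free <img> live view consumes.

Added example, not from the original thread. Plugin-free MJPEG live view is
usually served as multipart/x-mixed-replace: a boundary line, a few part
headers, then one complete JPEG, repeated for every frame. A frame is usable
the moment its last byte arrives, which is why MJPEG stays near real time.
The sample bytes below are constructed (stub JPEGs, not a camera capture).
"""


def iter_mjpeg_frames(stream: bytes, boundary: str):
    """Yield (headers, jpeg_bytes) for every complete part in `stream`.

    Uses Content-Length when the camera sends it; otherwise falls back to
    scanning for the next boundary, which is fragile because the boundary
    bytes could legitimately occur inside JPEG data.
    """
    delim = b"--" + boundary.encode()
    pos = stream.find(delim)
    while pos != -1:
        pos += len(delim)
        if stream[pos:pos + 2] == b"--":        # closing delimiter: end of stream
            return
        hdr_end = stream.find(b"\r\n\r\n", pos)
        if hdr_end == -1:                       # headers truncated: wait for more data
            return
        headers = {}
        for line in stream[pos:hdr_end].strip().split(b"\r\n"):
            if b":" in line:
                name, value = line.split(b":", 1)
                headers[name.strip().lower().decode()] = value.strip().decode()
        body_start = hdr_end + 4
        if "content-length" in headers:
            length = int(headers["content-length"])
            body = stream[body_start:body_start + length]
            if len(body) < length:              # frame truncated: never emit a partial JPEG
                return
            next_pos = stream.find(delim, body_start + length)
        else:
            next_pos = stream.find(delim, body_start)
            end = next_pos if next_pos != -1 else len(stream)
            body = stream[body_start:end].rstrip(b"\r\n")
        # Only emit bytes framed by JPEG SOI (FFD8) and EOI (FFD9) markers.
        if body[:2] == b"\xff\xd8" and body[-2:] == b"\xff\xd9":
            yield headers, body
        pos = next_pos


def _stub_jpeg(tag: int) -> bytes:
    """Constructed stand-in for a JPEG: SOI, filler, EOI. Not decodable."""
    return b"\xff\xd8" + bytes([tag]) * 8 + b"\xff\xd9"


BOUNDARY = "frame"  # constructed; a real camera announces its boundary in Content-Type
SAMPLE_STREAM = b"".join(
    b"--frame\r\nContent-Type: image/jpeg\r\nContent-Length: %d\r\n\r\n%s\r\n" % (len(j), j)
    for j in (_stub_jpeg(1), _stub_jpeg(2), _stub_jpeg(3))
) + b"--frame--\r\n"

# The same framing without Content-Length, as some cameras send it.
SAMPLE_NO_LENGTH = (
    b"--frame\r\nContent-Type: image/jpeg\r\n\r\n" + _stub_jpeg(9) + b"\r\n--frame--\r\n"
)


def frame_count(stream: bytes, boundary: str = BOUNDARY) -> int:
    return sum(1 for _ in iter_mjpeg_frames(stream, boundary))


if __name__ == "__main__":
    for headers, jpeg in iter_mjpeg_frames(SAMPLE_STREAM, BOUNDARY):
        print(headers, len(jpeg), "bytes")
    print("truncated stream yields", frame_count(SAMPLE_STREAM[:-15]), "complete frames")
```

Each part carries one complete JPEG, so a frame can be displayed as soon as it has arrived, which is the source of the near-zero latency the comment describes; the trade-off is bandwidth, since every frame is a full image rather than an H.264 delta. A streaming reader would keep the unconsumed tail of its buffer when the generator stops on a truncated part and resume once more bytes arrive.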

(Years-old) advice to vendors: use the now-unencumbered H.264 plug in.  No need for a plug-in to kludge around your use of proprietary H.265 code.  Use HTML 5, not Flash.  Even the HVAC vendors know to use HTML-5.  Stop providing attack vectors into customer's browsers.  Make sure your product doesn't cause fits when viewed with Chrome or Edge on Windows 10, or Chrome on other platforms.  P.s. Chrome is a free download, don't tell us this is hard to test.


Frankly, I have more than twice found myself wondering what's hidden inside these plugins...

Plugins like that are so late-'90s.

How long until Hikvision covertly installs a search bar?

Mystery meat.  Even if it's digitally signed.  Virtually guaranteed hasn't been updated since the integrator hung that camera on the wall years ago.  Uses browser-side active content technologies which is a hotbed of hacker activity.  And by the way, the minute you loaded a plug-in without permission you probably broke a rule in your network environment.


FWIW, Safari doesn't support NPAPI, however it does support plugins.

Safari was supposed to stop supporting legacy plugins as of Safari 10, but we're into 11 now and it still works so ¯\_(ツ)_/¯

Does the Hikvision plugin actually work in Safari, though? I've tried it multiple times and it pops up and asks me to trust the plugin, then never displays video. Is it OS dependent? 

I just downloaded Safari on Windows 10 and it worked no problems.

I was on site last week with a client who was using a Macbook to access the camera webpage and again no dramas.

Both were running 5.4.5 170124

Hikvision allegedly has 1000-plus R&D engineers and not one of them can resolve this issue; it's beyond funny anymore!!

My advice: avoid Hik; you're best to stick with other tried, tested, reliable professional CCTV suppliers.

Hikvision has alleged 1000 plus R & D engineers

That's incorrect. Hikvision allegedly has more than 10,000 R&D engineers, according to Hikvision.

What takes 1 programmer a month to do will take 2 programmers a year. Account for inflation and we have our answer.

I don't think it's that they can't fix it, it's that they can't be bothered

Campbell, why can't they be bothered? It's a security and a usability issue.

Also, if they can't be bothered, why did they commit to having it fixed 2 years ago?

You'd have to ask them.

My guess would be that it's because IE is baked into Windows and its EOL isn't for another 7 years.

Therefore, it's not a super high priority for them because nearly everyone uses an OS with a compatible browser (IE/Safari)

The PR statement probably seemed like a good idea at the time.

They can't be bothered because factory management thinks getting video to the trunkslammer fast is a more important business case than surviving a casual IT audit in an enterprise environment. It's unlikely they ever asked one or more of the 10,000 engineers to look into this. They "committed" to it because the "they" of whom you speak is someone in a sales office, not back at the factory, and they got a little bit out ahead of what the factory actually is doing.

(look at that.  no dust at all on my decade old vendor-neutral answer.)

Such a frustrating issue. I'm a Chrome junkie and I have to run a Chrome extension called "IE Tab" which inserts a second URL line and emulates Internet Explorer. Then run the web client plugin. It's hit or miss on customers' computers, particularly 64-bit ones, whether the plugin will properly install.


No idea why this is so hard for them to update.

This is very annoying. We are supposed to get HTML5 support in the near future. It can't come soon enough. This should have been updated a long time ago.

On a side note, just keeping tabs, but this is the 3rd negatively based Hik Article that has been posted since the positive based news came out about the Transparency Center that still has no dedicated article. But who's counting.


Sean, as for the "Transparency Center", we have a long detailed discussion on it here - Hikvision Opens Security Industry First Source Code Transparency Center. As for it being 'positive', as we debated on that thread, there are important questions open. I'd rather try to get more answers before publishing.

As for this matter, it is cut and dry 100%, even you admit it's a clear problem.

Reporting actual facts is not negative. If memory serves me correctly, several manufacturers have thanked IPVM for their reporting. If Hikvision had taken ownership of the vulnerabilities in their products from the beginning, instead of denying or taking forever to patch and, as this article states, still not fixing, then I don't think there would be near the negative publicity of Hikvision.

Any reference information on comparing NVR/NVS for casting pure HTML5 (no Flash or plug-ins) to client browsers or browser-based display walls?

Ubiquiti UniFi Video is growing up, popular with IT deployers and now streams well to Chrome, but has limited camera options.

Hikvision seems to release firmware updates at least once a quarter. How hard is this to accomplish? 

At the same time why don’t more camera manufacturers make their browser UIs responsive for mobile. This would make it a lot easier to setup cameras. 

This past week, we attended a Hikvision roadshow and were shown a new feature in their NVRs. They have baked in SADP and now allow almost full control of the settings of their IP cams (WDR, overlay, etc). 

My point is, it’s not like Hikvision is against progressing their products, so it’s just weird that they have neglected this portion of their product development that they themselves committed to resolve years ago. 

You have more control over settings now with 4.0 in the local GUI, but can you elaborate on the baked in SADP? What specifically were they showing?

In the NVR menu, you could activate, set IP, and other functions of SADP in the NVR GUI. It was on the bottom tray of the GUI. It didn't specifically say SADP, but their claim was that you no longer needed to "bring your own laptop" to configure cameras.

Also, as I said above, they also now give you the ability to set WDR, overlays, etc in the NVR GUI, which is actually a benefit for me. I was using a laptop on site to set the camera settings before, so this will save time. It also allows you to remote configure these settings if you are offsite as well.

Offsite programming will be nice. Especially adjusting certain night time settings, instead of working late or setting then checking next day results.

My reps response: "Most browsers now do not allow plugins and most video surveillance requires plugins to view video.

We do not require you to use a browser. We instead recommend iVMS-4200 instead." 

Although not ideal across many brands, it does solve the Hikvision issue. And works on a Mac.

That works yes but the web interface method is just a quicker way to make configurations needed. 

Honestly, we either need a web interface that will work on all browsers with 0 plugins, or simply abandon the web interface altogether.

I somewhat agree, especially if we use several different brands of cameras. A brand-specific "app" seems to be the way of the future as more and more browser lock-downs occur and the camera engineers cannot (or will not) keep up. I mean my God, we have to use a Netscape plug-in from 1995 on IE 4? Sadly, the bigger issue is whoever decides and creates these things will never be known, and until we are in the same Asian karaoke bar with the engineers, our views will never see the light of day.

Klay, thanks, good feedback!

If Hikvision's position is to just use iVMS-4200, then they can solve the security risk by simply removing the plugin entirely and displaying a message / link to download iVMS-4200 to display live video. Agree/disagree?

My reps response: "Most browsers now do not allow plugins and most video surveillance requires plugins to view video.

A response to Hikvision: Are you focusing on Dahua, Longse and XM or Avigilon, Axis and Hanwha? Because Hikvision talks about being a high end provider and those higher end competitors do not require such unsafe / antiquated plugins.

In theory, Wouldn't a system like Sureview bypass the plugin and just stream to the web browser? 

As a Hik fan I have to say this is probably my biggest annoyance with them. Smaller customers are almost always going to use a PC to access footage and iVMS-4200 is complicated and unintuitive for amateur users. The web interface is simple enough that I can show an elderly condo board member how to search for the person that left their recliner in the garbage room, for instance.

However Hik's complete and total disregard for this aspect of functionality has left me very frustrated. When Firefox ended NPAPI support I called their tech line to ask when they were ever going to improve this interface, and the answer was "someday". As it stands you have to run IE in administrator mode in order to download anything, then go hunt for the files in some arbitrary and deeply buried folder, and THEN use the Format Converter just to change it to something most players can actually use!

For a company that produces some of the best performing and cost effective surveillance hardware on the market they sure need to get their act together in virtually every other area. Their handling of their Chinese ownership, their interfaces, their security issues, etc.

Update (August 2018): 5 months after this report, and 3 years after Hikvision first committed to fixing this, Hikvision has announced a fix rolling out in some cameras.

We tested it on one of our cameras supporting the new firmware and it displayed video successfully on Chrome with no plugin.

Can you link some ways to determine which cameras support this and where to find the firmware that has this feature? I have searched but am getting nowhere. Searching for "EasyIP x.0" yields announcements on an entire new product line, that have similar model numbers to existing models, but nothing on the US website seems to mention "EasyIP" under them.


example: EasyIP 3.0  finds an overseas website link LINK

replying to myself, I just found some links on an overseas HIK site. Link Here They relate this new FW to the G series, which I'm not familiar with, but it appears to be the DS-2cdxx line that the US has. I tried installing it on an older model I had laying around:

DS-2CD2132F-I  with firmware V5.4.0 build 160530 which is the latest on the US site.

It failed to install getting a "failed to the upgrade status" error message.  I thought it might be because I skipped a few intermediate FW levels, so I went back and downloaded the oldest one next to v5.40, which was V5.4.41_Build170310

and got the same error message.

They used to offer a spreadsheet on the Europe Portal that showed you which cameras are in which series; I don't see it on there anymore. This firmware is for the G1 series of cameras (2xx3, 2xx5) so it won't work with the camera you tried it on. Also, in my experience, putting EU firmware on non-EU cameras/NVRs (if that is what you attempted to do here) can potentially brick them or cause issues.

You used to be able to find all of the latest US firmware on the Hikvision tech site which categorized it by series (value, value plus, smart) but it seems like lately they haven't updated it and favor just putting the latest firmware on the US site.

This took way too long. I see they keep coming out with new cameras but rarely new firmware that is actually different or upgraded.

Any idea how this works when logging into an NVR, and not just the camera?

Is this camera firmware or NVR? or both?
