Hikvision Fails To Fix Unsafe Browser Plugin

Published Mar 21, 2018 20:29 PM

More than 2 years ago, Hikvision committed to resolving the use of unsafe and ineffective browser plugins. Despite that, today, Hikvision still has not solved this.

Here is Hikvision's original statement and commitment in 2015:

We covered this issue when it first happened: (2015) Google Breaks Surveillance Browser Support

In the meantime, more browsers have discontinued support for these unsafe and ineffective plugins. Moreover, major Hikvision competitors have resolved this problem. By contrast, Hikvision still requires the use of an unsafe and discontinued browser.

Inside, we examine how Hikvision has failed to resolve this and key competitors who have.


Comments (46)
Undisclosed #1
Mar 21, 2018

Maybe when the "Government's IT guy" takes time to fly to CA to review Hikvision's source code they can help them resolve this.

bashis mcw
Mar 22, 2018

U1, one day it would be funny to sit down with you in person with a beer or two (or more), and just exchange opinions/ideas/reflections/B.S. with each other... )

Undisclosed Integrator #7
Mar 22, 2018

LMAO. Y'all would need nothing less than hard liquor for that meeting, Bash.

Undisclosed Integrator #9
Mar 26, 2018

No need - just wait for a CA developer to leak it all over social media for a few extra views or use one of the US's close friends in the Kremlin to hack it...

Undisclosed
Mar 26, 2018

new IPVM booth handout request:  bumper sticker:

FRIENDS DON'T LET FRIENDS RUN VIDEO PLUGINS

(line 2 is url of this article https://ipvm.com/reports/hikvision-npapi)

Undisclosed Manufacturer #2
Mar 22, 2018

Since you guys have tested Axis and Hanwha cameras with plugin-free H.264/H.265 streams in the browser, what were your findings about latency?

I find that most solutions that provide real-time, no-latency plugin-free video on browser are based on MJPEG, but for H.264/H.265 the problem is deeper since there is no single solution that can work in multiple browsers and operating systems.

I'm just curious to find out how the rendering latency was from these cameras, because for example if they are using the HLS (HTTP Live Streaming) technique, this would introduce at least 2 seconds of delay due to the nature of HLS, which would make it impossible to control a PTZ camera.
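To make the "nature of HLS" point above concrete, here is an added example (not code from the IPVM report or from any camera vendor) that parses a constructed live HLS media playlist and computes the hold-back that RFC 8216 section 6.3.3 recommends: a client should not start playback less than three target durations from the end of a live playlist. With 2-second segments that floor is already 6 seconds before packaging, network and decode delay are counted, which is why PTZ control over plain HLS is impractical. The playlist text, segment names and the `hold_back_seconds` helper are constructed for illustration.

```python
"""Estimate the hold-back latency implied by a live HLS media playlist.

Added example, not code from the IPVM report or any camera vendor.
RFC 8216 section 6.3.3: for a live playlist (no EXT-X-ENDLIST) a client
SHOULD NOT start playback less than three target durations from the end
of the playlist. That hold-back is a floor on glass-to-glass delay; encode,
packaging, network and decode time come on top of it.
"""

# Constructed live playlist: three 2-second segments, no EXT-X-ENDLIST.
SAMPLE_PLAYLIST = """#EXTM3U
#EXT-X-VERSION:3
#EXT-X-TARGETDURATION:2
#EXT-X-MEDIA-SEQUENCE:100
#EXTINF:2.000,
seg100.ts
#EXTINF:2.000,
seg101.ts
#EXTINF:2.000,
seg102.ts
"""


def parse_media_playlist(text):
    """Return (target_duration, is_live, [(uri, duration), ...])."""
    if not text.lstrip().startswith("#EXTM3U"):
        raise ValueError("not an M3U8 playlist")
    target = None
    is_live = True          # becomes False when #EXT-X-ENDLIST is present
    pending = None          # duration announced by the last #EXTINF
    segments = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#EXT-X-TARGETDURATION:"):
            target = float(line.split(":", 1)[1])
        elif line.startswith("#EXTINF:"):
            # "#EXTINF:<duration>,[<title>]"
            pending = float(line.split(":", 1)[1].split(",", 1)[0])
        elif line == "#EXT-X-ENDLIST":
            is_live = False
        elif not line.startswith("#"):
            # Non-tag line is a segment URI; it must follow an #EXTINF.
            if pending is None:
                raise ValueError(f"segment {line!r} has no #EXTINF")
            segments.append((line, pending))
            pending = None
    if target is None:
        raise ValueError("missing #EXT-X-TARGETDURATION")
    return target, is_live, segments


def hold_back_seconds(text, target_durations=3):
    """Minimum distance from the live edge at which playback should start.

    For a VOD playlist (EXT-X-ENDLIST present) there is no live edge, so 0.
    """
    target, is_live, _segments = parse_media_playlist(text)
    if not is_live:
        return 0.0
    return target * target_durations


if __name__ == "__main__":
    target, live, segs = parse_media_playlist(SAMPLE_PLAYLIST)
    print(f"target duration {target}s, live={live}, {len(segs)} segments")
    print(f"recommended hold-back: {hold_back_seconds(SAMPLE_PLAYLIST)}s")
```

Shorter segments lower the floor but multiply playlist fetches, which is why plugin-free low-latency designs in browsers lean on MSE fed by WebSocket/fMP4 or on WebRTC rather than on plain HLS.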

Undisclosed Manufacturer #8
Mar 23, 2018

I was told that the latency in Hanwha cameras with plug-in free H.264 or H.265 is less than about 500 ms in any web browser.

Undisclosed
Mar 26, 2018

(Years-old) advice to vendors: use the now-unencumbered H.264 plug-in. No need for a plug-in to kludge around your use of proprietary H.265 code. Use HTML5, not Flash. Even the HVAC vendors know to use HTML5. Stop providing attack vectors into customers' browsers. Make sure your product doesn't cause fits when viewed with Chrome or Edge on Windows 10, or Chrome on other platforms. P.S. Chrome is a free download, don't tell us this is hard to test.
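The checklist in the comment above (HTML5 video, no plug-in, works in Chrome and Edge) can be turned into a quick inventory check for the devices already on a network. The following Python script is an added example, not code from IPVM or from any camera vendor: it parses a device's web UI page and reports whether live view depends on a browser plugin (`<object>`/`<embed>`/`<applet>` tags, an ActiveX `classid`, or a non-HTML5 MIME type) or on HTML5 (`<video>`, MediaSource, WebRTC). The two sample pages, the attribute hints and the `classify` helper are constructed for illustration and are not taken from any vendor's firmware.

```python
"""Audit a camera web UI page for legacy browser-plugin dependencies.

Added example, not IPVM's or any vendor's code. Classifies an HTML page
by what it needs to render live video:
  'plugin'  - <object>/<embed>/<applet> present (the NPAPI/ActiveX pattern
              the report is about); attribute hints are recorded when seen
  'html5'   - <video> element or a MediaSource/WebRTC/hls.js hint in script
  'unknown' - neither
All MIME types, classids and sample pages below are constructed.
"""
from html.parser import HTMLParser

PLUGIN_TAGS = {"object", "embed", "applet"}
# Constructed hints: substrings in attribute values that mark a plugin player.
PLUGIN_ATTR_HINTS = ("application/x-", "clsid:", "x-shockwave-flash")
# Script-level hints that a page renders video without a plugin.
SCRIPT_HINTS = ("MediaSource", "RTCPeerConnection", "new Hls(")

# Constructed sample: legacy page with an ActiveX object and an NPAPI embed.
LEGACY_PAGE = """<html><body>
<object classid="clsid:00000000-0000-0000-0000-000000000000" id="player"></object>
<embed type="application/x-example-player" src="live"></embed>
</body></html>"""

# Constructed sample: plugin-free page using <video> fed by MediaSource.
MODERN_PAGE = """<html><body>
<video id="live" autoplay muted></video>
<script>const ms = new MediaSource(); video.src = URL.createObjectURL(ms);</script>
</body></html>"""


class PluginAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []        # (tag, attr_name, attr_value); attr fields empty if no hint
        self.html5_video = False
        self.html5_script = False
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "video":
            self.html5_video = True
        if tag == "script":
            self._in_script = True
        if tag in PLUGIN_TAGS:
            # Any object/embed/applet is suspect; note which attribute gave it away.
            hint = ("", "")
            for name, value in attrs:
                v = (value or "").lower()
                if any(h in v for h in PLUGIN_ATTR_HINTS):
                    hint = (name, value)
            self.findings.append((tag,) + hint)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands <script> bodies to handle_data as raw text.
        if self._in_script and any(h in data for h in SCRIPT_HINTS):
            self.html5_script = True


def classify(html: str) -> dict:
    """Return {'verdict': 'plugin'|'html5'|'unknown', 'findings': [...]}."""
    p = PluginAudit()
    p.feed(html)
    p.close()
    if p.findings:
        verdict = "plugin"
    elif p.html5_video or p.html5_script:
        verdict = "html5"
    else:
        verdict = "unknown"
    return {"verdict": verdict, "findings": p.findings}


if __name__ == "__main__":
    for label, page in (("legacy", LEGACY_PAGE), ("modern", MODERN_PAGE)):
        result = classify(page)
        print(f"{label}: {result['verdict']}")
        for tag, name, value in result["findings"]:
            print(f"  <{tag}> {name}={value!r}")
```

Pointing the script at the saved login or live-view page of each camera on an asset list gives a defensible answer to the question the report raises: which devices still cannot be viewed without a discontinued plugin and therefore force an unsupported browser onto the operator's workstation.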

bashis mcw
Mar 22, 2018

Frankly, I have been more than twice thinking about what's hidden in these plugins...

Plugins like that are so late '90s-ish.

Undisclosed Integrator #3
Mar 22, 2018

How long until Hikvision covertly installs a search bar?

Undisclosed
Mar 26, 2018

Mystery meat. Even if it's digitally signed. Virtually guaranteed it hasn't been updated since the integrator hung that camera on the wall years ago. Uses browser-side active content technologies, which are a hotbed of hacker activity. And by the way, the minute you loaded a plug-in without permission you probably broke a rule in your network environment.

Undisclosed Manufacturer #4
Mar 22, 2018

FWIW, Safari doesn't support NPAPI, however it does support plugins.

Campbell Chang
Mar 22, 2018

Safari was supposed to stop supporting legacy plugins as of Safari 10, but we're into 11 now and it still works so ¯\_(ツ)_/¯

Ethan Ace
Mar 22, 2018

Does the Hikvision plugin actually work in Safari, though? I've tried it multiple times and it pops up and asks me to trust the plugin, then never displays video. Is it OS dependent? 

Campbell Chang
Mar 22, 2018

I just downloaded Safari on Windows 10 and it worked no problems.

I was on site last week with a client who was using a Macbook to access the camera webpage and again no dramas.

Both were running 5.4.5 170124

Undisclosed Integrator #5
Mar 22, 2018

Hikvision has alleged 1000 plus R & D engineers and not one of them can resolve this issue, it's beyond funny anymore!!

My advice: avoid Hik, you're best to stick with other tried, tested, reliable professional CCTV suppliers.

John Honovich
Mar 22, 2018
IPVM

Hikvision has alleged 1000 plus R & D engineers

That's incorrect. Hikvision allegedly has more than 10,000 R&D engineers, according to Hikvision:

Undisclosed Integrator #7
Mar 22, 2018

What takes 1 programmer a month to do will take 2 programmers a year. Account for inflation and we have our answer.

Campbell Chang
Mar 22, 2018

I don't think it's that they can't fix it, it's that they can't be bothered

John Honovich
Mar 22, 2018
IPVM

Campbell, why can't they be bothered? It's a security and a usability issue.

Also, if they can't be bothered, why did they commit to having it fixed 2 years ago?

Campbell Chang
Mar 22, 2018

You'd have to ask them.

My guess would be that because IE is baked into Windows and its EOL isn't for another 7 years.

Therefore, it's not a super high priority for them because nearly everyone uses an OS with a compatible browser (IE/Safari)

The PR statement probably seemed like a good idea at the time.

Undisclosed
Mar 26, 2018

They can't be bothered because factory management thinks getting video to the trunkslammer fast is a more important business case than surviving a casual IT audit in an enterprise environment. It's unlikely they ever asked one or more of the 10,000 engineers to look into this. They "committed" to it because the "they" of whom you speak is someone in a sales office, not back at the factory, and they got a little bit out ahead of what the factory actually is doing.

(look at that.  no dust at all on my decade old vendor-neutral answer.)

Undisclosed Integrator #6
Mar 22, 2018

Such a frustrating issue.  I'm a Chrome junkie and I have to run a Chrome extension called "IE Tab" which inserts a second URL line and emulates Internet Explorer.  Then run the web client plugin.  It's hit or miss on customer's computers, particularly 64 bit ones, whether the plugin will properly install.  


No idea why this is so hard for them to update.

Sean Nelson
Mar 22, 2018
Nelly's Security

This is very annoying. We are supposed to get HTML5 support in the near future. It can't come soon enough. This should have been updated a long time ago.

On a side note, just keeping tabs, but this is the 3rd negatively based Hik Article that has been posted since the positive based news came out about the Transparency Center that still has no dedicated article. But who's counting.

John Honovich
Mar 22, 2018
IPVM

Sean, as for the "Transparency Center", we have a long detailed discussion on it here - Hikvision Opens Security Industry First Source Code Transparency Center. As for it being 'positive', as we debated on that thread, there are important questions open. I'd rather try to get more answers before publishing.

As for this matter, it is cut and dry 100%, even you admit it's a clear problem.

Shannon Davis
Mar 23, 2018
IPVMU Certified

Reporting actual facts is not negative. If memory serves me correctly, several manufacturers have thanked IPVM for their reporting. If Hikvision would have taken ownership of the vulnerabilities in their products from the beginning instead of denying or taking forever to patch and, as this article states, still not fixing, then I don't think there would be near the negative publicity of Hikvision.

DC Long
Mar 26, 2018

Any reference information on comparing NVR/NVS for casting pure HTML5 (no Flash or plug-ins) to client browsers or browser-based display walls?

DC Long
Mar 26, 2018

Ubiquiti UniFi Video is growing up, popular with IT deployers, and now streams well to Chrome, but has limited camera options.

John Bazyk
Mar 26, 2018
Command Corporation • IPVMU Certified

Hikvision seems to release firmware updates at least once a quarter. How hard is this to accomplish? 

At the same time, why don't more camera manufacturers make their browser UIs responsive for mobile? This would make it a lot easier to set up cameras.

Jon Dillabaugh
Mar 26, 2018
Pro Focus LLC

This past week, we attended a Hikvision roadshow and were shown a new feature in their NVRs. They have baked in SADP and now allow almost full control of the settings of their IP cams (WDR, overlay, etc). 

My point is, it’s not like Hikvision is against progressing their products, so it’s just weird that they have neglected this portion of their product development that they themselves committed to resolve years ago. 

Rob Kilpatrick
Mar 26, 2018
IPVM • IPVMU Certified

You have more control over settings now with 4.0 in the local GUI, but can you elaborate on the baked in SADP? What specifically were they showing?

Jon Dillabaugh
Mar 26, 2018
Pro Focus LLC

In the NVR menu, you could activate, set IP, and other functions of SADP in the NVR GUI. It was on the bottom tray of the GUI. It didn't specifically say SADP, but their claim was that you no longer needed to "bring your own laptop" to configure cameras.

Also, as I said above, they also now give you the ability to set WDR, overlays, etc in the NVR GUI, which is actually a benefit for me. I was using a laptop on site to set the camera settings before, so this will save time. It also allows you to remote configure these settings if you are offsite as well.

Undisclosed Integrator #11
Mar 28, 2018

Offsite programming will be nice. Especially adjusting certain night time settings, instead of working late or setting then checking next day results.

Klay Anderson
Mar 26, 2018
Klay Anderson AVL

My reps response: "Most browsers now do not allow plugins and most video surveillance requires plugins to view video.

We do not require you to use a browser. We instead recommend iVMS-4200 instead." 

Although not ideal across many brands, it does solve the Hikvision issue. And works on a Mac.

Sean Nelson
Mar 26, 2018
Nelly's Security

That works yes but the web interface method is just a quicker way to make configurations needed. 

Honestly, we either need a web interface that will work on all browsers with 0 plugins, or simply abandon the web interface altogether.

Klay Anderson
Mar 26, 2018
Klay Anderson AVL

I somewhat agree, especially if we use several different brands of cameras. A brand-specific "app" seems to be the way of the future as more and more browser lock-downs occur and the camera engineers cannot (or will not) keep up. I mean my God, we have to use a Netscape plug-in from 1995 on IE 4? Sadly, the bigger issue is whoever decides and creates these things will never be known and until we are in the same Asian karaoke bar with the engineers, our views will never see the light of day.

John Honovich
Mar 26, 2018
IPVM

Klay, thanks, good feedback!

If Hikvision's position is to just use iVMS-4200, then they can solve the security risk by simply removing the plugin entirely and displaying a message / link to download iVMS-4200 to display live video. Agree/disagree?

John Honovich
Mar 26, 2018
IPVM

My reps response: "Most browsers now do not allow plugins and most video surveillance requires plugins to view video.

A response to Hikvision: Are you focusing on Dahua, Longse and XM or Avigilon, Axis and Hanwha? Because Hikvision talks about being a high end provider and those higher end competitors do not require such unsafe / antiquated plugins.

Paul Shah
Mar 26, 2018

In theory, wouldn't a system like Sureview bypass the plugin and just stream to the web browser?

Undisclosed Integrator #10
Mar 26, 2018

As a Hik fan I have to say this is probably my biggest annoyance with them. Smaller customers are almost always going to use a PC to access footage and iVMS-4200 is complicated and unintuitive for amateur users. The web interface is simple enough that I can show an elderly condo board member how to search for the person that left their recliner in the garbage room, for instance.

However Hik's complete and total disregard for this aspect of functionality has left me very frustrated. When Firefox ended NPAPI support I called their tech line to ask when they were ever going to improve this interface, and the answer was "someday". As it stands you have to run IE in administrator mode in order to download anything, then go hunt for the files in some arbitrary and deeply buried folder, and THEN use the Format Converter just to change it to something most players can actually use!

For a company that produces some of the best performing and cost effective surveillance hardware on the market they sure need to get their act together in virtually every other area. Their handling of their Chinese ownership, their interfaces, their security issues, etc.

John Honovich
Aug 25, 2018
IPVM

Update: 5 months after this report (and 3 years after Hikvision first committed to fixing this), Hikvision has announced a fix for this rolling out in some cameras:


We tested it on one of our cameras supporting the new firmware and it displayed video successfully on Chrome with no plugin:

Undisclosed Integrator #6
Aug 25, 2018

Can you link some ways to determine which cameras support this and where to find the firmware that has  this feature?  I have searched but am getting nowhere.  Searching for "EasyIP x.0" yields announcements on an entire new product line, that have similar model numbers to existing models, but nothing on the US website seems to mention "EasyIP" under them.


example: EasyIP 3.0  finds an overseas website link LINK

Undisclosed Integrator #6
Aug 25, 2018

replying to myself, I just found some links on an overseas HIK site. Link Here They relate this new FW to the G series, which I'm not familiar with, but it appears to be the DS-2cdxx line that the US has. I tried installing it on an older model I had laying around:

DS-2CD2132F-I  with firmware V5.4.0 build 160530 which is the latest on the US site.

It failed to install getting a "failed to the upgrade status" error message.  I thought it might be because I skipped a few intermediate FW levels, so I went back and downloaded the oldest one next to v5.40, which was V5.4.41_Build170310

and got the same error message.

Rob Kilpatrick
Aug 27, 2018
IPVM • IPVMU Certified

They used to offer a spreadsheet on the Europe Portal that showed you which cameras are in which series, I don't see it on there anymore. This firmware is for the G1 series of cameras (2xx3, 2xx5) so it won't work with the camera you tried it on. Also, in my experience, putting EU firmware on non-EU cameras/NVR's (if that is what you attempted to do here) can potentially brick them or cause issues.

You used to be able to find all of the latest US firmware on the Hikvision tech site which categorized it by series (value, value plus, smart) but it seems like lately they haven't updated it and favor just putting the latest firmware on the US site.

John Bazyk
Aug 25, 2018
Command Corporation • IPVMU Certified

This took way too long. I see they keep coming out with new cameras but rarely new firmware that is actually different or upgraded.

Undisclosed Integrator #11
Aug 25, 2018

Any idea how this works when logging into an NVR, and not just the camera?

Is this camera firmware or NVR? or both?