Hikvision Fails To Fix Unsafe Browser Plugin

By: Ethan Ace, Published on Mar 21, 2018

More than 2 years ago, Hikvision committed to resolving the use of unsafe and ineffective browser plugins. Despite that, today, Hikvision still has not solved this.

Here is Hikvision's original statement and commitment in 2015:

We covered this issue when it first happened: (2015) Google Breaks Surveillance Browser Support

In the meantime, more browsers have discontinued support for these unsafe and ineffective plugins. Moreover, major Hikvision competitors have resolved this problem. By contrast, Hikvision still requires the use of an unsafe and discontinued browser.

Inside, we examine how Hikvision has failed to resolve this and key competitors who have.

**** **** * ***** ago, ********* ********* ** resolving *** *** ** ****** and *********** ******* *******. Despite ****, *****, ********* still *** *** ****** this.

**** ***********'* ******** ********* *** commitment ** ****:

** ******* **** ***** when ** ***** ********: (****) ****** ****** ************ Browser *******

** *** ********, **** browsers **** ************ ******* for ***** ****** *** ineffective *******. ********, ***** Hikvision *********** **** ******** this *******. ** ********, Hikvision ***** ******** *** use ** ** ****** and ************ *******.

******, ** ******* *** Hikvision *** ****** ** resolve **** *** *** competitors *** ****.

[***************]

No ***** ******* ** ******* ***** ********

***** ******** ** ****** support ***** ******* / Active *, ** *** list ***** *****:

Hikvision ******** *** *********

**** ***** **** ******/****** tasks *** *** ********* in ***** ********, ********* viewing **** *****:

** ******* ******* *** analytics ** ****** *********:

 

Internet ******** ********

******* ** **** **** of ****** *******, ******** Explorer *** ******* **** be **** ** ********* Hikvision *******. *******, **** *** **** recent ******* ** ******** ******** *** **** discontinued *** * *****. ***** ***** **********, Microsoft ********** *** ******** encouraging ****** ** ****, which **** *** ******* such *******. 

* ****** ** ***** have ******* *** ****** extensions **** ** ** *** ***** ***** ***** ** load ***** ** ******** Explorer ******** ** * Chrome *** ******* ** loading *** ******* **********.

***** **** *** ** more ********** **** ******* to ****** * ******** browser, ** ** *********** no ********* **** ***** IE *** **** *** address ******* ******** ** compatibility ******.

Many *********** ** *** ******* *******

**** ************* ** *** require ******* ** ***** plugins ** ****/********* *******. This ********* ***** **** two **********:

  • *****, *.***/*.*** ** *******: **** *************, **** ** Hanwha *** **** (********* below) ******* *.*** *** H.265 ** *** *** browser ******* ***** *******. This ****** ** ***** rare ** ****.
  • ***** ** *******:******, ********* ********, *******, and *******, ******* **** MJPEG ** *** *******. This *** *** ********* of ****** ************* *** does *** ******* *******, but ** *** ******* of ****** ********* *********** and ***** ******* **********.

Plugin-Free ********: ****** *** ****

** ******* ****** ******, no ******* *** ******** for *.*** ** *.*** video, *** ** ******* required *** ******* ********* such ** ******* ****** or ******** *****, ***** here (***** *.*** *****):

** ****** **** *** interface ******* ** *** ******* * **** ******.

*********,****' *** *** ********* ******** *.*** (*** *** H.265) ******* ******* *******, reviewed ****:

Dishonorable *******: *****

***** *** ******** ******* / **, *********** *** problem. ***** *** *** committed ** ******* **** and, ***** ***** *** poor ***** ******, ***** should *** ** **** hope, ****** *** ***** Hikvision ***** ****, ***** Dahua ***** ** ***** Hikvision * **** ** two *****. 

Still * *******: ****** **** ******* ** ***

*********'* ******* ** *** plugin-free ******* ** ********* remains * *******.****** ** *** ********* web ******* ***** ***********, ****** ** **** popular **** ******* *** IE, *** ******* *** world's * ******* ************* and *** ******** ***** require IE, **** *********** *** forced ** *** **, despite *** ***** ***** and ******.

Comments (46)

Maybe when the "Government's IT guy" takes time to fly to CA to review Hikvision's source code they can help them resolve this.

U1, one day it would be funny to sit down with you in person with a beer or two (or more), and just exchange opinions/ideas/reflections/B.S each others... )

 

LAMO. Ya'll would need nothing less than hard liquor for that meeting Bash.

No need - just wait for a CA developer to leak it all over social media for a few extra views or use one of the US's close friends in the Kremlin to hack it...

new IPVM booth handout request:  bumper sticker:

FRIENDS DON'T LET FRIENDS RUN VIDEO PLUGINS

(line 2 is url of this article https://ipvm.com/reports/hikvision-npapi)

   

Since you guys have tested Axis and Hanwha cameras with plugin-free H.264/H.265 streams in the browser, what was your findings about latency? 

I find that most solutions that provide real-time, no-latency plugin-free video on browser are based on MJPEG, but for H.264/H.265 the problem is deeper since there is no single solution that can work in multiple browsers and operating systems.

I'm just curious to find how was the rendering latency from these cameras, because for example if they are using HLS (HTTP Live Streaming) technique, this would introduce at least 2 seconds delay due to the nature of HLS, which would make it impossible to control a PTZ camera

I was told that the latency in Hanwha cameras with plug-in free H.264 or H.265 is less than about 500mS in any web browser.

(Years-old) advice to vendors: use the now-unencumbered H.264 plug in.  No need for a plug-in to kludge around your use of proprietary H.265 code.  Use HTML 5, not Flash.  Even the HVAC vendors know to use HTML-5.  Stop providing attack vectors into customer's browsers.  Make sure your product doesn't cause fits when viewed with Chrome or Edge on Windows 10, or Chrome on other platforms.  P.s. Chrome is a free download, don't tell us this is hard to test.

 

Frankly, I have been more than twice times thinking what's hidden into these plugins...

Plugins like that is so late 90'ish.

How long until Hikvision covertly installs a search bar?

Mystery meat.  Even if it's digitally signed.  Virtually guaranteed hasn't been updated since the integrator hung that camera on the wall years ago.  Uses browser-side active content technologies which is a hotbed of hacker activity.  And by the way, the minute you loaded a plug-in without permission you probably broke a rule in your network environment.

 

FWIW, Safari doesn't support NPAPI, however it does support plugins.

Safari was supposed to stop supporting legacy plugins as of Safari 10, but we're into 11 now and it still works so ¯\_(ツ)_/¯

Does the Hikvision plugin actually work in Safari, though? I've tried it multiple times and it pops up and asks me to trust the plugin, then never displays video. Is it OS dependent? 

I just downloaded Safari on Windows 10 and it worked no problems.

I was on site last week with a client who was using a Macbook to access the camera webpage and again no dramas.

Both were running 5.4.5 170124

Hikvision has alleged 1000 plus R & D engineers and not one of them can resolve this issue , its beyond funny anymore !!

My advice avoid Hik, your best to stick with other tried, tested, relaible proffesional CCTV suppliers

Hikvision has alleged 1000 plus R & D engineers

That's incorrect. Hikvision allegedly has more than 10,000 R&D engineers, according to Hikvision:

What takes 1 programmer a month to do will take 2 programmers a year. Account for inflation and we have our answer.

I don't think it's that they can't fix it, it's that they can't be bothered

Campbell, why can't they be bothered? It's a security and a usability issue.

Also, if they can't be bothered, why did they commit to having it fixed 2 years ago?

You'd have to ask them.

My guess would be that because IE is baked into Windows and it's EOL isn't for another 7 years.

Therefore, it's not a super high priority for them because nearly everyone uses an OS with a compatible browser (IE/Safari)

The PR statement probably seemed like a good idea at the time.

They can't be bothered because factory management thinks getting video to the trunkslammer fast is a more important business case than surviving a casual IT audit in an enterprise environment.  It's unlikely they ever asked one or more of the 10,000 engineers to look into this.  They "committed" to it because the they of whom you speak is someone in a sales office not back at the factory and they got a little bit out ahead of what the factory actually is doing.

(look at that.  no dust at all on my decade old vendor-neutral answer.)

 

 

Such a frustrating issue.  I'm a Chrome junkie and I have to run a Chrome extension called "IE Tab" which inserts a second URL line and emulates Internet Explorer.  Then run the web client plugin.  It's hit or miss on customer's computers, particularly 64 bit ones, whether the plugin will properly install.  

 

No idea why this is so hard for them to update.

This is very annoying. We are supposed to get HTML5 support in the near future. It cant come soon enough. This should have been updated along time ago.

On a side note, just keeping tabs, but this is the 3rd negatively based Hik Article that has been posted since the positive based news came out about the Transparency Center that still has no dedicated article. But who's counting.

 

Sean, as for the "Transparency Center", we have a long detailed discussion on it here - Hikvision Opens Security Industry First Source Code Transparency Center. As for it being 'positive', as we debated on that thread, there are important questions open. I'd rather try to get more answers before publishing.

As for this matter, it is cut and dry 100%, even you admit it's a clear problem.

Reporting actual facts is not negative. If memory serves me correct several manufacturers have thanked IPVM for their reporting. If Hikvision would have taken ownership of the vulnerabilities in their products from the beginning instead of denying or taking for ever to patch and as this article states, still not fixing then I don't think their would be near the negative publicity of Hikvision. 

Any reference information on comparing NVR/NVS for casting Pure HTML5 - No Flash or Plugs in's to Client Browsers or browser-based Display walls?

Ubiquity UniFi Video is growing up, popular with IT deployers and now streams well to chrome, but has limited camera options. 

Hikvision seems to release firmware updates at least once a quarter. How hard is this to accomplish? 

At the same time why don’t more camera manufacturers make their browser UIs responsive for mobile. This would make it a lot easier to setup cameras. 

This past week, we attended a Hikvision roadshow and were shown a new feature in their NVRs. They have baked in SADP and now allow almost full control of the settings of their IP cams (WDR, overlay, etc). 

My point is, it’s not like Hikvision is against progressing their products, so it’s just weird that they have neglected this portion of their product development that they themselves committed to resolve years ago. 

You have more control over settings now with 4.0 in the local GUI, but can you elaborate on the baked in SADP? What specifically were they showing?

In the NVR menu, you could activate, set IP, and other functions of SADP in the NVR GUI. It was on the bottom tray of the GUI. It didn't specifically say SADP, but their claim was that you no longer needed to "bring your own laptop" to configure cameras.

Also, as I said above, they also now give you the ability to set WDR, overlays, etc in the NVR GUI, which is actually a benefit for me. I was using a laptop on site to set the camera settings before, so this will save time. It also allows you to remote configure these settings if you are offsite as well.

Offsite programming will be nice. Especially adjusting certain night time settings, instead of working late or setting then checking next day results.

My reps response: "Most browsers now do not allow plugins and most video surveillance requires plugins to view video.

We do not require you to use a browser. We instead recommend iVMS-4200 instead." 

Although not ideal across many brands, it does solve the Hikvision issue. And works on a Mac.

That works yes but the web interface method is just a quicker way to make configurations needed. 

Honestly, we either need a web interface that will work on all browsers with 0 plugins, or simply abandon the web interface altogether.

I somewhat agree especially if we use several different brands of cameras. A brand-specific "app" seems to be the way of the future as more and more browser lock-downs occur and the camera engineers cannot (or will not) keep up. I mean my God, we have to use a Netscape plug in from 1995 on IE 4? Sadly, the bigger issue is whomever decides and creates these things will never be known and until we are in the same asian karaoke bar with the engineers, our views will never see the light of day.

Klay, thanks, good feedback!

If Hikvision's position is to just use iVMS-4200, then they can solve the security risk by simply removing the plugin entirely and displaying a message / link to download iVMS-4200 to display live video. Agree/disagree?

My reps response: "Most browsers now do not allow plugins and most video surveillance requires plugins to view video.

A response to Hikvision: Are you focusing on Dahua, Longse and XM or Avigilon, Axis and Hanwha? Because Hikvision talks about being a high end provider and those higher end competitors do not require such unsafe / antiquated plugins.

In theory, Wouldn't a system like Sureview bypass the plugin and just stream to the web browser? 

As a Hik fan I have to say this is probably my biggest annoyance with them. Smaller customers are almost always going to use a PC to access footage and iVMS-4200 is complicated and unintuitive for amateur users. The web interface is simple enough that I can show an elderly condo board member how to search for the person that left their recliner in the garbage room, for instance.

However Hik's complete and total disregard for this aspect of functionality has left me very frustrated. When Firefox ended NPAPI support I called their tech line to ask when they were ever going to improve this interface, and the answer was "someday". As it stands you have to run IE in administrator mode in order to download anything, then go hunt for the files in some arbitrary and deeply buried folder, and THEN use the Format Converter just to change it to something most players can actually use!

For a company that produces some of the best performing and cost effective surveillance hardware on the market they sure need to get their act together in virtually every other area. Their handling of their Chinese ownership, their interfaces, their security issues, etc.

Update: 5 months after this report (and 3 years after Hikvision first committed to fixing this), Hikvision has announced a fix for this rolling out in some cameras:

screen shot 2018-08-24 at 6 32 49 pm

We tested it on one of our cameras supporting the new firmware and it displayed video successfully on Chrome with no plugin:

Can you link some ways to determine which cameras support this and where to find the firmware that has  this feature?  I have searched but am getting nowhere.  Searching for "EasyIP x.0" yields announcements on an entire new product line, that have similar model numbers to existing models, but nothing on the US website seems to mention "EasyIP" under them.

 

example: EasyIP 3.0  finds an overseas website link LINK

replying to myself, I just found some links on an overseas HIK site. Link Here They relate this new FW to the G series, which I'm not familiar with, but it appears to be the DS-2cdxx line that the US has. I tried installing it on an older model I had laying around:

DS-2CD2132F-I  with firmware V5.4.0 build 160530 which is the latest on the US site.

It failed to install getting a "failed to the upgrade status" error message.  I thought it might be because I skipped a few intermediate FW levels, so I went back and downloaded the oldest one next to v5.40, which was V5.4.41_Build170310

and got the same error message.

 

 

They used to offer a spreadsheet on the Europe Portal that showed you which cameras are in which series, I don't see it on there anymore. This firmware is for the G1 series of cameras (2xx3, 2xx5) so it won't work with the camera you tried it on. Also, in my experience, putting EU firmware on non-EU cameras/NVR's (if that is what you attempted to do here) can potentially brick them or cause issues.

You used to be able to find all of the latest US firmware on the Hikvision tech site which categorized it by series (value, value plus, smart) but it seems like lately they haven't updated it and favor just putting the latest firmware on the US site.

This took way to long. I see they keep coming out with new cameras but rarely new firmware that is actually different or upgraded. 

Any idea how this works when logging into an NVR, and not just the camera?

Is this camera firmware or NVR? or both?

Read this IPVM report for free.

This article is part of IPVM's 6,298 reports, 840 tests and is only available to members. To get a one-time preview of our work, enter your work email to access the full article.

Already a member? Login here | Join now

Related Reports

VMS 101 on Mar 03, 2020
This guide teaches the fundamentals about video management software. Inside, we cover: NVR vs VMS Viewing Video - What are common client...
IP Camera Browser Support: Who's Broken / Who Works on Dec 10, 2019
For many years, IP cameras depended on ActiveX control, whose security flaws have been known for more than a decade. The good news is that this is...
Milestone XProtect 2019 R3 'Centralized Search' Tested on Oct 30, 2019
Milestone has had problems over the last few years releasing significant new software. Now, in XProtect 2019 R3, Milestone is touting "one search...
Network Optix NxWitness 4.0 Tested on Oct 10, 2019
Network Optix released Nx Witness 4.0, proclaiming new features like a deep learning analytics metadata SDK, increased H.265 support, and UX...
CheckMySystems Company Profile on Aug 14, 2019
CheckMySystems says that too many users respond, "I get an email when something is wrong" when talking about their video system maintenance plan,...
Avigilon ACC7 VMS Tested on Jul 22, 2019
Avigilon's Control Center 7 boldly claims it will "transform live video monitoring" with the new Focus of Attention "AI-enabled" interface. We...
IndigoVision Control Center VMS Tested on May 30, 2019
IPVM's last test of IndigoVision's VMS was in 2010, which found enterprise VMS features and a simple client interface. but no 3rd party camera...
Milestone XProtect 2019 R1 Tested on May 15, 2019
For the past few years, Milestone has released quarterly software updates XProtect VMS platform. What is new and how much impact do the updates...
Verkada Cloud VMS/Cameras Tested on May 02, 2019
Verkada is arguably the most ambitious video surveillance startup in many years. The company is developing their own cameras, their own VMS, their...
Camera Configuration Manager Shootout - Avigilon, Axis, Bosch, Dahua, Hanwha, Hikvision on May 01, 2019
Which camera manufacturer has the best management tool? We tested 6 manufacturers - Avigilon, Axis, Bosch, Dahua, Hanwha, Hikvision to find...

Most Recent Industry Reports

LIVE NOW "Fever Camera" Show on Jun 02, 2020
IPVM is excited for the world's first "Fever Camera" show, to be held today Tuesday, June 2nd and Wednesday the 3rd from 11am to 4pm EDT, giving...
Smart Entry Systems Presents Cloud Multi-Tenant Access Control on Jun 02, 2020
Smart Entry Systems presented Cloud Multi-Tenant Access Control at the May 2020 IPVM Startups show. Inside this report: A 30-minute video...
Genetec Drops Support for Dahua and Hikvision on Jun 01, 2020
Genetec has dropped support for Dahua and Hikvision, citing US blacklisting and ONVIF conformance blockage, the company informed partners in an...
Dotty "Hot Or Not" Elevated Body Temperature App Tested on Jun 01, 2020
What if you could take an existing phone or tablet and transform it into "fever camera"? That is what DottyAR is doing with their strangely named...
Optris "Fever Screening Systems" Examined on Jun 01, 2020
German manufacturer Optris has been building temperature measuring instruments for industrial manufacturing for over 15 years, and thermal cameras...
Fever Camera Sales From Integrators Surveyed on Jun 01, 2020
Fever cameras are the hottest trend in video surveillance currently but how much are integrators selling them? 220 integrators answered the...
Proxy Presents Mobile Credentials For BLE Devices and Access on May 29, 2020
Proxy presented Mobile Credentials For BLE Devices and Access at the May 2020 IPVM Startups show. Inside this report: A 30-minute video...
ISC West 2020 Moves To The Basement on May 29, 2020
The twice cancelled/postponed show will now not only be held in a different month (October) but on a different floor, moving down to the...
Integrators Avoiding Coronavirus Air Travel on May 29, 2020
IPVM asked integrators if air travel is part of their 2020 plans to see how significantly Coronavirus will impact future...
Viakoo Presents Cyber Hygiene for Cameras on May 28, 2020
Viakoo presented its 'Cyber Hygiene' and 'Service Assurance' products at the April 2020 IPVM New Products show. Inside this report: A...